aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.31k stars 241 forks

Devices are not being tracked #2198

Closed u382514 closed 1 year ago

u382514 commented 1 year ago

Description

When signing in using Amplify.Auth.signIn with USER_SRP_AUTH, I expected the 'confirm device' API to be hit and my device to show up under tracked devices. This is not happening.

Am I missing something here, or is there something else that hasn't been implemented in the ^1.0.0-next.0 version?

Categories

Steps to Reproduce

No response

Screenshots

No response

Platforms

Android Device/Emulator API Level

No response

Environment

[✓] Flutter (Channel stable, 3.3.0, on macOS 12.5.1 21G83 darwin-x64, locale en-US)
[✓] Android toolchain - develop for Android devices (Android SDK version 31.0.0)
[✓] Xcode - develop for iOS and macOS (Xcode 13.4.1)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2021.1)
[✓] IntelliJ IDEA Community Edition (version 2020.3.2)
[✓] VS Code (version 1.70.2)
[✓] Connected device (3 available)
[✓] HTTP Host Availability

Dependencies

amplify_auth_cognito: ^1.0.0-next.0
amplify_flutter: ^1.0.0-next.0

Device

N/A

OS

N/A

Deployment Method

Custom Pipeline

CLI Version

No response

Additional Context

No response

Amplify Config

const amplifyConfig = '''{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "IdentityManager": {
          "Default": {}
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": POOL_ID,
            "AppClientId": CLIENT_ID,
            "Region": "ca-central-1"
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH",
            "OAuth": {
              "WebDomain": WEB_DOMAIN,
              "AppClientId": CLIENT_ID,
              "SignInRedirectURI": "myapp://",
              "SignOutRedirectURI": "myapp://",
              "Scopes": [
                "phone",
                "email",
                "openid",
                "profile",
                "aws.cognito.signin.user.admin"
              ]
            }
          }
        }
      }
    }
  }
}''';

fjnoyp commented 1 year ago

Hi @u382514, how do you call user sign-in? Which platforms have you tested on and noticed this issue, and how are you validating that devices are being tracked?

u382514 commented 1 year ago

I call it by using the signIn method (Amplify.Auth.signIn) with username and password, the username being the email alias. Also, we are using USER_SRP_AUTH. I've tested on iOS, Android, macOS, Windows and Web. It's why I chose to use the 'next' branch, as it aims to handle all platforms. Cognito settings for MFA are Opt-In; device tracking is set to ALWAYS with suppression of MFA on trusted devices.

I've tested to make sure it wasn't Cognito by quickly throwing together a routine using the amplify javascript sdk and it worked like a charm. So it's something in this particular package/branch.

dnys1 commented 1 year ago

Hi @u382514 - the issue seems to be that you don't have an identity pool configured. We are currently working on improving our "user-pool only" support right now. At the moment, though, an identity pool is required for device tracking unfortunately.

I can leave this issue open until that is resolved.

u382514 commented 1 year ago

Awesome! I set up an identity pool and indeed that solved the issue. It would be nice to support "user-pool only", however, I don't really have a valid reason NOT to use an identity pool anyways so this setup is fine and easy to reason with. Thanks for the quick response!

u382514 commented 1 year ago

Looks like now I'm having another issue. It seems that I keep getting a new device key every time I log in, so the list of devices just keeps growing. It's as if it's not pulling the cache from IndexedDB. Is there some extra setup that is needed? I do see that the DB is being filled with the keys.

dnys1 commented 1 year ago

Hmm, so you are calling signIn with the same username each time, correct? And then calling signOut?

u382514 commented 1 year ago

Yep, calling the same user. In fact, it's the only user in the system as I'm using it to develop against. In AWS Cognito's device list it just keeps racking up new ones any time I log in. The 'remember device' piece is working (shows yes when trusted and no when not in the Cognito UI). I am indeed just calling the signOut function too. Nothing fancy and there's nothing layered in the UI I'm working on that would seem to disrupt any processes.

dnys1 commented 1 year ago

I'm not able to reproduce the behavior. Can you confirm you are not calling Amplify.Auth.forgetDevice at any point?

"shows yes when trusted and no when not in the Cognito UI"

Can you clarify what you mean here, maybe with pics of the behavior you're seeing?

dnys1 commented 1 year ago

Hi @u382514, I believe this has been fixed in the latest version. Can you run flutter pub upgrade and verify?

u382514 commented 1 year ago

Nope, still doesn't work for me. Upgraded all packages and even started a new project. Using Web: I log in, enter the confirmation code and remember the device. It shows up in Cognito correctly and shows up in IndexedDB correctly. I sign out, then immediately sign back in. It tells me I need to confirm even though IndexedDB still shows the correct device key information from before. I confirm with the code and it resets all of the IndexedDB device information to the new information and creates a new entry in Cognito. I'm not doing anything out of the ordinary in the code, just running a simple linear process without any deviation from the package. Same results running Flutter on any simulator/device. I tried debugging before, but the structure of these packages doesn't seem to make that process very easy with how it injects plugins. I'll try again at some point in the near future.

dnys1 commented 1 year ago

Thanks for trying again, @u382514. I'll do some more investigation as well.

dnys1 commented 1 year ago

Can you please confirm the settings listed in the user pool console for Device Tracking?

[Screenshot: Device Tracking settings in the user pool console, 2022-10-17]

dnys1 commented 1 year ago

I did release one more small fix today. It should be in alignment with Cognito now. The reason I asked the last question is because the behavior of device tracking largely depends on the configuration of the user pool.

When devices are always remembered, no further work is needed by users after logging in for device tracking to take effect. However, for "user opt-in", a call to Amplify.Auth.rememberDevice is needed before a device is actually remembered. Depending on the MFA configuration, this is the only way to ensure a device is issued one device key. For certain MFA configurations, Cognito will issue a new device key on every login unless the device is remembered. The fix I released today handled the non-MFA related cases where a device key was being replaced.

I hope this helps clarify a little bit. I know it's confusing. Please let me know if there's anything I can explain further.
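A sign-in flow that follows the advice above, as an added example (not code from the issue or from the amplify-flutter project): complete the MFA challenge if one is issued, call Amplify.Auth.rememberDevice so Cognito reuses a single device key, and list the tracked devices to check that the list is not growing on repeated sign-ins. It assumes Amplify is already configured with the amplify_auth_cognito plugin and that `promptForCode` is a hypothetical callback supplied by the app.

```dart
import 'package:amplify_flutter/amplify_flutter.dart';

/// Hypothetical callback supplied by the app that returns the MFA code
/// the user entered (assumption for this example).
typedef MfaCodePrompt = Future<String> Function();

/// Signs in with USER_SRP_AUTH, completes an SMS MFA challenge if Cognito
/// issues one, then explicitly remembers the device. Returns the number of
/// devices Cognito currently tracks for the user.
Future<int> signInAndRememberDevice({
  required String username,
  required String password,
  required MfaCodePrompt promptForCode,
}) async {
  var result = await Amplify.Auth.signIn(
    username: username,
    password: password,
  );

  // With opt-in MFA and a device that is not yet remembered, Cognito
  // challenges for a code before the session is established.
  if (result.nextStep.signInStep ==
      AuthSignInStep.confirmSignInWithSmsMfaCode) {
    final code = await promptForCode();
    result = await Amplify.Auth.confirmSignIn(confirmationValue: code);
  }
  if (!result.isSignedIn) {
    throw StateError(
      'Sign-in did not complete: ${result.nextStep.signInStep}',
    );
  }

  // For "user opt-in" device tracking (and for MFA-enabled pools), this
  // call is what keeps Cognito from minting a new device key per login.
  await Amplify.Auth.rememberDevice();

  // Sanity check: a count that rises on every sign-in from the same
  // client means the stored device key is not being reused.
  final devices = await Amplify.Auth.fetchDevices();
  for (final device in devices) {
    safePrint('tracked device: ${device.id}');
  }
  return devices.length;
}
```

Run it twice with a signOut in between; if the returned count grows, the device key is not being reused and the user pool's device tracking and "trust remembered devices" settings are the first things to check.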

u382514 commented 1 year ago

I appreciate all the help I can get, so thank you very much for spending time on this! I use other versions of the Amplify SDK in other accounts/user pools without issue and without duplication of device keys where the setup is using "user opt-in" for remembering devices. This particular Cognito pool, however, is using "opt-in MFA" while the others I work with are mandatory. I do indeed call the Amplify.Auth.rememberDevice in this environment and can confirm that Cognito is registering the device as remembered. I'll make some user pool setup changes today and report back.

dnys1 commented 1 year ago

Happy to help, @u382514. It seems that when MFA is enabled and the device is not remembered, Cognito will generate a new device key for each login. It could be this is an extra layer of security, although I'm working on getting a more specific answer from the Cognito team. Disabling MFA or remembering the device should resolve the issue, though. Please let me know if it persists after that.

alondahari commented 1 year ago

+1 for allowing this to work without having to set up an identity pool.

dnys1 commented 1 year ago

@jazzdragon as of the latest version (1.0.0-next.8), an identity pool should no longer be required.

alondahari commented 1 year ago

@dnys1 I updated the Amplify package to 1.0.0 and removed the identity pool from the configs. Seems now the device is remembered and I'm able to log in, but a code is still sent to my phone.

alondahari commented 1 year ago

Just to clarify, my user has MFA set up and turned on, and device remembering is set to "always remember". When signing in I am not required to respond to MFA challenge since my device is remembered, but the code is still sent to my phone.

dnys1 commented 1 year ago

Hi @jazzdragon, can you clarify the following?

alondahari commented 1 year ago

dnys1 commented 1 year ago

In addition to having MFA enabled, and devices remembered, you must also have set in your user pool the option to trust remembered devices. Can you confirm your user pool settings look like this?

[Screenshot: user pool settings for MFA, device remembering and trusting remembered devices, 2023-04-20]

dnys1 commented 1 year ago

@u382514 @jazzdragon are either of you still experiencing issues with MFA + device remembrance?

I believe the first issue in this thread (a new device key being generated on each sign-in) is due to a limitation in Cognito for which the current workaround is to call Amplify.Auth.rememberDevice().

The second issue sounded like a misconfiguration in the backend, although I would need more information to investigate.

Please respond if you need more assistance on either front. If I don't hear from you within 7 days, I will be closing this issue.

alondahari commented 1 year ago

I think we solved the issue, thank you

u382514 commented 1 year ago

Yes, this is all good now.