aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.33k stars 247 forks

Prevent user from having to enter multiple confirmation codes during signUp/signIn #2466

Open HappyMakadiyaS opened 1 year ago

HappyMakadiyaS commented 1 year ago

Updated Description

When MFA is enabled, or a custom auth flow is used that sends OTP, the user is forced to enter multiple confirmation codes in order to sign up and then subsequently sign in. Ideally they should not have to enter codes multiple times in a row.

Note: Previously this FR mentioned auto sign in in Amplify JS. Since the auto sign in feature in Amplify JS does not solve for this use case, we will track this request separately.

Original Description

Required `autoSignIn` parameter in `Amplify.Auth.signUp()` to auto sign in after the user is confirmed. As I have a custom auth flow for sending an OTP on every signUp and signIn, calling signUp and signIn concurrently produces an OTP a couple of times to make it work like autoSignIn. Better to have one option like JavaScript already has: [Doc](https://docs.amplify.aws/lib/auth/emailpassword/q/platform/js/#:~:text=attributes%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C-,autoSignIn,-%3A%20%7B%20//%20optional)

### Categories

- [ ] Analytics
- [ ] API (REST)
- [ ] API (GraphQL)
- [X] Auth
- [ ] Authenticator
- [ ] DataStore
- [ ] Storage

### Steps to Reproduce

NA

### Screenshots

_No response_

### Platforms

- [ ] iOS
- [ ] Android
- [ ] Web
- [ ] macOS
- [ ] Windows
- [ ] Linux

### Android Device/Emulator API Level

_No response_

### Environment

```bash
Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.3.8, on macOS 13.0.1 22A400 darwin-arm, locale en-IN)
[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
[✓] Xcode - develop for iOS and macOS (Xcode 14.1)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2021.3)
[✓] VS Code (version 1.73.1)
[✓] Connected device (3 available)
[✓] HTTP Host Availability

• No issues found!
```

### Dependencies

```bash
Dart SDK 2.18.4
Flutter SDK 3.3.8
spdemo 1.0.0+1

dependencies:
- amplify_auth_cognito 0.6.10 [amplify_auth_cognito_android amplify_auth_cognito_ios amplify_core aws_common collection flutter meta plugin_platform_interface]
- amplify_flutter 0.6.10 [amplify_core amplify_datastore_plugin_interface amplify_flutter_android amplify_flutter_ios aws_common collection flutter meta plugin_platform_interface]
- cupertino_icons 1.0.5
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]
- fluttertoast 8.1.1 [flutter flutter_web_plugins]

transitive dependencies:
- amplify_auth_cognito_android 0.6.10 [flutter]
- amplify_auth_cognito_ios 0.6.10 [amplify_core flutter]
- amplify_core 0.6.10 [aws_common collection flutter intl json_annotation meta plugin_platform_interface uuid]
- amplify_datastore_plugin_interface 0.6.10 [amplify_core collection flutter meta]
- amplify_flutter_android 0.6.10 [flutter]
- amplify_flutter_ios 0.6.10 [amplify_core flutter]
- async 2.9.0 [collection meta]
- aws_common 0.1.1 [async collection http meta stream_transform uuid]
- characters 1.2.1
- clock 1.1.1
- collection 1.16.0
- crypto 3.0.2 [typed_data]
- flutter_web_plugins 0.0.0 [flutter js characters collection material_color_utilities meta vector_math]
- http 0.13.5 [async http_parser meta path]
- http_parser 4.0.2 [collection source_span string_scanner typed_data]
- intl 0.17.0 [clock path]
- js 0.6.4
- json_annotation 4.7.0 [meta]
- material_color_utilities 0.1.5
- meta 1.8.0
- path 1.8.2
- plugin_platform_interface 2.1.3 [meta]
- sky_engine 0.0.99
- source_span 1.9.0 [collection path term_glyph]
- stream_transform 2.1.0
- string_scanner 1.1.1 [source_span]
- term_glyph 1.2.1
- typed_data 1.3.1 [collection]
- uuid 3.0.6 [crypto]
- vector_math 2.1.2
```

### Device

N/A

### OS

N/A

### Deployment Method

Amplify CLI

### CLI Version

10.5.1

### Additional Context

_No response_

### Amplify Config

N/A

dnys1 commented 1 year ago

Hi @HappyMakadiyaS - with the autoSignIn feature, OTP codes still need to be entered into confirmSignUp and confirmSignIn. The feature simply prevents having to call signIn after signUp.

Does that align with your use case? If not, can you explain in more detail what you'd like to see from this feature?

DogukanZengin commented 1 year ago

Having this feature in amplify-js library but not in amplify-flutter creates a mismatch of implementations on Cognito lambda triggers if you have both clients. It would be great to have this feature.

sumchans commented 1 year ago

Has this been implemented? I also would like to know if autoSignIn can be done after the user signs up. My sign-up flow is passwordless, which means the user will be signed in if they put in the correct OTP.

```dart
await Amplify.Auth.signUp(
  username: user.phoneNumber,
  // ${...} is needed to interpolate a property access in a Dart string.
  password: 'bol_${user.phoneNumber}',
  options: SignUpOptions(
    userAttributes: userAttributes,
  ),
);
```

dnys1 commented 1 year ago

This feature is still unimplemented in the Amplify Flutter libraries and I do not have an estimate on when it may be worked on. I apologize for the mismatch this creates between the Flutter and JS libraries.

bookofdom commented 1 year ago

This feature would be very helpful since now we ask a user to sign up and force them to sign in immediately after. It feels like a broken workflow, to be honest.

This actually creates a significant issue for us as calling signin again forces the user through a second OTP.

@dnys1 Can we get an ETA? This is impacting sign ups for our app.

maziarzamani commented 1 year ago

Totally agree +1

Jordan-Nelson commented 1 year ago

We still do not have an estimate on when this will be implemented. However, I wanted to note a few ways that this could be achieved today.

The Authenticator UI component does perform auto sign in. I would encourage folks to see if the Authenticator meets their needs. If you find that the Authenticator UI component does not fit your use case please feel free to share that feedback so that we can look to improve it.

Aside from the Authenticator component, this can be implemented without having the customer fill out two forms. Both the JS lib and the Authenticator component achieve auto sign in by temporarily holding the sign up data in memory, so that the signIn API can be called immediately after signUp/confirmSignUp without the user having to take any action. This same method can be implemented within your app.
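
The approach described in the comment above (hold the sign-up data in memory, then call signIn right after confirmSignUp), as an added example that is not part of the thread and not Amplify's own code. `PendingSignUp` and its `ttl` are hypothetical names; the example assumes Amplify is already configured with the Auth plugin and uses the `SignUpOptions` API shape shown earlier in the thread.

```dart
import 'package:amplify_flutter/amplify_flutter.dart';

/// Keeps sign-up credentials in memory only, just long enough to call
/// signIn once confirmSignUp succeeds. Hypothetical helper, not an Amplify API.
class PendingSignUp {
  PendingSignUp({this.ttl = const Duration(minutes: 10)});
  final Duration ttl; // assumed lifetime of the held credentials
  String? _username;
  String? _password;
  DateTime? _storedAt;

  bool get _isLive =>
      _storedAt != null && DateTime.now().difference(_storedAt!) < ttl;

  /// Drops the held credentials. Also call this when the user leaves the flow.
  void clear() {
    _username = _password = null;
    _storedAt = null;
  }

  Future<SignUpResult> signUp(String username, String password,
      {SignUpOptions? options}) async {
    final result = await Amplify.Auth.signUp(
        username: username, password: password, options: options);
    _username = username;
    _password = password;
    _storedAt = DateTime.now();
    return result;
  }

  /// Returns null if no live credentials are held. A wrong code throws from
  /// confirmSignUp and leaves them in place for a retry until [ttl] runs out.
  Future<SignInResult?> confirmAndSignIn(String confirmationCode) async {
    if (!_isLive) {
      clear();
      return null;
    }
    final username = _username!, password = _password!;
    final confirmed = await Amplify.Auth.confirmSignUp(
        username: username, confirmationCode: confirmationCode);
    if (!confirmed.isSignUpComplete) return null;
    try {
      // With MFA or a custom auth flow, isSignedIn is false here and the
      // result's nextStep asks for a second code, as discussed in the thread.
      return await Amplify.Auth.signIn(username: username, password: password);
    } finally {
      clear();
    }
  }
}
```

Keep the instance in memory (for example in the sign-up screen's state) rather than writing the password to disk or preferences.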

Jordan-Nelson commented 1 year ago

@sumchans - How are you implementing passwordless login? There are a couple ways that it can be achieved today. It doesn't appear that you are using Cognito's custom auth. Are you using MFA as a workaround?

I think the methods I mentioned above would likely apply to your use case as well, although I would need to know a little bit more about how you implemented passwordless to say for sure.

bookofdom commented 1 year ago

> We still do not have an estimate on when this will be implemented. However, I wanted to note a few ways that this could be achieved today.
>
> The Authenticator UI component does perform auto sign in. I would encourage folks to see if the Authenticator meets their needs. If you find that the Authenticator UI component does not fit your use case please feel free to share that feedback so that we can look to improve it.
>
> Aside from the Authenticator component, this can be implemented without having the customer fill out two forms. Both the JS lib and the Authenticator component achieve auto sign in by temporarily holding the sign up data in memory, so that the signIn API can be called immediately after signUp/confirmSignUp without the user having to take any action. This same method can be implemented within your app.

@Jordan-Nelson Thanks for your reply. We unfortunately require an OTP to be sent with SignIn. Wouldn't calling the signin API immediately following signUp/confirmSignUp trigger this as well?

Thanks again.

Jordan-Nelson commented 1 year ago

@bookofdom - Yes it would. I don't think this is a use case covered by the JS library or the flutter Authenticator. Both would automatically call signIn, but the user would then have to enter the OTP code.

I am not sure if there is any way to avoid entering the OTP. Sign In and Sign Up are two distinct operations in Cognito. I would need to do some investigation to see if there is any way to work around that. We can note that as a requirement but I think the initial iteration of this would likely not cover that use case.

Jordan-Nelson commented 1 year ago

@maziarzamani - Let us know if you have a similar requirement, or if there is any other reason the approach of calling signIn after signUp would not work for your use case. Thanks.

sumchans commented 1 year ago

> @sumchans - How are you implementing passwordless login? There are a couple ways that it can be achieved today. It doesn't appear that you are using Cognito's custom auth. Are you using MFA as a workaround?
>
> I think the methods I mentioned above would likely apply to your use case as well, although I would need to know a little bit more about how you implemented passwordless to say for sure.

I have done it using MFA. I still need to call Sign in after the signup process, which means the user will receive two OTPs, one for the sign up and then the sign in. I am still waiting for this to be implemented.

Jordan-Nelson commented 1 year ago

@DogukanZengin - Do you also have MFA enabled and are looking to prevent the user from having to enter a confirmation code during sign up and sign in?

Jordan-Nelson commented 1 year ago

Since it sounds like the majority of folks are looking to prevent end users from entering multiple confirmation codes during the sign up and initial sign in flow, I have updated the issue description and title to reflect that.

As I mentioned in a previous comment, the auto sign in API from Amplify JS does not resolve this. The end user would still be required to enter a confirmation code for sign up AND sign in. However, if you are looking for this to be supported in Amplify Flutter, please feel free to open a new feature request. Please include your use case in the request so that we can ensure the API would solve for it.

edotmills commented 1 year ago

> @maziarzamani - Let us know if you have a similar requirement, or if there is any other reason the approach of calling signIn after signUp would not work for your use case. Thanks

When creating a new user account, calling signup already sends an OTP. The SignUp call does not log you in. So calling SignIn right after SignUp makes you re-verify with the OTP. This is an awkward flow. I would recommend having SignUp log a user in also.

monta-zaroui commented 1 year ago

Can you provide me with an update regarding this feature? Many developers are eagerly anticipating its release. For instance, Tinder uses passwordless sign-up: when a user signs up he gets a confirmation code, and when signup is confirmed the user will be automatically signed in without the need to do the OTP confirmation twice. It's better for the user experience and also saves costs.

I have used Firebase, which also supports this feature.