aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

After Cognito Hosted UI redirects with `code=` but Auth says "signIn_failure" #10833

Closed Bersaelor closed 1 year ago

Bersaelor commented 1 year ago

Before opening, please confirm:

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
System:
  OS: macOS 13.0.1
  CPU: (8) x64 Apple M1
  Memory: 254.18 MB / 16.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 14.18.2 - ~/.nvm/versions/node/v14.18.2/bin/node
  Yarn: 1.22.19 - ~/.yarn/bin/yarn
  npm: 6.14.15 - ~/.nvm/versions/node/v14.18.2/bin/npm
  Watchman: 2022.12.26.00 - /opt/homebrew/bin/watchman
Browsers:
  Chrome: 108.0.5359.124
  Firefox: 106.0.3
  Safari: 16.1
npmPackages:
  @solidjs/router: ^0.6.0 => 0.6.0
  @suid/icons-material: ^0.5.3 => 0.5.3
  @suid/material: ^0.8.2 => 0.8.2
  @suid/vite-plugin: ^0.1.0 => 0.1.0
  aws-amplify: ^5.0.8 => 5.0.8
  solid-js: ^1.6.6 => 1.6.6
  solid-js/h: undefined ()
  solid-js/h/jsx-dev-runtime: undefined ()
  solid-js/h/jsx-runtime: undefined ()
  solid-js/html: undefined ()
  solid-js/store: undefined ()
  solid-js/universal: undefined ()
  solid-js/web: undefined ()
  typescript: ^4.9.4 => 4.9.4
  vite: ^4.0.3 => 4.0.3
  vite-plugin-solid: ^2.5.0 => 2.5.0
npmGlobalPackages:
  gatsby-cli: 4.14.0
  npm: 6.14.15
  serve: 14.1.2
  serverless: 3.25.1
  ts-node: 10.9.1
  typescript: 4.9.3
```

Describe the bug

I'm currently trying to set up AWS Auth for a Solid.js app so I can use my Cognito pools with a Hosted UI. I have done this a few times with React based apps, but there I always relied on aws-amplify-react for the UI components, not the Hosted UI.

Now, in my main index.js I set up AWS using Amplify.configure(awsConfig) with

```js
const awsConfig = {
    Auth: {
        region: 'us-east-1',
        userPoolId: 'us-east-1_***',
        userPoolWebClientId: '***',
        identityPoolId: 'us-east-1:***',

        oauth: {
            domain: 'auth.mydomain.art',
            scope: ['email'],
            redirectSignIn: document.location.origin,
            redirectSignOut: document.location.origin,
            responseType: 'code'
        }
    }
};
```

and when I click the signIn button it forwards me to the Hosted UI, hosted on auth.mydomain.art. After entering username+password, it redirects me back to http://localhost:3000/?code=*** with the code supplied. Then the code seems to be used & disposed by the Amplify-Auth, so that it disappears. Then I can see a

fetch-http-handler.ts:67          POST https://cognito-identity.us-east-1.amazonaws.com/ 400

in the console and some errors around 'A failure occurred when returning to the Cognito Hosted UI'.

Expected behavior

AWS Auth consumes the code and Auth.currentAuthenticatedUser() returns an authenticated user

Reproduction steps

  1. set up a minimal html site, with an associated Cognito Pool with hosted UI
  2. create Identity Pool, set user pool id and app client id in "Authentication providers"
  3. call Amplify.configure(awsConfig) during page startup
  4. call Auth.federatedSignIn() and get forwarded to the Hosted UI
  5. enter credentials, get directed back to my page, code is first there and then swallowed by the amplify libs.
  6. no authenticated user

Code Snippet

```ts
import { onMount } from 'solid-js';
import { Auth, Hub } from 'aws-amplify';

// refreshState() re-reads Auth.currentAuthenticatedUser(); it lives elsewhere in the app
declare function refreshState(): void;

// Hub.listen returns an unsubscribe function; kept so the listener can be removed later
let authChangeListener: () => void;

const handler = ({ payload }: { payload: any }) => {
  console.log('auth event', payload)
  switch (payload.event) {
    case 'configured':
    case 'signIn':
    case 'signIn_failure':
    case 'signOut':
      refreshState()
      break

    default:
      break
  }
}

const subscribeToAuthChanges = () => {
  authChangeListener = Hub.listen('auth', handler)
}

onMount(async () => {
  // the ?code= from the Hosted UI redirect is visible here before Amplify consumes it
  const urlParams = new URLSearchParams(window.location.search);
  const authCode = urlParams.get('code');
  console.log("authCode: ", authCode)
  subscribeToAuthChanges()
});

const signIn = () => {
  Auth.federatedSignIn()
}
```

Log output

```
Configuring Amplify next
App.tsx:21 authCode:  291219ef-c91d-4e53-b633-d6c27d6506f3
cognito.ts:43 refreshing state
fetch-http-handler.ts:67 POST https://cognito-identity.us-east-1.amazonaws.com/ 400
...
AmplifyClass2.configure @ Amplify.ts:73
(anonymous) @ index.tsx:11
cognito.ts:17 auth event {event: 'signIn_failure', data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-ea…, message: 'The OAuth response flow failed'}
  data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-east-1_XZcnYdUZv=}' at 'logins' failed to satisfy constraint: Map value must satisfy constraint: [Member must have length less than or equal to 50000, Member must have length greater than or equal to 1]
    at http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:42817:51
    at step (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26513:19)
    at Object.next (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26460:14)
    at fulfilled (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26431:24)
  event: "signIn_failure"
  message: "The OAuth response flow failed"
  [[Prototype]]: Object
cognito.ts:43 refreshing state
cognito.ts:17 auth event {event: 'cognitoHostedUI_failure', data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-ea…, message: 'A failure occurred when returning to the Cognito Hosted UI'}
  data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-east-1_XZcnYdUZv=}' at 'logins' failed to satisfy constraint: Map value must satisfy constraint: [Member must have length less than or equal to 50000, Member must have length greater than or equal to 1]
    at http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:42817:51
    at step (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26513:19)
    at Object.next (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26460:14)
    at fulfilled (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26431:24)
  event: "cognitoHostedUI_failure"
  message: "A failure occurred when returning to the Cognito Hosted UI"
  [[Prototype]]: Object
cognito.ts:17 auth event {event: 'customState_failure', data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-ea…, message: 'A failure occurred when returning state'}
  data: ValidationException: 1 validation error detected: Value '{cognito-idp.us-east-1.amazonaws.com/us-east-1_XZcnYdUZv=}' at 'logins' failed to satisfy constraint: Map value must satisfy constraint: [Member must have length less than or equal to 50000, Member must have length greater than or equal to 1]
    at http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:42817:51
    at step (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26513:19)
    at Object.next (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26460:14)
    at fulfilled (http://localhost:3000/node_modules/.vite/deps/aws-amplify.js?v=109458d1:26431:24)
  event: "customState_failure"
  message: "A failure occurred when returning state"
  [[Prototype]]: Object
2cognito.ts:53 user not signed in due to The user is not authenticated
```

aws-exports.js

```js
const awsConfig = {
  Auth: {
    region: 'us-east-1',
    userPoolId: 'us-east-1_***',
    userPoolWebClientId: '***',
    identityPoolId: 'us-east-1:***',
    oauth: {
      domain: 'auth.mydomain.art',
      scope: ['email'],
      redirectSignIn: document.location.origin,
      redirectSignOut: document.location.origin,
      responseType: 'code'
    }
  }
};
```


Bersaelor commented 1 year ago

If I don't provide the Identity Pool ID (I have not used an Identity pool in other apps, and they authenticated fine without one), I get

signIn_failure: Username and pool information are required.
cognitoHostedUI_failure: Username and pool information are required.
customState_failure: Username and pool information are required.

and the 400 for cognito-identity.us-east-1.amazonaws.com doesn't pop up.

This seems the same problem as this one

Bersaelor commented 1 year ago

Alright, so it turns out what fixed it was replacing:

      scope: [
        "email"
      ],

with

      scope: [
        "email",
        "openid"
      ],

so it seems you have to match the values that are enabled in the AWS console for the User pool exactly.
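The ValidationException in the log above is the visible symptom of this: the `logins` map value after `us-east-1_XZcnYdUZv=` is empty, because Cognito only issues an ID token when the `openid` scope is requested, and that ID token is what Amplify hands to the Identity Pool (and reads the username from). The following is an added example, not code from the issue or from amplify-js: a pre-flight check that catches this and a couple of related misconfigurations (a domain with a scheme, the implicit `token` flow, non-https redirect URLs) before `Amplify.configure()` is ever called, plus the `logins` entry builder that refuses an empty token instead of letting the request fail remotely. The function names, the sample configs and the `EXAMPLE` identifiers are this example's own.

```javascript
// Added example (not from the issue or amplify-js). Assumes the config shape shown in the
// issue: Auth.{region,userPoolId,userPoolWebClientId,identityPoolId} and
// Auth.oauth.{domain,scope,redirectSignIn,redirectSignOut,responseType}.

// Check an Amplify Auth config before Amplify.configure(). Returns a list of problems;
// an empty list means the config passed every check.
function validateAuthConfig(config) {
  const auth = config && config.Auth;
  if (!auth) return ['Auth section missing'];
  const problems = [];
  const oauth = auth.oauth || {};
  const scopes = Array.isArray(oauth.scope) ? oauth.scope : [];

  // Without 'openid' Cognito returns no ID token, so the Identity Pool 'logins' value is
  // empty and the username cannot be read: the exact failure seen in this issue.
  if (!scopes.includes('openid')) {
    problems.push("oauth.scope must include 'openid' (no ID token is issued otherwise)");
  }

  // The Hosted UI domain is a bare hostname; a scheme here yields a malformed authorize URL.
  if (typeof oauth.domain !== 'string' || oauth.domain.length === 0 || /^[a-z]+:\/\//i.test(oauth.domain)) {
    problems.push('oauth.domain must be a bare hostname such as auth.example.com');
  }

  // The authorization code flow keeps tokens out of the URL; the implicit 'token' flow
  // returns them in the fragment where they end up in history and referrer leaks.
  if (oauth.responseType !== 'code') {
    problems.push("oauth.responseType should be 'code'");
  }

  for (const name of ['redirectSignIn', 'redirectSignOut']) {
    problems.push(...checkRedirect(name, oauth[name]));
  }
  return problems;
}

// Redirect URLs must be absolute and, outside localhost, https. They must also match the
// app client's registered callback URLs character for character, so use fixed strings
// rather than document.location.origin when the deployed origin is known.
function checkRedirect(name, value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return [`oauth.${name} is not an absolute URL`];
  }
  const isLocal = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !isLocal) {
    return [`oauth.${name} must use https outside localhost`];
  }
  return [];
}

// Build the Identity Pool 'logins' entry. The key format is the one the error message shows;
// the value must be a non-empty ID token, which is exactly what was missing in the issue.
function buildIdentityPoolLogins(region, userPoolId, idToken) {
  const key = `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  if (typeof idToken !== 'string' || idToken.length === 0) {
    throw new Error(`no ID token for ${key}; request the 'openid' scope`);
  }
  return { [key]: idToken };
}

// Constructed sample configs: the issue's original (missing 'openid') and the fixed one.
// Pool and client ids are placeholders, not real resources.
const brokenConfig = {
  Auth: {
    region: 'us-east-1',
    userPoolId: 'us-east-1_EXAMPLE',
    userPoolWebClientId: 'EXAMPLECLIENTID',
    identityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000',
    oauth: {
      domain: 'auth.example.com',
      scope: ['email'],
      redirectSignIn: 'http://localhost:3000',
      redirectSignOut: 'http://localhost:3000',
      responseType: 'code',
    },
  },
};
const fixedConfig = JSON.parse(JSON.stringify(brokenConfig));
fixedConfig.Auth.oauth.scope = ['email', 'openid'];

console.log('broken:', validateAuthConfig(brokenConfig));
console.log('fixed:', validateAuthConfig(fixedConfig));
```

Running the check locally turns the remote 400 from cognito-identity into a single readable line at startup; the redirect check is also where a deployed build that still uses `document.location.origin` over plain http gets caught.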