aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Getting signed out while trying to sign in via Azure AD #12975

Open simha453 opened 8 months ago

simha453 commented 8 months ago

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

Older than v5

Amplify Categories

auth

Backend

None

Environment information


Describe the bug

Upon attempting to "login using Outlook" in Cognito, users encounter an unexpected logout screen instead of being redirected to the login page of Outlook. This issue arises specifically after logging out from the application, not from the Outlook platform itself.

Expected behavior

It should go to the login page of Outlook / Azure AD.

Reproduction steps


Code Snippet

```js
import { Amplify, Auth, Hub } from 'aws-amplify'
import AWS from 'aws-sdk'

// isLocalhost() is an app helper not shown in the issue; it only selects
// which redirect URLs are handed to Amplify.
const awsConfig = {
    Auth: {
        identityPoolId: `${process.env.REACT_APP_AD_IDENTITY_POOL_ID}`,
        region: `${process.env.REACT_APP_AWS_REGION}`,
        userPoolId: `${process.env.REACT_APP_AD_USER_POOL_ID}`,
        userPoolWebClientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
        oauth: {
            domain: `${process.env.REACT_APP_AD_DOMAIN_NAME}`,
            scope: ['email', 'openid'],
            // Sign-in and sign-out both land on the same /login route.
            redirectSignIn: isLocalhost()
                ? 'http://localhost:3000/login'
                : process.env.REACT_APP_REDIRECT_SIGNIN_URL,
            redirectSignOut: isLocalhost()
                ? 'http://localhost:3000/login'
                : process.env.REACT_APP_REDIRECT_SIGNOUT_URL,
            responseType: `${process.env.REACT_APP_AD_RESPONSE_TYPE}`,
            label: 'Log in with your company SSO',
            clientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
        },
    },
    Analytics: {
        disabled: true,
    },
}
Amplify.configure({ ...awsConfig, ssr: true })

// Exchanges the user-pool id token for identity-pool credentials through the
// AWS SDK v2 directly, separately from the credentials Amplify manages itself.
const onSetOTPAwsConfig = async ({ idToken }) => {
    // Set the region where your identity pool exists (us-east-1, eu-west-1)
    AWS.config.region = process.env.REACT_APP_AWS_REGION
    // Configure the credentials provider to use your identity pool.
    // Note: the Logins key hard-codes ap-south-1 while the region above comes
    // from REACT_APP_AWS_REGION; both must refer to the same user-pool region.
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: process.env.REACT_APP_AD_IDENTITY_POOL_ID,
        Logins: {
            [`cognito-idp.ap-south-1.amazonaws.com/${process.env.REACT_APP_AD_USER_POOL_ID}`]:
                idToken.jwtToken,
        },
    })
}
```

We are calling `Auth.federatedSignIn({ provider: 'AzureAD' })` once the button is clicked.

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

nadetastic commented 8 months ago

Hi @simha453 thank you for opening this issue. I'd like to clarify what you are experiencing - is this happening when:

  1. User signs out through `Auth.signOut()`
  2. User tries to sign back in through `Auth.federatedSignIn({ provider: 'AzureAD' })`
  3. They see the screenshot you shared above

Did I understand correctly?

simha453 commented 8 months ago

The scenario is, when the user tries to log in the first time, it works perfectly fine. But when the user closes the tab or logs out and tries to log in again by opening a new tab, the user gets this error page. Again the user has to close the tab and log in again.

simha453 commented 8 months ago

> Hi @simha453 thank you for opening this issue. I'd like to clarify what you are experiencing - is this happening when:
>
>   1. User signs out through `Auth.signOut()`
>   2. User tries to sign back in through `Auth.federatedSignIn({ provider: 'AzureAD' })`
>   3. They see the screenshot you shared above
>
> Did I understand correctly?

The scenario is, when the user tries to log in the first time, it works perfectly fine. But when the user closes the tab or logs out and tries to log in again by opening a new tab, the user gets this error page. Again the user has to close the tab and log in again.

nadetastic commented 8 months ago

@simha453 thanks for the clarification - it looks like the issue is on the Azure side, where it looks like it's processing a sign-out rather than a sign-in. Are you able to reproduce this without using Amplify? Specifically, if you go to the Cognito Hosted UI and try to log in from there instead.

simha453 commented 8 months ago

We tried the Cognito Hosted UI; it's logging in perfectly. The sign-out page does not come up.

simha453 commented 8 months ago

Any update on this ticket?

simha453 commented 8 months ago

Looking for your reply, any update on this ticket

nadetastic commented 7 months ago

Hi @simha453 after looking at this a bit more, I'm a bit curious how you are using the function you have defined as `onSetOTPAwsConfig()`. From looking at it, it looks like it is handling the identity pool credentials, which may be causing a conflict with what Amplify does for you under the hood.

Can you clarify what it does, and possibly remove it and see if you still experience this issue?

simha453 commented 7 months ago

Here I am including the complete code and the use of `onSetOTPAwsConfig()`; I have removed it and tested, and I get the same error.

```js
import { useEffect, useState } from 'react'
import { Amplify, Auth, Hub } from 'aws-amplify'
import AWS from 'aws-sdk'
// App-specific names used below (EMAIL_FORM_VIEW, useLoadOrganizationList,
// useAuthContext, AUTH_SESSION_CHECK, AUTH_SESSION_DATA, loginConst,
// onValidationSuccess, isLocalhost) come from elsewhere in the project
// and are not part of the issue.

// The hooks below run inside the login component's function body.
const [isError, setIsError] = useState(null)
const [view, setView] = useState(EMAIL_FORM_VIEW.EMAIL_VIEW)
const { mutate, isLoading } = useLoadOrganizationList()

const { dispatch } = useAuthContext()

const awsConfig = {
    Auth: {
        identityPoolId: `${process.env.REACT_APP_AD_IDENTITY_POOL_ID}`,
        region: `${process.env.REACT_APP_AWS_REGION}`,
        userPoolId: `${process.env.REACT_APP_AD_USER_POOL_ID}`,
        userPoolWebClientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
        oauth: {
            domain: `${process.env.REACT_APP_AD_DOMAIN_NAME}`,
            scope: ['email', 'openid'],
            redirectSignIn: isLocalhost()
                ? 'http://localhost:3000/login'
                : process.env.REACT_APP_REDIRECT_SIGNIN_URL,
            redirectSignOut: isLocalhost()
                ? 'http://localhost:3000/login'
                : process.env.REACT_APP_REDIRECT_SIGNOUT_URL,
            responseType: `${process.env.REACT_APP_AD_RESPONSE_TYPE}`,
            label: 'Log in with your company SSO',
            clientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
        },
    },
    Analytics: {
        disabled: true,
    },
}
// Note: this runs on every render of the component, not once at startup.
Amplify.configure({ ...awsConfig, ssr: true })

// Exchanges the user-pool id token for identity-pool credentials through
// the AWS SDK v2 directly, alongside the credentials Amplify manages.
const onSetOTPAwsConfig = async ({ idToken }) => {
    // Set the region where your identity pool exists (us-east-1, eu-west-1)
    AWS.config.region = process.env.REACT_APP_AWS_REGION
    // Configure the credentials provider to use your identity pool.
    // The Logins key hard-codes ap-south-1; it must match the region above.
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: process.env.REACT_APP_AD_IDENTITY_POOL_ID,
        Logins: {
            [`cognito-idp.ap-south-1.amazonaws.com/${process.env.REACT_APP_AD_USER_POOL_ID}`]:
                idToken.jwtToken,
        },
    })
}

// Reads the current session, caches it in sessionStorage and updates app state.
const getUser = async () => {
    const { signInUserSession } = await Auth.currentAuthenticatedUser()
    console.log({ signInUserSession })
    if (signInUserSession?.idToken?.payload?.email) {
        sessionStorage.setItem(AUTH_SESSION_CHECK, true)
        sessionStorage.setItem(
            AUTH_SESSION_DATA,
            JSON.stringify(signInUserSession)
        )
        dispatch({
            type: loginConst.LOGIN,
            payload: signInUserSession,
        })
        setIsError(null)
        onValidationSuccess()
    } else {
        setIsError('Login Error')
    }
}

useEffect(() => {
    const listener = async ({ payload: { event, data } }) => {
        switch (event) {
            case 'signIn':
            case 'cognitoHostedUI':
                await onSetOTPAwsConfig(data.signInUserSession)
                await getUser()
                break
            case 'signOut':
                // Hub emits 'signOut' after Auth.signOut() has already run,
                // so this call starts a second sign-out from inside the event.
                await Auth.signOut()
                break
            case 'signIn_failure':
            case 'cognitoHostedUI_failure':
                console.log('Sign in failure', data)
                break
            default:
                break
        }
    }
    Hub.listen('auth', listener)
    // Remove the listener on unmount so a remount does not register a second copy.
    return () => Hub.remove('auth', listener)
}, [])
```

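The Hub handling in the snippet above, as an added example that is neither the issue author's code nor part of aws-amplify: the event switch rewritten as plain functions with the Auth / AWS SDK calls injected through a `deps` object so it runs and can be tested offline, plus a helper that derives the Logins key from the configured region instead of a hard-coded one. The event names and the `payload.email` check are the ones used in the thread; `deps`, `cognitoLoginsKey` and `createAuthHubHandler` are assumed names.

```javascript
// Added example; not code from the issue author or from aws-amplify.
// `deps` stands in for the Auth / AWS SDK calls so nothing here needs
// a browser or network; the event names and the `payload.email` check
// are those used in the issue's Hub listener.

// Build the Logins map key from the configured region so the user pool
// and identity pool cannot silently refer to different regions.
function cognitoLoginsKey(region, userPoolId) {
  if (!region || !userPoolId) {
    throw new Error('region and userPoolId are required');
  }
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// deps: configureCredentials(jwt), onLogin(session), onLogout(), onError(msg)
// Returns a synchronous handler for Hub.listen('auth', handler); the
// return value names the branch taken so it can be asserted in tests.
function createAuthHubHandler(deps) {
  return ({ payload: { event, data } }) => {
    switch (event) {
      case 'signIn':
      case 'cognitoHostedUI': {
        const session = data && data.signInUserSession;
        const email = session?.idToken?.payload?.email;
        if (!email) {
          // Treat a session without an email claim as a failed login.
          deps.onError('Login Error');
          return 'error';
        }
        deps.configureCredentials(session.idToken.jwtToken);
        deps.onLogin(session);
        return 'login';
      }
      case 'signOut':
        // Hub emits this after Auth.signOut() has already completed, so
        // only local state is cleared here; signOut is never re-entered.
        deps.onLogout();
        return 'logout';
      case 'signIn_failure':
      case 'cognitoHostedUI_failure':
        deps.onError('Sign in failure');
        return 'error';
      default:
        return 'ignored';
    }
  };
}
```

In the real component, `deps.configureCredentials` would wrap the `AWS.CognitoIdentityCredentials` call and `deps.onLogout` would clear the sessionStorage entries, leaving the sign-out redirect itself to Amplify.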
sumitsahoo commented 7 months ago

@nadetastic It is really a pain that AWS Amplify does not support Azure AD out of the box and we have to do workarounds. We are also implementing our company SSO, and with v6 there have been a lot of changes in the APIs but no proper documentation.

BTW, do we know how to avoid the hosted UI? Also, if I have only one login option, i.e. via Azure AD, can I skip the hosted UI and directly redirect to MS login?

Resolved for me with #13119

simha453 commented 6 months ago

Any update on this ticket?

simha453 commented 6 months ago

Any update on this?

cwomack commented 6 months ago

@simha453 I'm not sure what you're trying to do with the sessionStorage part of your code, but that `getUser()` function may be messing with how Amplify is handling things out of the box. Similar to how you tried commenting out `onSetOTPAwsConfig`, can you see if commenting out/removing the `getUser` section (and where it's referenced in the Hub events) changes the behavior at all?

And out of curiosity, have you considered upgrading to a more recent version of Amplify? v5 would require less work than the newest v6, but both would offer some improvements and fixes!

cwomack commented 6 months ago

@simha453, wanted to ping again and see if you had a chance to review the above comment.

simha453 commented 6 months ago

I have commented out the `getUser` section and upgraded to the latest versions, v5 and v6. I have tried both cases, but it is not working; I get the same error. Give me a proper solution for this bug.

simha453 commented 5 months ago

Any update?

simha453 commented 4 months ago

Any update?

navv-christofer-flores commented 4 months ago

Any update? Or is there any config that we can set on the AD side?

simha453 commented 4 months ago

Any update?

simha453 commented 2 months ago

We have been waiting a long time for your update. Give me an update on this ASAP.