aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.43k stars 2.13k forks source link

Support completing an OAuth flow that is not initiated by Amplify (signInWithRedirect) #13343

Open bbdev9805 opened 6 months ago

bbdev9805 commented 6 months ago

Before opening, please confirm:

JavaScript Framework

Angular

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify CLI

Environment information

``` # Put output below this line System: OS: macOS 14.1 CPU: (12) arm64 Apple M3 Pro Memory: 66.95 MB / 18.00 GB Shell: 3.2.57 - /bin/bash Binaries: Node: 16.20.0 - /usr/local/bin/node npm: 8.19.4 - /usr/local/bin/npm Browsers: Chrome: 124.0.6367.119 Safari: 17.1 npmPackages: aws-amplify: ^6.0.28 => 6.0.28 npmGlobalPackages: @angular/cli: 16.2.0 @aws-amplify/cli: 12.10.1 corepack: 0.17.0 npm: 8.19.4 ```

Describe the bug

SSO via SAML works for SP-initiated but not for IdP-initiated SSO after upgrading to v6 from v5. I am redirected from the Idp to [https://www.example.com/?code=[Authorization](https://www.example.com/?code=%5BAuthorization) code] but cannot obtain the authentication token. When the getCurrentUser API is executed, a UserUnAuthenticatedException error occurs. IdP-initiated SSO also works in V5. This needs to be resolved immediately if IdP-initiated SSO is to be supported. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation-idp-initiation.html

Expected behavior

As in V5, the token can be obtained correctly after redirecting from the Idp.

Reproduction steps

  1. Access Idp's portal page.
  2. Select the displayed application.
  3. Redirect to https://www.example.com?code=[Authorization code].
  4. UserUnAuthenticatedException error occurs by getCurrentUser() .

Code Snippet

// Put your code below this line.

// Execute `getCurrentUser()` after being redirected from Idp.
await Auth.getCurrentUser();

Log output

``` // Put your logs below this line ```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

israx commented 6 months ago

hello @bbdev9805 . Sorry for any inconvenience using the library. Amplify v6 supports OAuth flows initiated from the same App only. You would need to kick off the OAuth flow by calling the signInWithRedirect API

bbdev9805 commented 6 months ago

@israx I have confirmed that it works with the signInWithRedirect API. However, when using IdP-initiated SSO, redirection occurs, making it impossible to use the signInWithRedirect API. What does it mean that IdP-initiated SSO, which was recently supported, cannot be used with Amplify v6? https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation-idp-initiation.html

israx commented 6 months ago

supporting IdP logins would be a feature request. The Auth singleton in Amplify v5 has a listener that would capture any code query param returned from the social provider and finish the authentication process. Ideally we would need to have a dedicated API that allows to do the same.

Pylinho commented 4 months ago

@israx have you got any further with the request to fix/begin supporting IdP logins again in v6? I am relying on this to upgrade from Amplify v5 -> v6.

Cheers.

chapati commented 4 months ago

+1 for support please

hakonmuggerud commented 4 months ago

+1 as well. We are depending on this featured to be able to upgrade to version 6

TimTimT commented 4 months ago

+1 Same

Maxiweb commented 4 months ago

+1 Cant update to v6 without this

OmarMuhtaseb commented 3 months ago

+1

OmarMuhtaseb commented 3 months ago

FYI, There was a duplicate issue, and it was suggested to downgrade to v5

https://github.com/aws-amplify/amplify-js/issues/12983#issuecomment-1934469713

israx commented 3 months ago

Hello everyone. I'll revisit this issue with the team to discuss its prioritization. Thank you for your patience.

jhw commented 3 months ago

I deleted my comment because I think in retrospect it wasn't related to this specify issue - it seems I had in fact failed to configure my S3 bucket properly for SPA hosting - so apologies for that

pedrokiefer commented 3 months ago

+1

tllatruw commented 1 month ago

Hi @israx , Is there any news on this? I suppose the conclusion was that this is not a priority?

cwomack commented 1 month ago

@tllatruw and anyone following this feature request, just wanted to check in. While we don't have an ETA on when this will be supported, it's still being reviewed internally by our team. We will provide an update as soon as we can.