Closed k1350 closed 3 weeks ago
@k1350, thanks for opening this issue and sorry to hearing your users are experiencing this.
CookieStorage
a subdomain or something different? @cwomack Thank you for your reply.
Can you share any detailed logs or network requests for when this happens.
The logs and network requests have not been captured.
Do you know any details around the version of Chrome these users are on?
OS: Windows 10
Browser: Chrome 129 (129.0.0.0)
Full User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Is your domain value within the CookieStorage a subdomain or something different?
If we set the domain of our application as example.com
, the domain for CookieStorage is also example.com
.
We are sharing cookies with another application running under the domain sub.example.com
.
For the users you interviewed... do you know if they are disabling cookie storage in Chrome specifically?
I have been informed that cookies are enabled.
This is additional information regarding the issue.
In our application, we added a process that signout and redirects them to the top page when a NotAuthorizedException
or UserNotFoundException
occurs during the execution of fetchAuthSession
yesterday.
As a result, the user encountering this issue have reported that the top page reloads repeatedly.
So I guess it comes down to this.
Sign-in is failing with the error: UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.
However, on the other hand, a NotAuthorizedException
or UserNotFoundException
is occurring during the execution of fetchAuthSession
, and it seems that the sign-out process is not working correctly in this case.
The NotAuthorizedException
or UserNotFoundException
errors we have observed is:
We know that NotAuthorizedException: Token is inactive
occurs when a user is deactivated.
However, we have not been able to reproduce the othe errors, and it is unclear under what circumstances they occur.
@cwomack Additional information: A user who encountered the problem reported that sign-in worked properly in Chrome's Incognito Mode. However, the issue still persists when not using Incognito Mode.
@k1350, appreciate the follow up. After reviewing this further, I think we'll need more information from the users that are experiencing or more logs if you can produce them whenever this happens with your app.
When using SSR, "sharing cookies with another application running under the domain sub.example.com" will not work out of the box. However, the fact that this is no issue for your Firefox and Chrome Incognito users may be a sign that the users experiencing this have some type of extension or something running on the client that's impacting the CookieStorage you've implemented.
Are you able to follow up with these users further and get any network requests or console logs in their browser? We'll try to reproduce this in our side, but still not quite sure how.
Edit: This (below text and my issue) all seems to be related to localhost, so probably not really relatecd to this issue and my apologies for the noise
I can open a separate issue if necessary but I am seeing the
UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.
_AmplifyError — AmplifyError.ts:13
_AuthError — AuthError.ts:6
(anonymous function) — dispatchSignedInHubEvent.ts:18
EVERY time if I use safari when running locally. Chrome and FF both work fine but I am unable to log in to my application with safari and get this error.
This is my setup:
Amplify.configure({
Auth: {
Cognito: {
userPoolId: xyz,
userPoolClientId: xyz,
},
},
})
cognitoUserPoolsTokenProvider.setKeyValueStorage(
// Set the cookie to expire in a few hours
new CookieStorage({ expires: 0.1, sameSite: "strict", secure: true }),
)
Disabling secure: true
for the cookie storage by leaving it undefined or setting it to false then allows me to login fine with safari. So something related to the secure cookies perhaps, seems to line up with the original issue/author?
Probably these: https://bugs.webkit.org/show_bug.cgi?id=281149 https://bugs.webkit.org/show_bug.cgi?id=232088
Hi @xconverge Safari restrictedly requires https protocol in order to set cookie attribute secure
as true
. More details see https://github.com/aws-amplify/amplify-js/issues/13182#issuecomment-2174640062
@cwomack Due to the user experiencing issues with the application in Chrome, he has decided to stop using it, which has made it difficult to obtain network requests or logs.
The user mentioned that he was unable to log in even after disabling all extensions. I received a list of his installed extensions and conducted testing. As a result, I could not replicate the issue in my environment even with all extensions enabled.
The user appeared to have an antivirus-related toolbar installed, so I installed the antivirus software he likely uses, but I still couldn’t reproduce the issue.
This seems to be a unique situation that's difficult to replicate outside of the user’s specific environment.
I will reach out if I obtain any additional information, though it’s unlikely that we’ll find much more. Thank you for your assistance with this investigation.
@k1350, sorry we couldn't help reproduce this or figure out the root cause. But if you have another user that experiences this and can find a way to get some logging around it or reproduce reliably, feel free to comment back and we can reopen the issue.
@cwomack Another user has encountered an issue that seem likely to be related to this one.
Although we still haven’t been able to reproduce it, we’ve gathered more detailed information since our previous report, so we’d like to share it.
In the previous comment, I mentioned:
In our application, we added a process that signout and redirects them to the top page when a NotAuthorizedException or UserNotFoundException occurs during the execution of fetchAuthSession yesterday. As a result, the user encountering this issue have reported that the top page reloads repeatedly.
However, we have since removed this process.
Additionally, I forgot to mention last time that we have another relevant implementation. Specifically, we have a mechanism to sign out and reload the page if a "tokenRefresh_failure" event occurs in Auth events.
Although the application appears to have signed out, a POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/
by aws-amplify/auth/cognito
's getCurrentUser
fails with a 400 error status code.
This situation then leads to the screen reloading repeatedly on its own.
After manually deleting all cookies saved in Chrome over all time periods, the application returned to a normal signed-out state.
It seems that, for some reason, cookies may not be deleting properly.
The previous user mentioned that "deleting cookies manually did not resolve the issue." However, this time, the user reported that "deleting cookies within a 4-week period didn’t work, but deleting them for the entire time period resolved the issue." It’s possible that the previous user may not have correctly deleted all cookies.
Additionally, it seems that even after repeatedly attempting the sign-out process, getCurrentUser
continued to fail.
The following errors might be occurred alongside the 400 error from https://cognito-identity.ap-northeast-1.amazonaws.com/
, as far as we could detect:
Moreover, In our application, if refreshTokens
continues to fail for some reason, it could lead to repeated page reloads.
Thank you.
@cwomack Hello. We were able to obtain the logs. Would it be possible for you to kindly reopen this issue?
Nov 13, 2024 07:37:16.250 AM UTC: User opened the application screen.
Nov 13, 2024 07:37:16.552 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:37:16.554 AM UTC: A tokenRefresh_failure event occurred. (data.payload.data.error.name = "NotAuthorizedException", data.payload.data.error.message = "Refresh Token has expired".) User was signed out.
Nov 13, 2024 07:37:16.562 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:37:16.564 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:37:16.735 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:37:16.736 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:37:16.736 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:37:16.847 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.
Nov 13, 2024 07:37:16.861 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.
Nov 13, 2024 07:37:25.642 AM UTC: User attempted to log in.
Nov 13, 2024 07:37:25.713 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:37:25.714 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:37:25.936 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:37:26.012 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (InitiateAuth) succeeded with a 200 status code.
Nov 13, 2024 07:37:26.359 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RespondToAuthChallenge) succeeded with a 200 status code.
Nov 13, 2024 07:37:26.428 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:37:26.429 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:37:26.432 AM UTC: Error "UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in" occurred.
Nov 13, 2024 07:40:08.198 AM UTC: User reloaded the application screen.
Nov 13, 2024 07:40:08.438 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:40:08.514 AM UTC: A tokenRefresh_failure event occurred. (data.payload.data.error.name = "NotAuthorizedException", data.payload.data.error.message = "Refresh Token has expired".) User was signed out.
Nov 13, 2024 07:40:08.519 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:40:08.521 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:40:08.651 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.651 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.652 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.703 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.704 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.791 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.
Nov 13, 2024 07:40:08.812 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.
Nov 13, 2024 07:40:14.475 AM UTC: User attempted to log in.
Nov 13, 2024 07:40:14.554 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:40:14.555 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:40:14.757 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.
Nov 13, 2024 07:40:14.799 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (InitiateAuth) succeeded with a 200 status code.
Nov 13, 2024 07:40:15.181 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RespondToAuthChallenge) succeeded with a 200 status code.
Nov 13, 2024 07:40:15.245 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.
Nov 13, 2024 07:40:15.246 AM UTC: A tokenRefresh_failure event occurred. User was signed out.
Nov 13, 2024 07:40:15.248 AM UTC: Error "UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in" occurred.
For those encountering a similar issue, here is the root cause that we identified:
The issue stems from using @aws-amplify/adapter-nextjs
to set cookies on the server-side.
When this library sets cookies, the domain
field is set with a default value, which is not documented but is mentioned in the following comment:
https://github.com/aws-amplify/amplify-js/issues/12866#issuecomment-1909220118
In our case, we explicitly specified the domain
field in the cookie configuration as follows:
'use client';
import { Amplify } from 'aws-amplify';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
import { CookieStorage } from 'aws-amplify/utils';
import { amplifyConfig } from '..';
Amplify.configure(amplifyConfig, { ssr: true });
cognitoUserPoolsTokenProvider.setKeyValueStorage(
new CookieStorage({
domain: "example.com",
secure: true,
path: '/',
sameSite: 'lax',
expires: 30,
}),
);
export function ConfigureAmplifyClientSide() {
return null;
}
However, when fetchAuthSession
is executed within Next.js's Server Actions or Route Handlers and a token refresh is triggered, a cookie with a different domain
field is set.
When the user logs out on the client side, cookies with a different domain
field are not deleted.
Eventually, these undeleted cookies expire, triggering a token refresh.
Since the cookies with mismatched domain
fields cannot be removed, token refresh continues to fail, leading to repeated attempts.
This was the reason for the login failure. When a login attempt is made, a token refresh failure event is triggered, causing valid cookies to be deleted.
Before opening, please confirm:
JavaScript Framework
Next.js
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
CDK
Environment information
Describe the bug
Most users are able to log in without any issues, but some users have reported that they are encountering the following error when attempting to log in:
UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.
After interviewing an affected user, we found that he can log in using Firefox, but he is unable to log in with Google Chrome, no matter how many times he trys. Clearing caches and cookies did not resolve the issue.
We have investigated this thoroughly but have been unable to reproduce the error, and the cause remains unclear. We also reviewed previously raised issues but did not find any information that could help resolve the problem.
What kind of situations can trigger this error? We would like to know how to resolve it for users who are encountering this error consistently.
Thank you.
Expected behavior
The authentication process should successfully complete without any errors.
Reproduction steps
As the issue has not been reproducible, we're unable to provide specific steps that consistently trigger the error. Below are the general steps a user would follow.
Code Snippet
Log output
aws-exports.js
No response
Manual configuration
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response