Closed takarabt closed 3 years ago
Hey @takarabt, sorry for the delay. Are you still experiencing this issue? If so, could you provide us with the response from Cognito when calling Auth.federatedSignIn?
Hey @chrisbonifacio,
We still have this issue; below is the response when calling Auth.federatedSignIn using an account with MFA activated:
Let me know if you need more inputs.
Hi @takarabt 👋 So, after doing a little bit of digging and trying out MFA with an external provider (also used Google), I found a couple of things.
Considering this is intended behavior, I'm going to close this issue, but please feel free to ask questions and/or open a new issue if you experience any other auth-related issues.
Hi @chrisbonifacio,
Regarding point 1:
Merging identities is supported in User Pools. We already support this in our API using the triggers (Pre sign-up/Post confirmation); basically a user could connect using his username/password or the linked external provider. In the User Pool only one account is created for both signin options. We are merging the identities based on the email.
For the username handling we are using the preferred_username; below is how it's displayed in our User Pool.
For point 2:
Let's assume that a user already activated MFA for his Cognito account but not at the external provider level. This will lead to an inconsistent signin flow: we ask the user for the MFA code when using the username/password but not when using the external provider, which makes the MFA feature useless in this case.
Relying on the external provider signin flow could lead to a lack of security. As an example you could refer to the gitlab.com MFA feature: you will see that a TOTP/verification code is requested from the user in both signin options, username/password or using the external idp.
Regards
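The e-mail-based identity merge described in point 1, as an added example that is neither the issue author's trigger code nor Amplify's: a Cognito PreSignUp Lambda (Node.js) that links a federated identity to the existing native user with the same e-mail, and refuses to link when the provider does not assert `email_verified`, since merging on a self-declared e-mail would let the holder of a federated account attach itself to someone else's native account. The provider-name map, the lowercase `google_<sub>` username format, the string-valued attributes and the injected `cognito` client are assumptions.

```javascript
// Added example (not from the issue or Amplify): Cognito PreSignUp trigger that
// merges a federated identity into the native user sharing its e-mail.
// Assumptions: federated userName looks like "google_<sub>"; attribute values
// arrive as strings; `cognito` is an injected AWS SDK v2-style client.
const PROVIDER_NAMES = { google: "Google", facebook: "Facebook" };

// Pure decision step: AdminLinkProviderForUser params, or null plus a reason.
// Refuses to merge unless the IdP asserts the e-mail as verified: linking on a
// self-declared e-mail would hand the native account to whoever owns the
// federated one.
function planLink(event, existingUsername) {
  if (event.triggerSource !== "PreSignUp_ExternalProvider") {
    return { link: null, reason: "not a federated sign-up" };
  }
  const attrs = event.request.userAttributes || {};
  if (attrs.email_verified !== "true") return { link: null, reason: "idp email not verified" };
  if (!existingUsername) return { link: null, reason: "no native user with this email" };
  const sep = event.userName.indexOf("_");
  if (sep < 1) return { link: null, reason: "unexpected federated userName" };
  const providerName = PROVIDER_NAMES[event.userName.slice(0, sep).toLowerCase()];
  const providerUserId = event.userName.slice(sep + 1);
  if (!providerName || !providerUserId) return { link: null, reason: "unknown provider" };
  return {
    reason: "ok",
    link: {
      UserPoolId: event.userPoolId,
      DestinationUser: { ProviderName: "Cognito", ProviderAttributeValue: existingUsername },
      SourceUser: { ProviderName: providerName, ProviderAttributeName: "Cognito_Subject",
                    ProviderAttributeValue: providerUserId },
    },
  };
}

// Lambda entry point. In Lambda, pass `new AWS.CognitoIdentityServiceProvider()`
// as `cognito`; here it is injected so the logic can run and be tested offline.
async function handler(event, cognito) {
  const email = (event.request.userAttributes || {}).email;
  let existing = null;
  // Only look up a native user when the e-mail is safe to embed in a ListUsers filter.
  if (email && !email.includes('"') && event.triggerSource === "PreSignUp_ExternalProvider") {
    const res = await cognito.listUsers({
      UserPoolId: event.userPoolId, Filter: `email = "${email}"`, Limit: 1 }).promise();
    existing = res.Users.length ? res.Users[0].Username : null;
  }
  const plan = planLink(event, existing);
  if (plan.link) await cognito.adminLinkProviderForUser(plan.link).promise();
  return event; // Cognito expects the (possibly modified) event back
}
if (typeof module !== "undefined") module.exports = { planLink, handler, PROVIDER_NAMES };
```

Linking the identities does not carry the native user's MFA requirement over to the federated flow; that remains the point 2 behaviour the maintainer describes as intended.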
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.
Describe the bug
If a user activates MFA in his account, when using the username/password signin a challenge is requested to the user:
But when using a linked identity (Google) to sign in, no challenge is requested.
To Reproduce
Steps to reproduce the behavior:
Could be reproduced using the Hosted UI
Expected behavior
The MFA challenge will be requested to the user.
Code Snippet
```js
await Auth.federatedSignIn({ provider: payload.provider }, Auth.oauth).catch((error) => Promise.reject(error))
```
What is Configured?
aws-exports file:
`aws cognito-idp describe-user-pool --user-pool-id us-west-2_xxxxxx` (Be sure to remove any sensitive data)
```json
{ "UserPool": {
  "Id": "eu-central-1", "Name": "dev",
  "Policies": { "PasswordPolicy": { "MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": false, "TemporaryPasswordValidityDays": 7 } },
  "LambdaConfig": { "PreSignUp": "arn:aws:lambda:", "PostConfirmation": "arn:aws:lambda:" },
  "LastModifiedDate": "", "CreationDate": "",
  "SchemaAttributes": [
    { "Name": "sub", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": false, "Required": true, "StringAttributeConstraints": { "MinLength": "1", "MaxLength": "2048" } },
    { "Name": "name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": true, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "given_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "family_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "middle_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "nickname", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "preferred_username", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "profile", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "picture", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "website", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "email", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": true, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "email_verified", "AttributeDataType": "Boolean", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false },
    { "Name": "gender", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "birthdate", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "10", "MaxLength": "10" } },
    { "Name": "zoneinfo", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "locale", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "phone_number", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "phone_number_verified", "AttributeDataType": "Boolean", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false },
    { "Name": "address", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } },
    { "Name": "updated_at", "AttributeDataType": "Number", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "NumberAttributeConstraints": { "MinValue": "0" } },
    { "Name": "identities", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": {} }
  ],
  "AutoVerifiedAttributes": [ "email" ],
  "AliasAttributes": [ "email", "preferred_username" ],
  "SmsVerificationMessage": "Your verification code is {####}. ",
  "EmailVerificationMessage": "Your account verification code is:\n<h1>{####}",
  "EmailVerificationSubject": "Account verification code",
  "VerificationMessageTemplate": { "SmsMessage": "Your verification code is {####}. ", "EmailMessage": "Your account verification code is:\n<h1>{####}", "EmailSubject": "Account verification code", "DefaultEmailOption": "CONFIRM_WITH_CODE" },
  "SmsAuthenticationMessage": "Your authentication code is {####}. ",
  "MfaConfiguration": "OPTIONAL",
  "EstimatedNumberOfUsers": ,
  "EmailConfiguration": { "EmailSendingAccount": "COGNITO_DEFAULT" },
  "UserPoolTags": {},
  "Domain": "dev-",
  "AdminCreateUserConfig": { "AllowAdminCreateUserOnly": false, "UnusedAccountValidityDays": 7, "InviteMessageTemplate": { "SMSMessage": "Your username is {username} and temporary password is {####}. ", "EmailMessage": "<h3>\n<center>\n<br>\nWelcome {username},<br>\n<br>\nThank you for signing up<br> \n<br>\nYour temporary password is:\n<h1>{####}</h1>\n<br>\nThe team\n</center>\n</h3>", "EmailSubject": "Your temporary password" } },
  "Arn": "",
  "AccountRecoverySetting": { "RecoveryMechanisms": [ { "Priority": 1, "Name": "verified_email" }, { "Priority": 2, "Name": "verified_phone_number" } ] }
} }
```
Environment
```
System:
  OS: Windows 10 10.0.19041
  CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
  Memory: 4.79 GB / 15.84 GB
Binaries:
  Node: 10.16.3 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.4 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
  npm: 6.9.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: 88.0.4324.150
  Edge: Spartan (44.19041.423.0), Chromium (88.0.705.68)
  Internet Explorer: 11.0.19041.1
npmPackages:
  @chenfengyuan/vue-number-input: 1.2.1 => 1.2.1
  @stripe/stripe-js: ^1.10.0 => 1.10.0
  @vue/cli-plugin-babel: ^4.0.0 => 4.5.4
  @vue/cli-plugin-eslint: ^4.0.0 => 4.5.4
  @vue/cli-plugin-unit-jest: ^4.0.0 => 4.5.4
  @vue/cli-service: ^4.0.0 => 4.5.4
  @vue/eslint-config-standard: ^4.0.0 => 4.0.0
  @vue/test-utils: ^1.0.0-beta.28 => 1.0.5
  aws-amplify: ^2.2.0 => 2.3.0
  aws-amplify-vue: ^1.1.1 => 1.1.4
  axios: ^0.18.0 => 0.18.1
  axios-mock-adapter: ^1.17.0 => 1.18.2
  babel-core: ^7.0.0-bridge.0 => 7.0.0-bridge.0
  babel-eslint: ^10.1.0 => 10.1.0
  bootstrap: 4.4.1 => 4.4.1
  bootstrap-vue: 2.0.0 => 2.0.0
  chart.js: ^2.9.3 => 2.9.3
  core-js: ^3.3.2 => 3.6.5
  css-loader: ^1.0.0 => 1.0.1
  currency-symbol-map: ^4.0.4 => 4.0.4
  eslint: ^5.16.0 => 5.16.0
  eslint-config-airbnb-base: ^14.1.0 => 14.2.0
  eslint-plugin-import: ^2.20.2 => 2.22.0
  eslint-plugin-vue: ^5.2.3 => 5.2.3
  expose-loader: ^0.7.5 => 0.7.5
  express: ^4.16.4 => 4.17.1
  file-saver: ^2.0.2 => 2.0.2
  filepond: ^3.3.3 => 3.9.0
  filepond-plugin-file-encode: ^2.0.0 => 2.1.9
  filepond-plugin-file-validate-size: ^2.0.0 => 2.2.1
  filepond-plugin-file-validate-type: ^1.2.0 => 1.2.5
  filepond-plugin-image-edit: ^1.0.1 => 1.6.1
  filepond-plugin-image-exif-orientation: ^1.0.3 => 1.0.9
  filepond-plugin-image-preview: ^3.1.4 => 3.1.6
  filepond-plugin-image-validate-size: ^1.1.0 => 1.2.4
  font-awesome: 4.7.0 => 4.7.0
  imports-loader: ^0.8.0 => 0.8.0
  json-size: ^1.0.0 => 1.0.0
  json-to-pretty-yaml: ^1.2.2 => 1.2.2
  jszip: ^3.5.0 => 3.5.0
  jwt-decode: ^2.2.0 => 2.2.0
  line-awesome: ^1.2.0 => 1.3.0
  md5: ^2.3.0 => 2.3.0
  moment: ^2.25.1 => 2.27.0
  napa: ^3.0.0 => 3.0.0
  node-sass: ^4.9.0 => 4.14.1
  prerender-spa-plugin: ^3.4.0 => 3.4.0
  raw-loader: ^4.0.0 => 4.0.1
  s3-deploy: ^1.2.1 => 1.4.0
  sass-loader: ^7.0.1 => 7.3.1
  v-tooltip: ^2.0.0-rc.33 => 2.0.3
  vue: ^2.6.11 => 2.6.12
  vue-axios: ^2.1.4 => 2.1.5
  vue-bulma-accordion: ^0.4.8 => 0.4.8
  vue-chartjs: ^3.5.1 => 3.5.1
  vue-clipboard2: ^0.2.1 => 0.2.1
  vue-cookies: ^1.7.2 => 1.7.4
  vue-cool-select: ^2.10.2 => 2.11.1
  vue-cropperjs: ^4.0.1 => 4.1.0
  vue-filepond: ^4.0.1 => 4.0.3
  vue-good-table: ^2.16.0 => 2.21.0
  vue-gtag: ^1.10.0 => 1.10.0
  vue-js-toggle-button: ^1.3.0 => 1.3.3
  vue-meta: ^2.4.0 => 2.4.0
  vue-multipane: ^0.9.5 => 0.9.5
  vue-plugin-load-script: ^1.2.0 => 1.3.2
  vue-ramda: ^1.0.0 => 1.0.0
  vue-recaptcha: ^1.3.0 => 1.3.0
  vue-router: ^3.0.1 => 3.4.3
  vue-select: ^3.10.8 => 3.10.8
  vue-sidebar-menu: ^3.6.3 => 3.12.2
  vue-stepper-component: ^1.0.0 => 1.0.0
  vue-tabs-component: ^1.5.0 => 1.5.0
  vue-tel-input: 4.4.0 => 4.4.0
  vue-template-compiler: ^2.6.10 => 2.6.12
  vue-touch: 2.0.0-beta.4 => 2.0.0-beta.4
  vue2-filters: ^0.11.0 => 0.11.0
  vue2-timeago: ^1.1.3 => 1.2.8
  vuejs-auto-complete: ^0.9.0 => 0.9.0
  vuejs-datepicker: ^1.5.4 => 1.6.2
  vuejs-dialog: ^1.3.0 => 1.4.2
  vuescroll: ^4.16.0 => 4.16.1
  vuex: ^3.0.1 => 3.5.1
  vuex-localstorage: ^1.0.0 => 1.0.0
  vuex-router-sync: ^5.0.0 => 5.0.0
  webpack-cli: ^3.1.2 => 3.3.12
  webpack-raphael: ^2.1.4 => 2.1.4
  yamljs: ^0.3.0 => 0.3.0
npmGlobalPackages:
  @aws-amplify/cli: 4.2.0
  @vue/cli: 3.9.3
  npm-cli-adduser: 1.1.4
  rimraf: 3.0.0
  serverless: 1.53.0
  ts-node: 8.6.2
  typescript: 3.8.3
```