MFA not working when sign in with external provider

[takarabt]

Describe the bug If a user activate the MFA in his account when using the username/password singin a challenge was requested to the user:

{
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "Session": "",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "userName"
    }
}

But when using a linked identity (Google) to signin no challenge requested.

To Reproduce Steps to reproduce the behavior:

Could be reproduced using the Hosted UI

1. Create a Cognito user pool with MFA enabled (Optional)
2. Create a username/password account
3. Link the new created account with an external provider (In my case I used the same google email for the username/password account)
4. Sign in using the external provider (Hosted UI could be used)

Expected behavior The MFA challenge will be requested to the user.

Code Snippet

await Auth.federatedSignIn({ provider: payload.provider }, Auth.oauth).catch((error) => Promise.reject(error))

Screenshots

What is Configured?

• aws-exports file:

  export default {
  Auth: {
  mandatorySignIn: true,
  region: process.env.VUE_APP_AWS_REGION,
  userPoolId: process.env.VUE_APP_AWS_USER_POOL_ID,
  identityPoolId: process.env.VUE_APP_AWS_IDENTITY_POOL_ID,
  userPoolWebClientId: process.env.VUE_APP_AWS_APP_CLIENT_ID_ADMIN_NO_SRP_AUTH
  },
  oauth: {
  domain: process.env.VUE_APP_AWS_COGNITO_USER_POOL_DOMAIN,
  scope: ['profile', 'openid', 'email'],
  redirectSignIn: `localhost:3000`,
  redirectSignOut: `localhost:3000`,
  responseType: 'token' 
  },
  federationTarget: 'COGNITO_USER_POOLS'
  }
  

  • If applicable, please provide your manual configuration example:

    {
    Auth: {
    identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    region: 'XX-XXXX-X',
    identityPoolRegion: 'XX-XXXX-X',
    userPoolId: 'XX-XXXX-X_abcd1234',
    userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',
    mandatorySignIn: true,
    authenticationFlowType: 'ALLOW_USER_SRP_AUTH',
    oauth: {
        domain: 'your_cognito_domain',
        scope: ['phone', 'email', 'profile', 'openid', 'aws.cognito.signin.user.admin'],
        redirectSignIn: 'http://localhost:3000/',
        redirectSignOut: 'http://localhost:3000/',
        responseType: 'code'
       }
    }
    }

  • If applicable, provide more configuration data, for example for Amazon Cognito, run aws cognito-idp describe-user-pool --user-pool-id us-west-2_xxxxxx (Be sure to remove any sensitive data)

{ "UserPool": { "Id": "eu-central-1", "Name": "dev", "Policies": { "PasswordPolicy": { "MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": false, "TemporaryPasswordValidityDays": 7 } }, "LambdaConfig": { "PreSignUp": "arn:aws:lambda:", "PostConfirmation": "arn:aws:lambda:" }, "LastModifiedDate": "", "CreationDate": "", "SchemaAttributes": [ { "Name": "sub", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": false, "Required": true, "StringAttributeConstraints": { "MinLength": "1", "MaxLength": "2048" } }, { "Name": "name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": true, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "given_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "family_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "middle_name", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "nickname", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "preferred_username", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "profile", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "picture", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "website", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "email", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": true, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "email_verified", "AttributeDataType": "Boolean", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false }, { "Name": "gender", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "birthdate", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "10", "MaxLength": "10" } }, { "Name": "zoneinfo", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "locale", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "phone_number", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "phone_number_verified", "AttributeDataType": "Boolean", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false }, { "Name": "address", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": { "MinLength": "0", "MaxLength": "2048" } }, { "Name": "updated_at", "AttributeDataType": "Number", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "NumberAttributeConstraints": { "MinValue": "0" } }, { "Name": "identities", "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Required": false, "StringAttributeConstraints": {} } ], "AutoVerifiedAttributes": [ "email" ], "AliasAttributes": [ "email", "preferred_username" ], "SmsVerificationMessage": "Your verification code is {####}. ", "EmailVerificationMessage": "Your account verification code is:\n<h1>{####}", "EmailVerificationSubject": "Account verification code", "VerificationMessageTemplate": { "SmsMessage": "Your verification code is {####}. ", "EmailMessage": "Your account verification code is:\n<h1>{####}", "EmailSubject": "Account verification code", "DefaultEmailOption": "CONFIRM_WITH_CODE" }, "SmsAuthenticationMessage": "Your authentication code is {####}. ", "MfaConfiguration": "OPTIONAL", "EstimatedNumberOfUsers": , "EmailConfiguration": { "EmailSendingAccount": "COGNITO_DEFAULT" }, "UserPoolTags": {}, "Domain": "dev-", "AdminCreateUserConfig": { "AllowAdminCreateUserOnly": false, "UnusedAccountValidityDays": 7, "InviteMessageTemplate": { "SMSMessage": "Your username is {username} and temporary password is {####}. ", "EmailMessage": "<h3>\n<center>\n<br>\nWelcome {username},<br>\n<br>\nThank you for signing up<br> \n<br>\nYour temporary password is:\n<h1>{####}</h1>\n<br>\nThe team\n</center>\n</h3>", "EmailSubject": "Your temporary password" } }, "Arn": "", "AccountRecoverySetting": { "RecoveryMechanisms": [ { "Priority": 1, "Name": "verified_email" }, { "Priority": 2, "Name": "verified_phone_number" } ] } } }

Environment

``` System: OS: Windows 10 10.0.19041 CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz Memory: 4.79 GB / 15.84 GB Binaries: Node: 10.16.3 - C:\Program Files\nodejs\node.EXE Yarn: 1.22.4 - C:\Program Files (x86)\Yarn\bin\yarn.CMD npm: 6.9.0 - C:\Program Files\nodejs\npm.CMD Browsers: Chrome: 88.0.4324.150 Edge: Spartan (44.19041.423.0), Chromium (88.0.705.68) Internet Explorer: 11.0.19041.1 npmPackages: @chenfengyuan/vue-number-input: 1.2.1 => 1.2.1 @stripe/stripe-js: ^1.10.0 => 1.10.0 @vue/cli-plugin-babel: ^4.0.0 => 4.5.4 @vue/cli-plugin-eslint: ^4.0.0 => 4.5.4 @vue/cli-plugin-unit-jest: ^4.0.0 => 4.5.4 @vue/cli-service: ^4.0.0 => 4.5.4 @vue/eslint-config-standard: ^4.0.0 => 4.0.0 @vue/test-utils: ^1.0.0-beta.28 => 1.0.5 aws-amplify: ^2.2.0 => 2.3.0 aws-amplify-vue: ^1.1.1 => 1.1.4 axios: ^0.18.0 => 0.18.1 axios-mock-adapter: ^1.17.0 => 1.18.2 babel-core: ^7.0.0-bridge.0 => 7.0.0-bridge.0 babel-eslint: ^10.1.0 => 10.1.0 bootstrap: 4.4.1 => 4.4.1 bootstrap-vue: 2.0.0 => 2.0.0 chart.js: ^2.9.3 => 2.9.3 core-js: ^3.3.2 => 3.6.5 css-loader: ^1.0.0 => 1.0.1 currency-symbol-map: ^4.0.4 => 4.0.4 eslint: ^5.16.0 => 5.16.0 eslint-config-airbnb-base: ^14.1.0 => 14.2.0 eslint-plugin-import: ^2.20.2 => 2.22.0 eslint-plugin-vue: ^5.2.3 => 5.2.3 expose-loader: ^0.7.5 => 0.7.5 express: ^4.16.4 => 4.17.1 file-saver: ^2.0.2 => 2.0.2 filepond: ^3.3.3 => 3.9.0 filepond-plugin-file-encode: ^2.0.0 => 2.1.9 filepond-plugin-file-validate-size: ^2.0.0 => 2.2.1 filepond-plugin-file-validate-type: ^1.2.0 => 1.2.5 filepond-plugin-image-edit: ^1.0.1 => 1.6.1 filepond-plugin-image-exif-orientation: ^1.0.3 => 1.0.9 filepond-plugin-image-preview: ^3.1.4 => 3.1.6 filepond-plugin-image-validate-size: ^1.1.0 => 1.2.4 font-awesome: 4.7.0 => 4.7.0 imports-loader: ^0.8.0 => 0.8.0 json-size: ^1.0.0 => 1.0.0 json-to-pretty-yaml: ^1.2.2 => 1.2.2 jszip: ^3.5.0 => 3.5.0 jwt-decode: ^2.2.0 => 2.2.0 line-awesome: ^1.2.0 => 1.3.0 md5: ^2.3.0 => 2.3.0 moment: ^2.25.1 => 2.27.0 napa: ^3.0.0 => 3.0.0 node-sass: ^4.9.0 => 4.14.1 prerender-spa-plugin: ^3.4.0 => 3.4.0 raw-loader: ^4.0.0 => 4.0.1 s3-deploy: ^1.2.1 => 1.4.0 sass-loader: ^7.0.1 => 7.3.1 v-tooltip: ^2.0.0-rc.33 => 2.0.3 vue: ^2.6.11 => 2.6.12 vue-axios: ^2.1.4 => 2.1.5 vue-bulma-accordion: ^0.4.8 => 0.4.8 vue-chartjs: ^3.5.1 => 3.5.1 vue-clipboard2: ^0.2.1 => 0.2.1 vue-cookies: ^1.7.2 => 1.7.4 vue-cool-select: ^2.10.2 => 2.11.1 vue-cropperjs: ^4.0.1 => 4.1.0 vue-filepond: ^4.0.1 => 4.0.3 vue-good-table: ^2.16.0 => 2.21.0 vue-gtag: ^1.10.0 => 1.10.0 vue-js-toggle-button: ^1.3.0 => 1.3.3 vue-meta: ^2.4.0 => 2.4.0 vue-multipane: ^0.9.5 => 0.9.5 vue-plugin-load-script: ^1.2.0 => 1.3.2 vue-ramda: ^1.0.0 => 1.0.0 vue-recaptcha: ^1.3.0 => 1.3.0 vue-router: ^3.0.1 => 3.4.3 vue-select: ^3.10.8 => 3.10.8 vue-sidebar-menu: ^3.6.3 => 3.12.2 vue-stepper-component: ^1.0.0 => 1.0.0 vue-tabs-component: ^1.5.0 => 1.5.0 vue-tel-input: 4.4.0 => 4.4.0 vue-template-compiler: ^2.6.10 => 2.6.12 vue-touch: 2.0.0-beta.4 => 2.0.0-beta.4 vue2-filters: ^0.11.0 => 0.11.0 vue2-timeago: ^1.1.3 => 1.2.8 vuejs-auto-complete: ^0.9.0 => 0.9.0 vuejs-datepicker: ^1.5.4 => 1.6.2 vuejs-dialog: ^1.3.0 => 1.4.2 vuescroll: ^4.16.0 => 4.16.1 vuex: ^3.0.1 => 3.5.1 vuex-localstorage: ^1.0.0 => 1.0.0 vuex-router-sync: ^5.0.0 => 5.0.0 webpack-cli: ^3.1.2 => 3.3.12 webpack-raphael: ^2.1.4 => 2.1.4 yamljs: ^0.3.0 => 0.3.0 npmGlobalPackages: @aws-amplify/cli: 4.2.0 @vue/cli: 3.9.3 npm-cli-adduser: 1.1.4 rimraf: 3.0.0 serverless: 1.53.0 ts-node: 8.6.2 typescript: 3.8.3 ```

[chrisbonifacio]

Hey @takarabt, sorry for the delay. Are you still experiencing this issue? If so, could you provide us with the response from Cognito when calling Auth.federatedSignIn?

[takarabt]

Hey @chrisbonifacio,

We still have this issue, bellow the response when calling Auth.federatedSignIn using an account with MFA activated:

Let me know if you need more inputs.

[chrisbonifacio]

Hi @takarabt 👋 So, after doing a little bit of digging and trying out MFA with an external provider (also used Google), I found a couple things.

1. If you sign up through Amplify's Auth API by Email, a Cognito User Pool user will be created with their User Pool User ID as the username. If you were to sign up through OAuth with the same email, a separate user is created with a different username. Merged identities are not yet supported in User Pools. So, I would take this into consideration because you might have to handle merging the identities in your API.

2. We don't challenge users with MFA that are registered through an external provider so this behavior is intended. MFA would have to be enabled through the external provider so that the user must provide a TOTP/verification code before being redirected to your app. We are trusting the external provider to properly authenticate the user, a process which may or may not already include MFA.

Considering this is intended behavior, I'm going to close this issue but please feel free to ask questions and/or open a new issue if you experience any other auth related issues.

[takarabt]

Hi @chrisbonifacio,

Regarding point 1:

• Merging identities is supported in User Pools. We already support this in our API using the triggers (Pre sign-up/Post confirmation), basically a user could connect using his username/passwrod or the linked external provider. In the User Pool only one account is created for both signin options. We are merging the identities based in the email.

• For the username handling we are using the preferred_username below how it's displayed in our User Pool.

For point 2:

• Let's assume that a user already activated MFA for his Cognito account but not in the external provider level, this will lead to an inconsistent signin flow, we ask the user for the MFA code when using the username/password but not when using the external provider which makes the MFA feature useless in this case.

• Relying to the external provider signin flow could lead to lack of security. As example you could refer to the gitlab.com MFA feature you will see that TOTP/verification code was requested to the user in both signin options username/password or using external idp.

Regards

[github-actions[bot]]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.