aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Apple Oauth signup has stopped working #8976

Closed paulsjohnson91 closed 2 years ago

paulsjohnson91 commented 2 years ago

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
"@aws-amplify/analytics": "^5.0.19",
"@aws-amplify/api": "^4.0.19",
"@aws-amplify/auth": "^4.3.9",
"@invertase/react-native-apple-authentication": "^1.1.2",
"@react-native-async-storage/async-storage": "^1.15.5",
"@react-native-community/datetimepicker": "^3.5.2",
"@react-native-community/google-signin": "^4.0.3",
"@react-native-community/masked-view": "^0.1.10",
"@react-native-community/netinfo": "^5.9.1",
"@react-native-community/push-notification-ios": "^1.8.0",
"@react-native-community/toolbar-android": "^0.1.0-rc.2",
"@react-native-firebase/analytics": "^10.8.1",
"@react-native-firebase/app": "10.8.1",
"@react-native-firebase/messaging": "10.8.1",
"@react-navigation/bottom-tabs": "5.11.11",
"@react-navigation/native": "5.9.4",
"@react-navigation/stack": "5.14.5",
"amazon-cognito-identity-js": "^5.2.0",
"aws-amplify": "^4.3.1",
"aws-amplify-react-native": "^5.0.3",
"crypto-js": "3.3.0",
"fuse.js": "^6.4.0",
"fuzzy": "^0.1.3",
"fuzzy-search": "^3.2.1",
"moment": "^2.24.0",
"prop-types": "^15.7.2",
"react": "16.13.1",
"react-native": "0.63.3",
"react-native-app-intro-slider": "^4.0.4",
"react-native-background-timer": "2.2.0",
"react-native-calendars": "^1.1129.0",
"react-native-camera": "^3.26.0",
"react-native-collapsible": "^1.5.2",
"react-native-config": "^1.2.0",
"react-native-deep-linking": "^2.2.0",
"react-native-dialog": "^5.6.0",
"react-native-elements": "^2.0.0",
"react-native-fast-image": "^8.1.5",
"react-native-fbsdk": "^2.0.0",
"react-native-floating-action": "https://github.com/ramonvermeulen/react-native-floating-action.git#fixForNativeDriverWarning",
"react-native-floating-label": "^0.2.3",
"react-native-gesture-handler": "^1.6.1",
"react-native-inappbrowser-reborn": "^3.6.3",
"react-native-iphone-x-helper": "^1.2.1",
"react-native-keychain": "^6.0.0",
"react-native-markdown-display": "^7.0.0-alpha.2",
"react-native-modal-datetime-picker": "^10.2.0",
"react-native-modest-checkbox": "^3.3.0",
"react-native-popup-menu": "^0.15.7",
"react-native-push-notification": "^7.4.0",
"react-native-reanimated": "^1.9.0",
"react-native-safe-area-context": "^3.2.0",
"react-native-screens": "^2.8.0",
"react-native-share": "^3.3.2",
"react-native-side-drawer": "^1.2.6",
"react-native-simple-toast": "^1.1.2",
"react-native-size-matters": "^0.4.0",
"react-native-snap-carousel": "3.9.1",
"react-native-spinkit": "^1.5.0",
"react-native-splash-screen": "^3.2.0",
"react-native-svg": "^12.1.0",
"react-native-svg-transformer": "^0.14.3",
"react-native-tab-view": "^2.14.2",
"react-native-vector-icons": "^6.6.0",
"react-native-view-shot": "^3.1.2",
"react-native-walkthrough-tooltip": "^1.1.9",
"react-redux": "^7.2.0",
"redux": "^4.0.5",
"redux-persist": "^6.0.0",
"redux-saga": "^1.1.3",
"redux-thunk": "^2.3.0",
"tcomb-form-native": "^0.6.20",
"url-parse": "^1.4.7"
```

### Describe the bug

```
OAuth - Error handling auth response. Error: Invalid+user+attributes%3A+given_name%3A+The+attribute+is+required%0A+
```

When attempting to sign up a new Apple user in Cognito, up until the last few days, it worked fine but now the `name` field isn't being sent and this causes an issue.

### Expected behavior

User should be successfully signed up

### Reproduction steps

Use federatedSignIn with provider SignInWithApple

### Code Snippet

My Auth config:

```javascript
Auth.configure({
  // ...awsConfig,
  userPoolId: '',
  userPoolWebClientId: '',
  identityPoolId: '',
  logins: {
    google: '',
  },
  region: 'eu-west-1',
  federatedTarget: 'COGNITO_USER_POOLS',
  authenticationFlowType: 'USER_PASSWORD_AUTH',
  oauth: {
    options: {
      urlOpener: async (url, redirectSignIn) => {
        await InAppBrowser.isAvailable();
        console.log(url);
        const response = await InAppBrowser.openAuth(
          url,
          redirectSignIn ? redirectSignIn : '',
          {
            dismissButtonStyle: 'cancel',
            showTitle: false,
            enableUrlBarHiding: true,
            enableDefaultShare: false,
          },
        );
        if (response.type === 'cancel') {
          console.log(response);
          navigate('Auth', {
            screen: 'HELLO',
            params: {date: Date.now()},
          });
        } else if (response.type === 'success' && response.url) {
          Auth.currentAuthenticatedUser()
            .then(() => {
              navigate('USER', {
                screen: 'SETPREFERENCES',
              });
            })
            .catch((err) => {});
          Linking.openURL(response.url);
        }
      },
    },
    domain: '',
    scope: [
      'phone',
      'email',
      'profile',
      'openid',
      'aws.cognito.signin.user.admin',
    ],
    redirectSignIn: '://login',
    redirectSignOut: '://',
    responseType: 'code',
  },
});
```

Sign in:

```
await Auth.federatedSignIn({provider: 'Facebook'});
```

When Apple login was first added, first name and last name weren't available as separate attributes, so I was using this attribute mapping:

![Screenshot 2021-10-01 at 13 23 19](https://user-images.githubusercontent.com/28013436/135619113-4a1b6ae6-1520-44bb-82c9-1d06cb2155c5.png)

When trying to sign in with this I now get

```
04:04.368 OAuth - Error handling auth response. Error: Invalid+user+attributes%3A+given_name%3A+The+attribute+is+required%0A+
```

When I looked at my pre sign up lambda trigger I can see that given_name doesn't appear:

```
"request": {
    "userAttributes": {
        "email_verified": "false",
        "cognito:email_alias": "",
        "cognito:phone_number_alias": "",
        "family_name": "Bearer",
        "email": ""
    },
    "validationData": {}
},
```

Once it stopped working, I realised that Amazon in Cognito have now set up two new fields, `firstName` and `lastName` to the attribute mapping tab for Apple so I've tried this

![Screenshot 2021-10-01 at 13 24 15](https://user-images.githubusercontent.com/28013436/135619219-2979ae99-42d0-4f16-9c7c-8bbd75c88344.png)

However, with this set I now get

```
[ERROR] 02:07.94 OAuth - Error handling auth response. Error: Invalid+user+attributes%3A+given_name%3A+The+attribute+is+required%0Afamily_name%3A+The+attribute+is+required%0A+
```

When I looked at my pre sign up lambda trigger I can see that given_name and family_name don't appear:

```
"request": {
    "userAttributes": {
        "email_verified": "false",
        "cognito:email_alias": "",
        "cognito:phone_number_alias": "",
        "email": ""
    },
    "validationData": {}
},
```

My conclusion is that neither the `name`, `firstName` or `lastName` fields are being provided to Cognito now by Amplify.

paulsjohnson91 commented 2 years ago

This means that currently no Apple users are able to sign up for the app. I would settle at this point for any workaround to be able to sign up users again, via either an app update or Cognito update, even if that meant that the name fields are populated with dummy information.

chrisbonifacio commented 2 years ago

Hi @paulsjohnson91 👋 Thank you for raising this issue. I changed my attribute mapping for Apple to yours but I wasn't able to reproduce the exact issue you're getting (Invalid+user+attributes). I was still able to sign up. Only thing I noticed was that I wasn't getting the newly checked off given_name or family_name attributes.

The reason for that seems to be:

> Unlike most OpenID Connect providers, Apple only provides scopes on the first user sign-in for a services ID, for privacy reasons

So, in order to provide new user information to my app, I had to sign into my Apple ID and remove my app from the Apps Using Apple ID section.

Afterwards I was able to get the new information signing up with a new account

That being said, I think the error you're getting is more related to the regular User Pool attribute settings. Do you have family name and given name set to Required here?

If so, considering the way Apple doesn't provide new user info on subsequent logins, the first/last name attributes won't get mapped to the user pool given/family name attributes on an existing account and might explain why you're getting that error. I would try my workaround above and remove the app from your App ID and sign up again.

Any new users should still be able to sign up for your app.

paulsjohnson91 commented 2 years ago

Hi @chrisbonifacio thanks for the quick response. I've been doing some further research and have reached the same conclusion, the users I was testing with had previously had an account and creating a new Apple account I was successfully able to sign in. A very frustrating feature from Apple, it doesn't sound like there is any possible workaround for this from Amplify / Cognito perspective. For anyone who discovers the same thing in the future, I've discovered that if the user goes into security and passwords on their device and deletes the login for the app, then they are able to sign up again. Not a perfect solution but it will have to do.

Thanks
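
An added example, not part of the thread and not Amplify or Cognito code: it decodes the two OAuth error strings quoted in the issue and checks them against the pre sign-up trigger events shown there, so the rejected attributes can be named in a log line or a user-facing message. The function names and the `REQUIRED` list are assumptions, since the pool's required-attribute settings are not shown in the thread.

```javascript
// Added example: strings and events below are the ones quoted in the issue.
const ERROR_NAME_MAPPING =
  'Invalid+user+attributes%3A+given_name%3A+The+attribute+is+required%0A+';
const ERROR_SPLIT_MAPPING =
  'Invalid+user+attributes%3A+given_name%3A+The+attribute+is+required%0A' +
  'family_name%3A+The+attribute+is+required%0A+';
const EVENT_NAME_MAPPING = {request: {userAttributes: {
  email_verified: 'false', 'cognito:email_alias': '',
  'cognito:phone_number_alias': '', family_name: 'Bearer', email: '',
}, validationData: {}}};
const EVENT_SPLIT_MAPPING = {request: {userAttributes: {
  email_verified: 'false', 'cognito:email_alias': '',
  'cognito:phone_number_alias': '', email: '',
}, validationData: {}}};
// Assumption: the pool marks these two standard attributes as required.
const REQUIRED = ['given_name', 'family_name'];

// The error text is form-urlencoded: '+' is a space, %0A a newline.
function decodeOAuthError(raw) {
  return decodeURIComponent(raw.replace(/\+/g, ' '));
}

// Attribute names the user pool rejected with "The attribute is required".
function missingFromError(raw) {
  return decodeOAuthError(raw)
    .replace(/^Invalid user attributes:\s*/, '')
    .split('\n')
    .map((line) => /^\s*([\w:]+): The attribute is required\s*$/.exec(line))
    .filter(Boolean)
    .map((match) => match[1]);
}

// Required attributes that are absent or empty in a pre sign-up trigger event.
function missingFromEvent(event, required) {
  const attrs = (event.request && event.request.userAttributes) || {};
  return required.filter((name) => !attrs[name]);
}

for (const [raw, event] of [
  [ERROR_NAME_MAPPING, EVENT_NAME_MAPPING],
  [ERROR_SPLIT_MAPPING, EVENT_SPLIT_MAPPING],
]) {
  console.log('rejected:', missingFromError(raw),
    'absent from event:', missingFromEvent(event, REQUIRED));
}
```

For both mappings the attributes named in the error are exactly the required ones missing from the trigger event, which matches the diagnosis in the thread: Apple did not resend the name on a repeat sign-in.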
