aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Authorization Code Flow fails when using Cognito User Pool OIDC Provider #9133

Closed perspectivus1 closed 2 years ago

perspectivus1 commented 2 years ago

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
# Put output below this line
System:
  OS: Windows 10 10.0.19043
  CPU: (12) x64 Intel(R) Xeon(R) E-2176M CPU @ 2.70GHz
  Memory: 9.71 GB / 31.51 GB
Binaries:
  Node: 14.17.0 - C:\Program Files\nodejs\node.EXE
  npm: 6.14.13 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Edge: Spartan (44.19041.1266.0), Chromium (95.0.1020.38)
  Internet Explorer: 11.0.19041.1202
npmPackages:
  @ant-design/icons: ^4.6.2 => 4.6.2
  @apollo/client: ^3.4.2 => 3.4.2
  @apollo/client/cache: undefined ()
  @apollo/client/core: undefined ()
  @apollo/client/errors: undefined ()
  @apollo/client/link/batch: undefined ()
  @apollo/client/link/batch-http: undefined ()
  @apollo/client/link/context: undefined ()
  @apollo/client/link/core: undefined ()
  @apollo/client/link/error: undefined ()
  @apollo/client/link/http: undefined ()
  @apollo/client/link/persisted-queries: undefined ()
  @apollo/client/link/retry: undefined ()
  @apollo/client/link/schema: undefined ()
  @apollo/client/link/utils: undefined ()
  @apollo/client/link/ws: undefined ()
  @apollo/client/react: undefined ()
  @apollo/client/react/components: undefined ()
  @apollo/client/react/context: undefined ()
  @apollo/client/react/data: undefined ()
  @apollo/client/react/hoc: undefined ()
  @apollo/client/react/hooks: undefined ()
  @apollo/client/react/parser: undefined ()
  @apollo/client/react/ssr: undefined ()
  @apollo/client/testing: undefined ()
  @apollo/client/utilities: undefined ()
  @aws-amplify/ui-react: ^1.2.4 => 1.2.6
  @fontsource/roboto: ^4.4.5 => 4.4.5
  @material-ui/core: ^4.11.4 => 4.11.4
  @material-ui/data-grid: ^4.0.0-alpha.33 => 4.0.0-alpha.33
  @material-ui/icons: ^4.11.2 => 4.11.2
  @material-ui/lab: ^4.0.0-alpha.58 => 4.0.0-alpha.60
  @testing-library/jest-dom: ^5.11.4 => 5.14.1
  @testing-library/react: ^11.1.0 => 11.2.7
  @testing-library/user-event: ^12.1.10 => 12.8.3
  @types/antd: ^1.0.0 => 1.0.0
  @types/jest: ^26.0.15 => 26.0.23
  @types/js-yaml: ^4.0.1 => 4.0.1
  @types/lodash: ^4.14.170 => 4.14.171
  @types/node: ^12.0.0 => 12.20.15
  @types/react: ^17.0.11 => 17.0.11
  @types/react-dom: ^17.0.0 => 17.0.8
  @types/react-router-dom: ^5.1.8 => 5.1.8
  @types/react-simple-maps: ^1.0.6 => 1.0.6
  @types/styled-components: ^5.1.9 => 5.1.10
  antd: ^4.16.6 => 4.16.8
  aws-amplify: ^4.1.2 => 4.2.0
  axios: ^0.21.1 => 0.21.1
  axios-mock-adapter: ^1.19.0 => 1.19.0
  generate-react-cli: ^7.0.0 => 7.0.3
  graphql: ^15.5.1 => 15.5.1 (14.0.0)
  js-yaml: ^4.1.0 => 4.1.0 (3.14.1)
  lodash: ^4.17.21 => 4.17.21
  react: ^17.0.2 => 17.0.2
  react-dom: ^17.0.2 => 17.0.2
  react-dropzone: ^11.3.2 => 11.3.4
  react-router-dom: ^5.2.0 => 5.2.0
  react-scripts: 4.0.3 => 4.0.3
  react-simple-maps: ^2.0.0 => 2.3.0
  sass: ^1.34.1 => 1.35.1
  styled-components: ^5.3.0 => 5.3.0
  styled-components/macro: undefined ()
  styled-components/native: undefined ()
  styled-components/primitives: undefined ()
  typescript: ^4.1.2 => 4.3.4
  web-vitals: ^1.0.1 => 1.1.2
npmGlobalPackages:
  @aws-amplify/cli: 5.3.0
  http-server: 0.12.3
  npm: 6.14.13
```

Describe the bug

I use `Auth.federatedSignIn({ customProvider: '<my-oidc-idp>' });` to initiate an OAuth authorization code flow.

The initial outbound request to Cognito succeeds, but when the user gets redirected back to my app with a valid authorization code, Amplify fails on this error:

Invalid state in OAuth flow

This happens because Amplify generates a state URL parameter, but then Cognito generates its own state URL parameter and passes that along to the target IDP (OIDC in my case).

Expected behavior

The state validation should have succeeded and the flow should have continued to try and obtain my access token.

Is this a Cognito issue? Why does it generate a new state?

Can state validation be turned off in Amplify?

Reproduction steps

  1. Setup a Cognito User Pool with App Client and IdP (OIDC)
  2. Run the code snippet below.

Code Snippet

```javascript
// Put your code below this line.
import Amplify, { Auth } from 'aws-amplify';

// `config` is the app's own settings object (region, user pool id, app client id).
Amplify.configure({
  Auth: {
    region: config.cognito.region,
    userPoolId: config.cognito.userPoolId,
    userPoolWebClientId: config.cognito.userPoolClientId,
    oauth: {
      domain: '<my-cognito-app-domain-prefix>.auth.eu-central-1.amazoncognito.com',
      scope: ['openid', 'aws.cognito.signin.user.admin', 'profile'],
      redirectSignIn: 'http://localhost:3000/',
      redirectSignOut: 'http://localhost:3000/logout',
      responseType: 'code',
    },
  },
});

// Start the authorization code flow against the named OIDC IdP.
Auth.federatedSignIn({ customProvider: '<my-cognito-named-oidc-idp>' });
```

Log output

Network calls:

```
https://.auth.eu-central-1.amazoncognito.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=&identity_provider=githubtools&scope=openid%20aws.cognito.signin.user.admin%20profile&state=&code_challenge=&code_challenge_method=S256
https://.execute-api.eu-central-1.amazonaws.com/prod/authorize?client_id=&redirect_uri=https%3A%2F%.auth.eu-central-1.amazoncognito.com%2Foauth2%2Fidpresponse&scope=openid+read%3Auser+user%3Aemail&response_type=code&state=
http://localhost:3000/?code=&state=
```

Call stack (webpacked -- sorry):

```
// Put your logs below this line
[ERROR] 35:06.969 OAuth - Error handling auth response. Error: Invalid state in OAuth flow
    at OAuth._validateState (vendors~main.chunk.js:88301)
    at OAuth. (vendors~main.chunk.js:88243)
    at step (vendors~main.chunk.js:87957)
    at Object.next (vendors~main.chunk.js:87888)
    at vendors~main.chunk.js:87860
    at new Promise ()
    at push../node_modules/@aws-amplify/auth/lib-esm/OAuth/OAuth.js.__awaiter (vendors~main.chunk.js:87839)
    at OAuth.handleAuthResponse (vendors~main.chunk.js:88212)
    at AuthClass. (vendors~main.chunk.js:87307)
```


chrisbonifacio commented 2 years ago

Hi @perspectivus1 👋 I don't think anything's changed for the authorization code flow with an OIDC provider. This issue could be caused by several things. This issue thread might be helpful: https://github.com/aws-amplify/amplify-js/issues/3055.

Does your app client have the client secret box checked? I believe this is enabled by default but it should be disabled/unchecked.

chrisbonifacio commented 2 years ago

Hi 👋 Closing this as we have not heard back from you. If you are still experiencing this issue and in need of assistance, please feel free to comment and provide us with any information previously requested by our team members so we can re-open this issue and be better able to assist you. Thank you!

SubashManian commented 2 years ago

Hi @chrisbonifacio, I'm following this document to set up SSO: https://docs.amplify.aws/lib/auth/social/q/platform/js/#setup-your-auth-provider

I'm also getting success and a token in this code:

```javascript
import { Linking } from 'react-native';
import InAppBrowser from 'react-native-inappbrowser-reborn';

async function urlOpener(url, redirectUrl) {
  await InAppBrowser.isAvailable();
  const { type, url: newUrl } = await InAppBrowser.openAuth(url, redirectUrl, {
    showTitle: false,
    enableUrlBarHiding: true,
    enableDefaultShare: false,
    ephemeralWebSession: false,
  });

  if (type === 'success') {
    Linking.openURL(newUrl);
  }
}
```

But in the Hub listener I'm getting `signin_failure` and the error message `OAuth - Error handling auth response. Error: Invalid state in OAuth flow`:

```javascript
import { Hub } from 'aws-amplify';

Hub.listen('auth', ({ payload: { event, data } }) => {
  switch (event) {
    case 'signIn':
      this.setState({ user: data });
      break;
    case 'signOut':
      this.setState({ user: null });
      break;
    case 'customOAuthState':
      this.setState({ customState: data });
      break;
  }
});
```

[Screenshot 2021-12-20 at 1:27:31 PM]
github-actions[bot] commented 1 year ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.