aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

AWS cognito Auth, state parameter so long so it exceeds maximum limit of Get request. Can we reduce size of state parameter #9361

Closed irfanbabar15 closed 2 years ago

irfanbabar15 commented 2 years ago

JavaScript Framework

Angular

Amplify APIs

Authentication, GraphQL API

Amplify Categories

auth

Environment information


Describe the bug

I have configured AWS Cognito with Azure Active Directory (SSO) using OpenID. When I log in to the Azure portal with a user (@outlook.com/@gmail.com) and then try to log in to my application, it successfully logs my user into my app. But if I log out from the Azure portal and try to log in to my app using SSO, it shows me the email address field, so I fill in the email address. After that, instead of showing me the password field, it shows me a 404 error: login.live not found.

First I went to the Microsoft community; after discussion, they told me I am sending a state parameter which is very large and exceeds the GET request limit (2048). That is why I am getting the not found issue. I verified it and indeed we are exceeding it, and found that aws-amplify passes the state parameter when using the Auth.federatedSignIn method.

So I tried to send a small customState, i.e. '123', but it still shows a very large state.

Is there any way to reduce the size of the state encoding? I have been stuck for 4 days now. Need help.

Expected behavior

The user should log in to my app without first logging in to the Azure portal manually.

Reproduction steps

Create an Amplify project and set up Azure with OpenID Cognito. You can follow this link; there are a lot of articles, you can pick any.

https://www.terminalbytes.com/azure-ad-integration-as-an-idp-with-aws-cognito/

Code Snippet

```javascript
// Put your code below this line.
import { Auth } from 'aws-amplify';
import { CognitoHostedUIIdentityProvider } from '@aws-amplify/auth';
await Auth.federatedSignIn({ provider: CognitoHostedUIIdentityProvider.Cognito, customState: '123' });
```

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

[Screenshot: not found issue]

AbeGellis commented 2 years ago

Encountering the same issue as we attempt to integrate Azure AD federated sign in. Their support acknowledged that the state parameter size limitation is something they're working on fixing but they were unable to give us a timeline as to when a fix would be available.

They did suggest a workaround:

This issue is encountered generally when partners use a very large "state" param in the request. The recommendation is to:

  • Instead of saving the entire state value directly in the query string, save it to a cookie.
  • Then use the state query param to store a guid or identifier to indicate which state context to load from cookie when the request is returned to your service.

However, since we otherwise rely on Amplify's implementation of the federated sign-in flow, it seems like it would be a pain to have to create our own implementation for this one sign-in option.

chrisbonifacio commented 2 years ago

From my searching it seems like this has been an issue separate from the Amplify libraries for some time. As @AbeGellis mentioned, this probably needs to be addressed by Azure but I will ask the team to take a look and see if there's anything we can do on our end.

irfanbabar15 commented 2 years ago

@chrisbonifacio @AbeGellis thank you for the reply. I have created a ticket in the Microsoft community as well; they told me that the customer (in our case AWS Cognito) sends the state parameter. So I checked Auth (aws-amplify) and found we are sending a state token. So I looked into the plugin codebase and found that we are sending a state of a maximum of 32 characters in the sign-in URL, which is "https://domain/oauth2/authorize"; I have printed it in the console.

Now I am confused: is it an AWS Cognito issue or an Azure one?

chrisbonifacio commented 2 years ago

I asked the team for feedback on this and it seems this might have to be addressed by the Cognito team because the state is being set by Cognito and not the Amplify JS library if you are federating in a Cognito User Pool, which it seems you are from the way you're calling Auth.federatedSignIn.

I did find this official AWS blog post on setting it up, which does lead up to adding it to an Amplify project: https://aws.amazon.com/blogs/security/how-to-set-up-amazon-cognito-for-federated-authentication-using-azure-ad/

If the steps there don't work then we will have to open an issue with the Cognito team for a more thorough investigation.

In the meantime, I'm going to try following the blog to set up a project and see if I can reproduce this behavior.

irfanbabar15 commented 2 years ago

@chrisbonifacio, thank you. I will also try the above steps from the link; whether it works or not, I will let you know.

irfanbabar15 commented 2 years ago

@chrisbonifacio I had tried that link before, same issue. I think I have noticed that this issue appears only for personal email addresses like @outlook.com, gmail.com etc. But if I use a business email address which I have created from the Azure portal using a domain, I don't get any issue, with or without Azure portal login.

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server amplify-help forum.