Closed rb090 closed 1 year ago
Thanks for opening this issue @rb090. We're looking into it and will respond back to you here with any questions or updates.
Hi @rb090,
@harsh62 has published a PR #2590 for fixing this issue.
Could you please verify that the issue no longer exists with branch fix/2588-duplicate-device-key?
Hi @5d,
thank you so much for getting back here so quickly regarding this issue. I tried to integrate this version via SPM to test if I can reproduce it, but now I run into this error when building the project with Xcode:
Missing required modules: 'AwsCAuth', 'AwsCCal', 'AwsCCommon', 'AwsCHttp', 'AwsCIo', 'AwsCMqtt', 'AwsCSdkUtils'
The Amplify dependencies in the Package.resolved of my project look like this:
{
  "pins": [
    ....
    {
      "identity": "amplify-swift",
      "kind": "remoteSourceControl",
      "location": "https://github.com/aws-amplify/amplify-swift",
      "state": {
        "branch": "fix/2588-duplicate-device-key",
        "revision": "0b5071c36a510b1dc60fa2f8b13d6078d38fd5ad"
      }
    },
    {
      "identity": "aws-crt-swift",
      "kind": "remoteSourceControl",
      "location": "https://github.com/awslabs/aws-crt-swift.git",
      "state": {
        "revision": "1846c60b9d50034f684384d8eef5e5aef7c40d6b",
        "version": "0.3.1"
      }
    },
    {
      "identity": "aws-sdk-swift",
      "kind": "remoteSourceControl",
      "location": "https://github.com/awslabs/aws-sdk-swift.git",
      "state": {
        "revision": "3a2b88928888b90feeec203137642fee7f1329e2",
        "version": "0.5.0"
      }
    },
    {
      "identity": "smithy-swift",
      "kind": "remoteSourceControl",
      "location": "https://github.com/awslabs/smithy-swift.git",
      "state": {
        "revision": "e4285fe2b80bcc4eabe67f82b1c84344ec86124d",
        "version": "0.5.0"
      }
    }
    ....
  ]
}
Can you please tell me why I run into this build error and what I need to change in this Package.resolved file?
@rb090, your error looks like this issue https://github.com/awslabs/aws-sdk-swift/issues/560. Are you testing with Swift Playgrounds? Have you tried resetting the package cache?
Okay, cleaning up the caches (rm -rf ~/Library/Developer/Xcode/DerivedData and rm -rf ~/Library/Caches/org.swift.swiftpm/) as well as a reboot of my computer helped here. And no - I am not testing with Swift Playgrounds.
Running with this new library seems not to fix the issue of the missing device key. Looking at the logs, it still looks the same.
Path:
/
Headers:
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth,
x-amz-user-agent: aws-sdk-swift/1.0,
User-Agent: aws-sdk-swift/1.0 api/cognito-identity-provider/1.0 os/iOS/16.1.1 lang/swift/5.7 lib/amplify-ios/2.1.0,
Content-Length: 6631,
Content-Type: application/x-amz-json-1.1
Host: cognito-idp.eu-central-1.amazonaws.com
Body:
{"UserContextData":{"EncodedData":"xx"},"ClientMetadata":{},"AuthParameters":{"SRP_A":"xx","USERNAME":"+49xx"},"AuthFlow":"USER_SRP_AUTH",**"ClientId":"xxx"**}
And I got the response:
Headers:
Date: Mon, 28 Nov 2022 21:16:11 GMT,
x-amzn-RequestId: 89a4e8a3-ed88-400e-856b-1ec4c1df2b79,
Content-Type: application/x-amz-json-1.1,
Connection: keep-alive,
Content-Length: 2731
Body:
{"ChallengeName":"PASSWORD_VERIFIER","ChallengeParameters":{"SALT":"xxx","SECRET_BLOCK":"z7Cxxx","SRP_B":"xxx","USERNAME":"e48xx","USER_ID_FOR_SRP":"e48xxx"}}
status code: http_status_200
Unfortunately when answering 1st I somehow mixed it up with the ClientId property, that is why I deleted my previous answer and rewrote it.
Hi @5d, can you please tell me, are there any updates on this? Regarding the changes communicated here https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1325842074, unfortunately they do not fix anything, the behavior is exactly the same as before.
I tried to replicate your issue with the latest version of amplify swift 2.2.0. I was able to log in multiple times with the same user on the same device and was able to see only one entry in the device table.
Here is the request body when I try to print out input.body from func handle inside the SdkHttpClient.swift file.
{
"UserContextData":{"EncodedData":"eyJwYXlsb2**"},
"ClientMetadata":{},
"AuthParameters":{"SRP_A":"4D82FC**","DEVICE_KEY":"us-east-1_319***","USERNAME":"royj**@***.com"},
"AuthFlow":"USER_SRP_AUTH",
"ClientId":"***"
}
Can you please try again with the latest version of the library and see if the issue exists? If yes, please provide us with the following details:
Amplify.Logging.logLevel = .verbose after you configure Amplify.
Thank you for your answer @royjit. I upgraded Amplify (repository url used for SPM https://github.com/aws-amplify/amplify-ios) to 2.2.0.
My configure function looks like this:
func configure() {
    do {
        try Amplify.add(plugin: AWSCognitoAuthPlugin())
        try Amplify.configure()
        Amplify.Logging.logLevel = .verbose
        log.debug("Amplify configured with auth plugin")
    } catch {
        log.error("Failed to initialize Amplify with \(error)")
    }
}
I call it in AppDelegate#didFinishLaunchingWithOptions.
I created a fresh user and I did a login multiple times. The result is still that there are multiple devices in the console:
I use one device, it is an iPhone 13 Pro, iOS version 16.1.2.
I do not use a simulator. I do not erase any keychain data. I do not reset my device or any settings in between the logins. I do not reinstall the app in between the logins.
When adding logs to the handle in SdkHttpClient.swift the logs of the request look like this:
DEBUGLOG REQUEST
Path:
/
Headers:
User-Agent: aws-sdk-swift/1.0 api/cognito-identity-provider/1.0 os/iOS/16.1.2 lang/swift/5.7 lib/amplify-ios/2.2.0,
Host: cognito-idp.eu-central-1.amazonaws.com,
Content-Length: 6628,
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth,
Content-Type: application/x-amz-json-1.1,
x-amz-user-agent: aws-sdk-swift/1.0
Body:
{"UserContextData":{"EncodedData":"xxx","USERNAME":"+49xxx"},"AuthFlow":"USER_SRP_AUTH","ClientId":"xx"}
DEBUGLOG RESPONSE
Headers:
Content-Length: 2731,
Connection: keep-alive,
x-amzn-RequestId: fac658d5-52eb-46b9-a7f0-360429e017a3,
Date: Fri, 16 Dec 2022 12:43:10 GMT,
Content-Type: application/x-amz-json-1.1
Body:
{"ChallengeName":"PASSWORD_VERIFIER","ChallengeParameters":{"SALT":"xxx","SECRET_BLOCK":"xxx","SRP_B":"xxx","USERNAME":"12xx","USER_ID_FOR_SRP":"122xx"}}
status code: http_status_200
As you can see from the logs above, no DEVICE_KEY in the request 😞. Therefore device binding is still not working, even after upgrading the SDK to the suggested version.
Will you be able to provide us with more verbose logging generated by Amplify? Especially the logs related to auth statemachine changes might help us to debug the issue further.
Thank you @royjit for your answer. Here are the logs with the log level verbose. Here are the logs from the login flow:
👆 you can see the logs without my prints in the handle in SdkHttpClient.swift.
The logs with the prints in the handle in SdkHttpClient.swift look like this:
I hope that they contain the logs related to the auth statemachine you are looking for.
Could it be a configuration issue on our side which leads to device binding not working and sdk not behaving like we expect it to do?
Hi 👋, how to continue on this? Can you please help me here? @royjit @5d @harsh62
Thank you for being patient here, we were able to narrow down the issue, the device key is different because the username used to map the device key is different in the Amplify library. This happened because Cognito returns a different username field when using alias for signing in and Amplify v2 was still using the username used to signIn for mapping. I am working on a fix here - https://github.com/aws-amplify/amplify-swift/tree/royjit.deviceBinding
Feel free to try out the branch royjit.deviceBinding to see if it fixes your issue.
Thank you for getting back to me @royjit and for the explanations. I am very thankful that you are working on a fix for this issue.
ATM I am only able to test the application on a simulator because of some weird circumstances with my Apple developer account.
When I run the app on the simulator, enter my login -> I am logged in ✅. Device appears in the Cognito console:
The name of the device is recognised correctly, I ran on an iPhone 13 simulator -> ✅.
When I logout (Amplify.Auth.signOut()) and login again during app lifetime, all good. In the console there is no new device shown -> ✅.
When I quit the app from the iPhone task manager and start it again, also all is fine -> ✅.
These are the logs from the SDK logger on a login (Amplify.Logging.logLevel = .verbose when configuring the Amplify SDK):
These are the logs on a login with my prints in the handle method in SdkHttpClient.swift:
After all my logins/logouts/app restarts with and without Xcode this is what the device protocol in the Cognito console looks like:
And also another test, when I run the app on another simulator iPhone 14, Cognito recognises correctly that there is a new device and a new login on another device:
I will also test all these things with MFA enabled and write a 2nd comment on how things will go there 🙂. Again thank you so much for the support @royjit.
Okay I also tested with MFA enabled. Also there it seems that everything is working like expected -> ✅:
I ran the app on my simulator iPhone 13 mini with login/logout, restart the application, with and without Xcode.
Also run the app on another simulator (iPhone 14 Pro) and login there with the same account and MFA enabled looks good. Device is recognised in Cognito console as new one -> ✅:
I also uninstalled the application from the simulator and installed again over Xcode. I did not reset the simulator. In this case, it seems that device binding was removed. I was asked again for the MFA (because I tested this case with MFA enabled for my user pool).
In the Cognito console, a new device appeared in the device protocol:
When I restart the app after this over Xcode on the same simulator - I run into MFA over and over again and device binding stops working -> ❌:
Here are my logs on this with prints in the handle method in SdkHttpClient.swift:
The weird thing: When I quit the app on my simulator over the normal task manager and restart it again, device binding works again. On login, I am not asked anymore for MFA and there is also no new device in the device protocol in the Cognito console.
So the last "issue" I found could be maybe because of the code responsible for saving/caching some device related data on the device? Does anything happen when the app is moved to the background? So it depends on the app being moved somehow properly to the background? This is sth. which f.e. does not happen when an app is restarted over Xcode. But also no "enter background" happens on an app crash - which can unfortunately happen to apps in production using the Amplify SDK.
@royjit @5d @harsh62 I implemented user auth also on my Android app with the Cognito SDK. The Android SDK has the same bug as the iOS SDK. Device binding does not work there as well.
On Android, I use these Cognito dependencies:
implementation 'com.amplifyframework:core-kotlin:2.0.0'
implementation "com.amplifyframework:aws-auth-cognito:2.0.0"
Can you please also fix the Android SDK after finishing the fix for iOS?
Thank you @rb090 for the detailed testing, I will try this at my end and update you with my status. For Android could you please report this on Android's issue queue so that the team has enough information to debug (Bug Report).
Reminder to remove any sensitive information from logs before you post on a public platform like GitHub.
@rb090 I was able to fix the issue you mentioned with MFA and reinstall, the deviceMetaData was not sent during MFA verification. Could you please pull down the latest changes and verify if that fixes your issue? Branch: royjit.deviceBinding
@royjit - thank you for getting back to that and for the newest changes. The issue with MFA and reinstall is still there. And btw. the reinstall issue is also there when there is no MFA enabled 😢.
Here are my logs on this with prints in the handle method in SdkHttpClient.swift (also Amplify.Logging.logLevel = .verbose):
This is what the device protocol looks like in the Cognito console:
I have these dependencies in my Package.resolved (so I hope that I am using the correct revision of the dependencies):
{
  "pins" : [
    ....
    {
      "identity" : "amplify-ios",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/aws-amplify/amplify-ios",
      "state" : {
        "branch" : "royjit.deviceBinding",
        "revision" : "4e18a8f2cbb51be0284ce9c947698512851dee8b"
      }
    },
    {
      "identity" : "aws-appsync-realtime-client-ios",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/aws-amplify/aws-appsync-realtime-client-ios.git",
      "state" : {
        "revision" : "da88cf1cab82e281e7277cd9feb9efc87a057041",
        "version" : "2.1.1"
      }
    },
    {
      "identity" : "aws-crt-swift",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/awslabs/aws-crt-swift",
      "state" : {
        "revision" : "afe23a2a2f6cf78e6d8803d7c9e0c8e6f50b6915",
        "version" : "0.4.0"
      }
    },
    {
      "identity" : "aws-sdk-swift",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/awslabs/aws-sdk-swift.git",
      "state" : {
        "revision" : "c54c028cfc3ee70fde8c077547a1a1f6ef1137d9",
        "version" : "0.6.0"
      }
    },
    ...
  ]
}
I just want to clarify that when you reinstall, Amplify will remove device tracking and start fresh. The latest fix is to remove showing MFA again and again after reinstall. Here is the expected behavior:
Are you seeing this behavior?
Unfortunately no. After doing step 8 there is a new entry in the Cognito console. I did that a few times, that is why you can see in the screenshot in https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1381682616 4x times "iPhone 13" entry. I also attached the logs there.
That there is a new entry in the Cognito console on an app reinstall (when uninstalled before), that is also quite expected behaviour to me.
But that there is a new device on every login (without app reinstall) after one app reinstall happened some time ago, this seems to be somehow not the intended behaviour.
I am testing this again today, will update with more information soon.
Unfortunately I am still not able to see the behavior you are seeing. I tried the steps with MFA enabled and with MFA disabled. In both cases, I only see the same device when I signIn multiple times. New device is added only when I uninstall and reinstall the app.
I am wondering whether you have the latest version of my changes, maybe worth cleaning the SPM info and re-adding the branch to make sure?
Could you please enable verbose logging Amplify.Logging.logLevel = .verbose (after you call Amplify configure) and provide the logs between step 4 to 9? Please redact any sensitive information before sending us the logs. For some reason I am not able to see authstate machine related details in your logs, I was hoping to see logs like:
2023-01-17 18:28:48.821572-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/VerifyPasswordSRP.swift Starting execution
2023-01-17 18:28:48.821590-0800 AmplifyAuthSample[48370:9642096] [AWSCognitoAuthPlugin] Auth state change:
{
"AuthState.configured" = {
"AuthenticationState.signingIn" = {
"SignInState.signingInWithSRP" = {
"SRPSignInState.respondingPasswordVerifier" = {
NHexValue = xxx;
clientTimestamp = "2023-01-18 02:28:48 +0000";
gHexValue = 2;
password = "<REDACTED>";
srpKeyPair = "<privateKey xx>, <publicKey xx>";
username = "ro******************om";
};
clientMetadata = {
};
password = "<REDACTED>";
signInMethod = "AWSCognitoAuthPlugin.SignInMethod.apiBased(AWSCognitoAuthPlugin.AuthFlowType.userSRP)";
username = "ro******************om";
};
};
"AuthorizationState.signingIn" = {
};
};
}
2023-01-17 18:28:48.828244-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/LoadCredentialStore.swift Starting execution
2023-01-17 18:28:48.828255-0800 AmplifyAuthSample[48370:9642096] [AWSCognitoAuthPlugin] Credential Store state change:
loadingStoredCredentials
2023-01-17 18:28:48.828371-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/LoadCredentialStore.swift Retreiving credential deviceMetadata(username: "x-x")
2023-01-17 18:28:48.833142-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/LoadCredentialStore.swift Sending event CredentialStoreEvent.completedOperation
2023-01-17 18:28:48.833281-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/IdleCredentialStore.swift Starting execution
2023-01-17 18:28:48.833341-0800 AmplifyAuthSample[48370:9641865] [AWSCognitoAuthPlugin] AWSCognitoAuthPlugin/IdleCredentialStore.swift Sending event CredentialStoreEvent.moveToIdleState
2023-01-17 18:28:48.833353-0800 AmplifyAuthSample[48370:9642096] [AWSCognitoAuthPlugin] Credential Store state change:
success(AWSCognitoAuthPlugin.CredentialStoreData.deviceMetadata(["deviceGroupKey": "-N*****jQ", "deviceSecret": "5C*****E0", "deviceKey": "us*****a2"], "16xxx"))
2023-01-17 18:28:48.833422-0800 AmplifyAuthSample[48370:9642096] [AWSCognitoAuthPlugin] Credential Store state change:
idle
@royjit thank you very much for getting back to me regarding this.
> I am wondering whether you have the latest version of my changes, maybe worth cleaning the SPM info and re-adding the branch to make sure?
I already did all those steps. But because I am also not sure if I use the correct version of the library, I posted a snippet out of the Package.resolved of my project in my previous answer https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1381682616. If you please take a look at the revision - from what I see that is the correct library version, containing all the changes. Can you please check this snippet? I guess if it is the correct revision, this is sth which only you can answer finally.
> Could you please enable verbose logging Amplify.Logging.logLevel = .verbose (after you call Amplify configure) and provide the logs between step 4 to 9?
My function which configures the Amplify SDK and which gets called in the AppDelegate#didFinishLaunchingWithOptions function looks like this:
func configure() {
    do {
        try Amplify.add(plugin: AWSCognitoAuthPlugin())
        try Amplify.configure()
        Amplify.Logging.logLevel = .verbose
        log.debug("Amplify configured with auth plugin")
    } catch {
        log.error("Failed to initialize Amplify with \(error)")
    }
}
As you can see Amplify.Logging.logLevel = .verbose gets called like you described in your last comment, after Amplify.configure().
Nonetheless I do not see the same logs in the Xcode console from the Amplify SDK like you posted in your comment. I have no idea why. Maybe the SDK has a bug regarding logging?
The only logs I see from the Amplify SDK look like this:
2023-01-19T12:13:43+0100 info CognitoIdentityProviderClient : [Logging] Request: POST https:443
Path: /
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge,
Content-Length: 2062,
Host: cognito-idp.eu-central-1.amazonaws.com,
Content-Type: application/x-amz-json-1.1,
x-amz-user-agent: aws-sdk-swift/1.0,
User-Agent: aws-sdk-swift/1.0 api/cognito-identity-provider/1.0 os/iOS/16.2.0 lang/swift/5.7 lib/amplify-ios/2.2.1
Optional([])
2023-01-19T12:13:43+0100 info SerialExecutor : [Logging] Creating connection pool for Optional("https://cognito-idp.eu-central-1.amazonaws.com/?")with max connections: 50
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] Connection was acquired to: Optional("https://cognito-idp.eu-central-1.amazonaws.com/?")
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] header block is done
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] incoming data
2023-01-19T12:13:43+0100 info CRTClientEngine : [Logging] stream completed
2023-01-19T12:13:44+0100 info SerialExecutor : [Logging] Connection to endpoint: Optional("https://cognito-idp.eu-central-1.amazonaws.com/?") is closing
2023-01-19T12:13:44+0100 info CognitoIdentityProviderClient : [Logging] Request: POST https:443
Path: /
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmDevice,
x-amz-user-agent: aws-sdk-swift/1.0,
Content-Type: application/x-amz-json-1.1,
User-Agent: aws-sdk-swift/1.0 api/cognito-identity-provider/1.0 os/iOS/16.2.0 lang/swift/5.7 lib/amplify-ios/2.2.1,
Content-Length: 1923,
Host: cognito-idp.eu-central-1.amazonaws.com
Optional([])
2023-01-19T12:13:44+0100 info SerialExecutor : [Logging] Creating connection pool for Optional("https://cognito-idp.eu-central-1.amazonaws.com/?")with max connections: 50
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] Connection was acquired to: Optional("https://cognito-idp.eu-central-1.amazonaws.com/?")
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] headers were received
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] header block is done
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] incoming data
2023-01-19T12:13:44+0100 info CRTClientEngine : [Logging] stream completed
2023-01-19T12:13:44+0100 info SerialExecutor : [Logging] Connection to endpoint: Optional("https://cognito-idp.eu-central-1.amazonaws.com/?") is closing
Because I wondered about those logs as well, I put in my previous answer https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1381682616 the logs I got in Xcode console regarding steps 4-9 with prints in the handle method in SdkHttpClient.swift.
> Unfortunately I am still not able to see the behavior you are seeing
But you can see from my last comment that it still happens. I posted logs and screenshot showing that issue is still there. The only questions here:
revision
property)?If:
Thank you for the details, we looked in depth at different failure scenarios and are wondering if it is related to the way username is handled in the library. Will you be able to break point into the file TokenParserHelper.swift and check what is the username and userId returned at line 34.
Another place to check is inside VerifySignInChallenge.swift and see if the username is same at line 35: https://github.com/aws-amplify/amplify-swift/blob/dfa703e8aa5ccbee8de0aa2e6125eaa623e6d45f/AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Actions/SignIn/VerifySignInChallenge.swift#L35
We can also try to setup a call to debug the issue further, you can reach me via discord (royjit#3543) or contact via email (royji at amazon.com). Hope we can resolve this soon and thanks for your patience.
Thank you for your reply @royjit.
1st of all I started to add print calls to the corresponding places where you advised me to.
I added to VerifySignInChallenge#execute(withDispatcher dispatcher: EventDispatcher, environment: Environment), line 38:
print("DeviceMetadataHelper.getDeviceMetadata username: \(username)")
I added to TokenParserHelper#getAuthUser(accessToken: String), line 35:
print("AWSAuthUser username: \(username) sub: \(sub)")
Also here, again a screenshot from Cognito console device protocol showing multiple clients after "re-run" our application from Xcode after one app uninstall:
Here are the logs of 2nd time running the app from Xcode:
Here are the logs of 3rd time running the app from Xcode:
As you can see in those logs, the mentioned print in VerifySignInChallenge cannot be found. That means the code path didn't even get executed. And the print from TokenParserHelper line 35 indicates that the username and sub are always the same.
Amplify.Logging.logLevel = .verbose is still set like described in my previous comment https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1396852706 but the logs you mentioned in https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1386394728 can still not be seen in the console. So logging in Amplify SDK is still broken.
I run now the app on my device because we fixed our issues with the Apple developer account. So this is for sure no simulator issue. I run the app always on the same device.
What does "uninstall from XCode" mean? Are you uninstalling the app from the device while testing these? As a last try can you check if the username in VerifyPasswordSRP at line 45 is same as the one you got before - https://github.com/aws-amplify/amplify-swift/blob/dfa703e8aa5ccbee8de0aa2e6125eaa623e6d45f/AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Actions/SignIn/SRPAuth/VerifyPasswordSRP.swift#L45
"uninstall from Xcode" were really unluckily chosen words. Sorry for this. It is because of getting tired here and we are running in circles. "uninstall from Xcode" means basically the step 3 from your comment here https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1382612082. This happens once. But the logs you can see are from running the app over Xcode, from your comment, step 8 executed twice.
Sth like (on device):
-> 4 devices instances on Cognito console, expected would be 2.
I added now also this print to the VerifyPasswordSRP.swift:
print("deviceMetadata username: \(username)")
The other prints mentioned in my previous comment https://github.com/aws-amplify/amplify-swift/issues/2588#issuecomment-1400641496 are still there.
Logs from "- run over Xcode (also known as app restart) -> new device on Cognito console, unexpected ❌":
Logs from 2nd "- run over Xcode (also known as app restart) -> new device on Cognito console, unexpected ❌":
The username is the same from what I see.
What I wrote in my previous comment is also still the case.
> As you can see in those logs, the mentioned print in VerifySignInChallenge cannot be found. That means the code path didn't even get executed.
I am unable to figure out the root cause of this and also not able to reproduce it. Would you like to setup a call to debug this? You can reach us via Discord.
Hi @royjit, sorry for getting back that late, I had a couple of other things on my desk 🤓. Today I got back to this issue.
The branch royjit.deviceBinding does not exist anymore? Was it merged? Or is the new branch with the fix royjit.deviceBranch (I saw that branch on the GitHub branch list)?
Regarding logging, the Amplify SDK did not log because of setting in my scheme OS_ACTIVITY_MODE. Therefore there is no bug in the SDK regarding logging. Now, after deactivating this, I can see the logs of the SDK properly as expected.
The issue regarding the device binding still exist on my side, therefore can we please arrange a call for this as you proposed? I reached out in your discord chat, my message can be found here: https://discord.com/channels/705853757799399426/707328996995760179/1072880041890947215
Thank you for reaching back, please use the branch royjit.deviceBranch for further testing.
I have also replied in Discord, hope we can resolve this issue quickly.
@royjit thank you for reaching back on Discord and for your time for the spontaneous call yesterday. Your branch royjit.deviceBranch fixes all the device binding issues and this GitHub issue can be closed as well now.
The remaining issues with not working device binding we saw until today in my application were also because we use the keychain in our application to store some data. Data got stored in an access group. Data in keychain on our side gets deleted under some circumstances. Amplify also stores data in the keychain, but does not specify any access group for storing data. And as you figured out correctly yesterday @royjit:
> If you don’t specify any access group when adding an item, keychain services applies your app’s default access group, which is the first group named in the concatenated list of groups described in Set Your App’s Access Groups.
In the end that was the problem. When we wiped the data we also wiped the data for device binding stored in there by the Amplify SDK.
When storing data in the keychain there is also a "service" attribute specified which is a String. Instead of wiping all data, we changed the delete query to wipe only the data matching a specific service. Like this we avoid wiping away the data the Amplify SDK stores for the device binding as well.
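The scoped delete described in the comment above, as an added example that is not part of the original thread and is neither the reporter's app code nor Amplify's. The two service names are hypothetical placeholders, and it assumes an iOS app target, where a SecItemDelete query removes every item it matches.

```swift
import Foundation
import Security

// Hypothetical service names (assumptions for this example). `appService` stands
// for the app's own keychain items; `sdkService` stands for items a third-party
// SDK stored alongside them. Neither is an identifier Amplify actually uses.
let appService = "com.example.app.session"
let sdkService = "com.example.sdk.device-metadata"

/// Attributes identifying one generic-password item. No kSecAttrAccessGroup is
/// set, so keychain services applies the app's default access group, which is
/// why the app's items and the SDK's items end up side by side.
func itemQuery(service: String, account: String) -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
}

/// Stores `value`, replacing any existing item with the same service and account.
@discardableResult
func store(_ value: String, service: String, account: String) -> OSStatus {
    let query = itemQuery(service: service, account: account)
    SecItemDelete(query as CFDictionary)
    var attributes = query
    attributes[kSecValueData as String] = Data(value.utf8)
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// True when an item with this service and account is present.
func itemExists(service: String, account: String) -> Bool {
    let query = itemQuery(service: service, account: account)
    return SecItemCopyMatching(query as CFDictionary, nil) == errSecSuccess
}

/// Over-broad wipe: the query names only the item class, so it matches every
/// generic-password item the app can access, including items written by SDKs.
@discardableResult
func wipeAllGenericPasswords() -> OSStatus {
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword]
    return SecItemDelete(query as CFDictionary)
}

/// Scoped wipe: adding kSecAttrService restricts the delete to the app's own
/// items. "Nothing to delete" is treated as success.
@discardableResult
func wipe(service: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service
    ]
    let status = SecItemDelete(query as CFDictionary)
    return status == errSecItemNotFound ? errSecSuccess : status
}

/// Runs both wipes against constructed sample items and reports whether the
/// SDK's item is still present after each one.
func compareWipes() -> (sdkItemAfterScopedWipe: Bool, sdkItemAfterBroadWipe: Bool) {
    store("constructed-app-token", service: appService, account: "user")
    store("constructed-device-key", service: sdkService, account: "user")

    wipe(service: appService)
    let afterScoped = itemExists(service: sdkService, account: "user")

    store("constructed-app-token", service: appService, account: "user")
    wipeAllGenericPasswords()
    let afterBroad = itemExists(service: sdkService, account: "user")

    return (afterScoped, afterBroad)
}
```

Calling compareWipes() from a test target shows the difference: the scoped wipe leaves the item stored under the other service in place, while the class-only query removes it together with the app's own data.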
The changes are merged to main branch and will be available in the next release - https://github.com/aws-amplify/amplify-swift/pull/2717
That is great news. Thank you so much @royjit for your help with this.
The PR has been released - https://github.com/aws-amplify/amplify-swift/releases/tag/2.4.1 Feel free to reach us if you have any questions.
Describe the bug
We integrated the Amplify iOS SDK (v2.0.2) to our project via SPM (https://github.com/aws-amplify/amplify-ios) to implement our auth flow with Cognito. We also enabled device binding in the Cognito console.
Nevertheless on every login we detected in the Cognito console that there is a new device with a new device key, please see screenshot:
We integrated the Amplify SDK with Swift Package Manager. Therefore we were able to add some prints to the ClientHandler#handle function to see what the requests the SDK sends look like, by editing the file /Users/<USERNAME>/Library/Developer/Xcode/DerivedData/<APP>/SourcePackages/checkouts/smithy-swift/Packages/ClientRuntime/Sources/Networking/Http/SdkHttpClient.swift:
After doing this and running the project we realized that the SDK call Amplify.Auth.signIn(username: "username", password: "pin") does not send the device key in the request body like it should according to the documentation here https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_RequestSyntax. This could be the reason the device binding does not work as expected and on every login we see a new device in the Cognito console.
Under the hood this SDK method does an AWSCognitoIdentityProviderService.InitiateAuth, from what I see in the logout.
In the iOS app we have the configuration file amplifyconfiguration.json and it looks like this:
The configuration of the user pool in the Cognito console for the device binding looks like this:
Steps To Reproduce
Already described in the 1st section
Expected behavior
Amplify.Auth.signIn(username: "username", password: "pin") sends the device key. In the console - we only see one device if we are doing multiple logins on the same device.
Amplify Framework Version
2.0.2
Amplify Categories
Auth
Dependency manager
Swift PM
Swift version
5.7
CLI version
10.4.0
Xcode version
14.0.1
Relevant log output
AWSCognitoIdentityProviderService.InitiateAuth looks like this in the Xcode log after adding the prints:
Request AWSCognitoIdentityProviderService.InitiateAuth:
Response AWSCognitoIdentityProviderService.InitiateAuth:
Is this a regression?
No
Regression additional context
No response
Device
iPhone 13 pro
iOS Version
iOS 16.1
Specific to simulators
No
Additional context
Nothing