aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

Incorrect identityID between sessions #1548

Closed allanweir closed 2 years ago

allanweir commented 5 years ago

Describe the bug

In the app I am using AWSMobileClient to handle user sessions, generally this works fine. Occasionally after a day or more, when the app is re-opened AWSMobileClient gives a userState of 'signedIn' and 'isSignedIn' is true but the identityID property is incorrect for the user which is logged in. The ID seems to become an unauth identity, rather than the Cognito User Pool one (email based). This becomes apparent when a 403 error is returned from Lambda because the requesting role is unauth, despite AWSMobileClient saying it is logged in.

To Reproduce

Steps to reproduce the behavior:

  1. Login using AWSMobileClient.sharedInstance().signIn(username:password:)
  2. Use the app as normal (Pinpoint, Lambda, S3)
  3. Return to the app 24 hours later
  4. Try to access a lambda function restricted to auth role
  5. Receive 403 error
     6a. I can see that calls to pinpoint.eu-west-1.amazonaws.com contain the unauth ID
     6b. I can see calls to lambda contain the unauth ID
     6c. I can see calls to https://cognito-idp.eu-west-1.amazonaws.com/ contain the correct Auth ID and return UserAttributes of the auth user

Which AWS service(s) are affected?

Cognito, Lambda

Expected behavior

The user should remain signed in between sessions, the userState reflects this as it currently does, and the identityID remains consistent between sessions. Or, at the least, the framework notifies the app of the state 'signedOutUserPoolsTokenInvalid'.

Environment (please complete the following information):

Device Information (please complete the following information):

Additional Context

Pinpoint initialisation:

self.pinpoint = AWSPinpoint(configuration: AWSPinpointConfiguration.defaultPinpointConfiguration(launchOptions: launchOptions))

awsconfiguration.json

"PinpointTargeting": {
      "Default": {
          "AppId": "[APP ID]",
          "Region": "eu-west-1"
      }
  },
  "PinpointAnalytics": {
      "Default": {
          "AppId": "[APP ID]",
          "Region": "eu-west-1"
      }
  }

Lambda initialisation:

let serviceConfiguration = AWSLambda.default().configuration.copy() as? AWSServiceConfiguration ?? AWSLambda.default().configuration
// AWSAuthService.shared.createDefaultAWSServiceConfiguration()
serviceConfiguration.maxRetryCount = 5
serviceConfiguration.allowsCellularAccess = true
serviceConfiguration.timeoutIntervalForRequest = 30
serviceConfiguration.timeoutIntervalForResource = 30

AWSLambdaInvoker.register(with: serviceConfiguration, forKey: APIClient.invokerName)

awsconfiguration.json

"Lambda": {
      "Default": {
          "Region": "eu-west-1"
      }
  },

During normal usage, both services work fine and switch between auth and unauth states.

rohandubal commented 5 years ago

Hello @allanweir

I think the issue here is the initialization order. While registering the clients using the register method, I would recommend using AWSMobileClient.sharedInstance() as the credentials provider. When the app is launched, the first step should be to initialize the AWSMobileClient. It will ensure that AWSMobileClient becomes the default credentials provider for other clients.

Thanks Rohan

allanweir commented 5 years ago

Hey,

I had a different issue when manually setting the credentials provider in the past (https://github.com/aws-amplify/aws-sdk-ios/issues/1521). It seemed like letting the libraries automatically create the service configuration was working, but now it's having issues after the session expires.

afriedmanGlacier commented 5 years ago

We are not using AWSMobileClient, but we are having a similar issue where there are issues after the session expires such that we need to explicitly log out and then back in for it to work.

ghost commented 5 years ago

Related question: how does the way OP sets up Lambda service config differ from this?

let lambdaCredentialsProvider = AWSMobileClient.sharedInstance().getCredentialsProvider()

let lambdaConfiguration = AWSServiceConfiguration(
    region: CognitoIdentityUserPoolRegion,
    credentialsProvider: lambdaCredentialsProvider)

AWSServiceManager.default().defaultServiceConfiguration = lambdaConfiguration

Are both ways of configuring it equally viable?

dokutoshi commented 5 years ago

Is AWS using dispatch_group in GCD to manage the async tasks? Otherwise race conditions will lead to spurious events, e.g. identityId changing and the underlying accessToken and idToken. This can lead to weird failures.

royjit commented 5 years ago

We made a few bug fixes related to identityId in the last iOS release of the SDK, https://github.com/aws-amplify/aws-sdk-ios/releases/2.11.0. Could you please check if the issue still exists with the updated SDK?

Please let us know if you have any problems with this.

stale[bot] commented 5 years ago

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

F9 commented 4 years ago

This issue is not fixed. Please re-open. I'm in the same condition.

YZ-Inspify commented 4 years ago

I'm having the same problem, although it's intermittent. It seems when the rest of the code is going to make use of identityId of current user, the identityId is incorrect, i.e. no longer the same identityId that user is associated to. It appears to be some race condition between updating identityId by AWS and the rest of the app, although it's very hard to reproduce.

Question - at what point in time can we rely on the correctness of identityId when invoking AWSMobileClient.default().identityId?

Thanks.
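A client-side consistency check for the symptom reported in this thread, as an added example that is not code from the SDK or from any commenter: it follows the initialization order recommended earlier in the thread and refuses auth-only calls when the signed-in state and the resolved identity ID disagree. `SessionGuard`, the `UserDefaults` key and the invoker key are hypothetical names, and pinning the identity ID at sign-in is an assumption of this example, not SDK behaviour.

```swift
import Foundation
import AWSCore
import AWSLambda
import AWSMobileClient

// Added example; SessionGuard, pinnedIdentityKey and "AuthOnlyInvoker" are hypothetical names.
enum SessionGuard {
    static let pinnedIdentityKey = "pinnedAuthIdentityId"

    /// At launch: initialize AWSMobileClient first, then register the Lambda invoker
    /// with AWSMobileClient itself as the credentials provider.
    static func bootstrap(_ completion: @escaping (UserState?, Error?) -> Void) {
        AWSMobileClient.sharedInstance().initialize { userState, error in
            if error == nil {
                AWSLambdaInvoker.register(
                    with: AWSServiceConfiguration(
                        region: .EUWest1,
                        credentialsProvider: AWSMobileClient.sharedInstance()),
                    forKey: "AuthOnlyInvoker")
            }
            completion(userState, error)
        }
    }

    /// Right after a successful signIn: remember the authenticated identity ID.
    static func pinCurrentIdentity() {
        AWSMobileClient.sharedInstance().getIdentityId().continueWith { task -> Any? in
            if let id = task.result {
                UserDefaults.standard.set(id as String, forKey: pinnedIdentityKey)
            }
            return nil
        }
    }

    /// Before an auth-only call: true only if the SDK reports signedIn AND the identity
    /// the credentials resolve to is the one pinned at sign-in.
    static func verify(_ completion: @escaping (Bool) -> Void) {
        guard AWSMobileClient.sharedInstance().currentUserState == .signedIn,
              let pinned = UserDefaults.standard.string(forKey: pinnedIdentityKey) else {
            completion(false)
            return
        }
        AWSMobileClient.sharedInstance().getIdentityId().continueWith { task -> Any? in
            let current = task.result.map { $0 as String }
            completion(task.error == nil && current == pinned)
            return nil
        }
    }
}
```

When `verify` reports `false`, treat the session as invalid and prompt for sign-in instead of sending the request with unauth credentials; remove the pinned value on sign-out so a different user on the same device is not compared against it.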

royjit commented 2 years ago

We made a lot of changes to fix a threading issue that was present in AWSMobileClient. Since there is low traffic in this issue, we are closing this. Feel free to report to us if you are still facing any issue with AWSMobileClient.