aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

AWSMobileClient does not refresh tokens for federated sign in #2513

Closed cornr closed 3 years ago

cornr commented 4 years ago

Describe the bug

A call to AWSMobileClient.default.federatedSignIn with a Sign in with Apple, Facebook or Google token works. But after a while (in the case of Apple 10 mins; Facebook or Google take a bit longer) AWSMobileClient changes state to signedOutFederatedTokensInvalid. At least for Apple there is no API to refresh a token (in the implementation of AWSGoogleSignInProvider and AWSFacebookSignInProvider you can see some sort of silent log in). The only thing one can do is to present the "Sign In with Apple" sheet again, which is a no-go after just 10 minutes.

Expected Behavior

As the (enhanced) simple authentication flow suggests (see the first diagram: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html), there is one activity with the login provider at the very beginning and a validation done by Cognito. After that, credentials are issued by Cognito which are used for API requests to AWS. Those credentials' expiry time is set by Cognito (in our case 3650 days). (Please correct me if I missed something.)

I expect, after calling AWSMobileClient.default.federatedSignIn with a valid token (e.g. from Apple), that all credentials are handled automatically in AWSMobileClient in conjunction with Cognito, and that AWSMobileClient only switches to the signedOutFederatedTokensInvalid state if I suspend access to the app in my Apple ID settings or the Cognito expiry time has elapsed.

I also expect this behavior for the other login providers.

Environment (please complete the following information):

amuresia commented 4 years ago

+1 this is a huge problem for Sign In With Apple! The deadline for integrating it into apps is looming and as such, this needs to be sorted as a matter of urgency. We can't present the user with the sign in sheet every 10 minutes.

palpatim commented 4 years ago

When federatedSignIn returns, it immediately sets the 'signedIn' state, even if the token itself is invalid. A subsequent call to get credentials would fail. https://github.com/aws-amplify/aws-sdk-ios/issues/1307. Are you sure you're passing valid tokens? Is the ID created when you call federatedSignIn? It sounds like you probably are, since I interpret your post as saying that you get ~10 minutes of valid authz out of the AWS credentials after federation.

The SDK only checks for AWS credential expiry. It's possible the Cognito service may expire the credentials if the underlying token expires sooner than the requested AWS credentials lifespan, but we'd need to investigate. (I do note that the default exp of the Apple JWT token is 5 minutes)

gentoolabs commented 4 years ago

Yes, it is a problem with Apple sign-in when used with Amplify/Cognito. The app is asking to re-sign in every 10 minutes. Apple's token API provides only the access token, and the ID token needs explicit approval from the user. AWSMobileClient should not throw the signedOutFederatedTokensInvalid state when the ID token is expired.

cornr commented 4 years ago

@palpatim Yes, I confirmed with the https://jwt.io debugger and the Apple sign-in public key that the token string I pass to federatedSignIn is valid. And yes, every token from Apple I debug is valid exactly 10 minutes ("auth_time" + 10 min = "exp").

Is the ID created when you call federatedSignIn?

Which ID do you mean?

I checked the values from getAWSCredentials and I see an expiration time of 1 hour. When I am signed in with Apple, getTokens returns an error:

AWSMobileClient.AWSMobileClientError.notSignedIn(message: "User is not signed in, please sign in to use this API.")

getTokens returns several JWT Tokens for Users signed in with signIn(username: String, password: String)

I have been busy this morning debugging this issue (mostly waiting for token expiry 🤦‍♂️) and found out the following:

Scenario 1

Scenario 2

Scenario 3

I hope this helps to debug the issue. Please let me know if there is anything I can do to help.

royjit commented 4 years ago

Thank you for the report. I could reproduce the same behavior: the token returned by Apple is only valid for 10 min. When we call federatedSignIn using this token, Cognito Identity Pool issues AWS credentials which are valid for 1 hr. As long as the AWS credentials are valid, you will be able to make API requests. When the AWS credentials become invalid, the SDK tries to refresh the AWS credentials using the cached Apple ID token. But AWS Cognito Identity Pool will throw an error saying that this token is expired. Example:

Response headers:
{
    "Content-Length" = 108;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Mon, 04 May 2020 13:16:44 GMT";
    "x-amzn-errormessage" = "Invalid login token. Token expired: 1588597904 >= 1588572824";
    "x-amzn-errortype" = "NotAuthorizedException:";
    "x-amzn-requestid" = "9b1c2a92-f2bd-4842-a9d4-ea7eef14ddb2";
}

Checking with Cognito Service team to understand how to handle this scenario.
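
royjit's explanation above is the crux of the thread, so here is an added example in Python (mine, not code from the SDK, from AWS, or from anyone in the thread) that models it: it decodes the claims of a constructed Apple-style id_token, derives the lifetime cornr measured (exp minus auth_time), walks the state of a federated session minute by minute, and parses the NotAuthorizedException text the service returned. The token, the aud/sub values and the auth_time are constructed from the numbers in royjit's response; the decoder skips signature verification because it is an inspection aid, never an authorization decision. Python is used because the logic is independent of the iOS SDK.

```python
import base64
import json
import re
from typing import List, Tuple

APPLE_ID_TOKEN_LIFETIME = 600    # seconds: the "auth_time + 10 min = exp" observed in the thread
AWS_CREDENTIAL_LIFETIME = 3600   # seconds: lifetime of the Identity Pool credentials observed in the thread


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload for inspection. Deliberately no signature check:
    this is a debugging aid, never an authorization decision."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def constructed_apple_token(auth_time: int, lifetime: int = APPLE_ID_TOKEN_LIFETIME) -> str:
    """Constructed test token with the claim layout of an Apple id_token and a dummy
    signature (a real one is RS256-signed with a key from Apple's JWKS endpoint)."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {"iss": "https://appleid.apple.com", "aud": "com.example.app",  # assumed bundle id
              "sub": "000123.constructed.0456", "auth_time": auth_time,
              "iat": auth_time, "exp": auth_time + lifetime}
    return f"{b64url(header)}.{b64url(claims)}.dummy-signature"


def login_token_lifetime(token: str) -> int:
    """How long Identity Pools will accept this token in the Logins map: exp - auth_time."""
    c = jwt_claims(token)
    return c["exp"] - c["auth_time"]


def credential_state(token: str, credentials_expire_at: int, now: int) -> str:
    """Model of the path royjit describes: AWS credentials are used until they expire,
    then the SDK asks the Identity Pool for new ones with the cached id_token, which the
    service accepts only while that token's own exp has not passed."""
    if now < credentials_expire_at:
        return "credentials_valid"
    if now < jwt_claims(token)["exp"]:
        return "refreshed"
    return "signedOutFederatedTokensInvalid"


def timeline(auth_time: int, minutes: List[int],
             token_lifetime: int = APPLE_ID_TOKEN_LIFETIME) -> List[Tuple[int, str]]:
    """State of a session at each offset (minutes) after federatedSignIn at auth_time.
    token_lifetime lets you compare Apple's 10 minutes with a longer-lived OIDC token."""
    token = constructed_apple_token(auth_time, token_lifetime)
    credentials_expire_at = auth_time + AWS_CREDENTIAL_LIFETIME
    return [(m, credential_state(token, credentials_expire_at, auth_time + m * 60)) for m in minutes]


_EXPIRY_RE = re.compile(r"Token expired: (\d+) >= (\d+)")


def parse_cognito_expiry_error(message: str) -> dict:
    """Split 'Invalid login token. Token expired: <checked_at> >= <exp>' into epoch seconds
    and report how long the login token had already been expired when it was presented."""
    m = _EXPIRY_RE.search(message)
    if not m:
        raise ValueError("not a Cognito login-token expiry message")
    checked_at, exp = int(m.group(1)), int(m.group(2))
    return {"checked_at": checked_at, "token_exp": exp, "expired_for_seconds": checked_at - exp}


if __name__ == "__main__":
    t0 = 1_588_572_224  # constructed auth_time: 10 min before the exp in royjit's response
    for minute, state in timeline(t0, [0, 9, 10, 59, 61]):
        print(f"t+{minute:>3} min: {state}")
    for minute, state in timeline(t0, [61], token_lifetime=7200):
        print(f"t+{minute:>3} min with a 2 h token: {state}")
    print(parse_cognito_expiry_error("Invalid login token. Token expired: 1588597904 >= 1588572824"))
```

The timeline makes the failure mode visible: the session looks healthy for the whole first hour because the AWS credentials are still valid, and only the first refresh after that reveals that the 10-minute id_token cached at sign-in can no longer back it. Running the same timeline with a two-hour token is the case gentoolabs later exploits with an OIDC provider whose token lifetime is configurable. The error parser shows that in royjit's capture the token had been expired for roughly seven hours when it was presented.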

cornr commented 4 years ago

Hi @royjit any news on this one?

cornr commented 4 years ago

@royjit here are more findings. I analyzed the data AWSMobileClient stores in the keychain. After federated sign in with Apple I can see the SIWA token in loginsMap. federationProvider is set to "oidcFederation". identityId, accessKey, secretKey and sessionKey are set as well. expiration is set to login time + 1hr.

When I restart the App I monitor following behavior: All keys are obviously there from last session. After AWSMobileClient.interceptApplication(didFinishLaunchingWithOptions:) all keys except loginsMap and federationProvider disappear. After a little while the other keys come back with new values (especially a new expiration). This is probably the mentioned AWS Credentials refresh.

The thing is: this refresh always works with a still-valid Apple token. With an expired Apple token this refresh works sometimes but often fails, resulting in removal of identityId, accessKey, secretKey, sessionKey and expiration and a signedOutFederatedTokensInvalid state change.

I also had a look at Demo Project and monitored the results of ASAuthorizationAppleIDProvider().getCredentialState(forUserID:)(with passing the userID from the Apple Credentials I get after a sign in). I call getCredentialState right in didFinishLaunchingWithOptions and in the completion closure I call AWSMobileClient.interceptApplication(didFinishLaunchingWithOptions:).

The result: I always got CredentialState.authorized, even after the Apple token expiration had passed.

mikrobus commented 4 years ago

@cornr @royjit Is there any news?

This issue is currently blocking my development. My setup is a React Native app with AmplifyJS. I experience the same behavior - after 10 mins of inactivity, the requests start to fail due to 403 error (using Sign in with Apple).

cornr commented 4 years ago

@mikrobus thanks for joining in. Unfortunately we have not heard anything from AWS yet. This issue is getting pretty serious for us as the SIWA deadline approaches.

cornr commented 4 years ago

@royjit is there anything I can do to help to track this down? Some logs? anything?

royjit commented 4 years ago

As per the service team, they do not handle the refreshing of token. In this case, it should be the developer's responsibility to refresh the token. Cognito Identity Pools will not store the refresh token necessary to get a new Apple id_token and does not make any calls to Apple-owned endpoints.

gentoolabs commented 4 years ago

To overcome this issue, we implemented the Apple sign In with Auth0 and configured Auth0 as a custom Auth provider in Cognito.

  1. Sign In with Apple
  2. Exchange tokens with Auth0
  3. Pass the token from Auth0 ( configurable time-out ) to Cognito
  4. Cognito does not sign out after 10 minutes

Auth0 provides a free plan based on monthly user count, please check it out.

cornr commented 4 years ago

@royjit wait a second. That means the simple use case Sign In With Apple and stay signed in for longer than 10 minutes is not supported with Cognito? Does anyone at AWS Amplify know how to refresh the Apple Token without showing the Sign In With Apple ID Sheet again?

Cognito User Pool sign-in can be configured to keep the users signed in like forever. And in our case (and I think that holds true for most apps out there) it does not make any sense to force the user to sign in again after 10 minutes of inactivity.

@gentoolabs thanks for the Auth0 tip. But we'd like to keep our dependencies as small as possible. That's why we basically bet everything on the AWS card 🤦‍♂️.

palpatim commented 4 years ago

@royjit wait a second. That means the simple use case Sign In With Apple and stay signed in for longer than 10 minutes is not supported with Cognito?

@cornr

Sorry for the delay on this. We're continuing to investigate the right way to fix this issue, but it's more complex than we initially thought. We'll update this ticket when we have more information.

tahoeWolverine commented 4 years ago

I've been following these types of issues; deadline is past on SIWA so technically I can't submit my app without it now. Still trying to find the proper way to get the proper tokens back.

tylerjames commented 4 years ago

Any progress on this?

Combine this with this problem: https://github.com/aws-amplify/amplify-js/issues/6287 and the fact that Apple requires SIWA if using any other social logins

And I don't see how we can even use Cognito in our app unless we remove all other social logins.

mbmleone commented 4 years ago

Some information that might be useful here: In my implementation I manually use the refresh token. Based on Apple documentation you would expect it would return a new id_token. It however doesn't return it, only access token is provided. So the problem might be Apple doesn't provide new id_tokens when old expired.

cornr commented 4 years ago

Based on Apple documentation you would expect it would return a new id_token. It however doesn't return it, only access token is provided. So the problem might be Apple doesn't provide new id_tokens when old expired.

Exactly. A solution could be AWSMobileClient manages a separate token which is used for communication with AWS. This token is issued from Cognito and periodically verified by AWSMobileClient via getCredentialState(forUserID:completion:) But I guess this involves major changes to Cognito and AWSMobileClient.

BillBunting commented 4 years ago

@cornr I have successfully added Sign in with Apple using the Drop in UI but also face the 10 min token expiration issue. Unfortunately, I attempted to release a new version of our app to resolve an unrelated bug and it was rejected by Apple. "Guideline 4.8 - Design - Sign in with Apple. We noticed that your app uses a third-party login service but does not offer Sign in with Apple. Apps that use a third-party login service for account authentication must offer Sign in with Apple to users as an equivalent option."

Fingers crossed you will and the team will resolve this soon. Please continue to make this a high priority for the Drop in UI.

tylerjames commented 4 years ago

So Apple considers using the Drop-In UI to be unacceptable? It's not something I would want to use either, but I was hoping it would at least be an option since I can't seem to get it to work any other way. At this rate I'll have to pull the social logins entirely until it gets sorted out.

BillBunting commented 4 years ago

@tylerjames Apple will only accept apps that have the Apple Sign-in available when also using Google or Facebook (other 3rd party sign-in). I had successfully integrated Apple Sign-in via AWSMobileClient but had to temporarily remove it due to the 10 min sign-out problem. I submitted my app to Apple for review without Apple sign-in (only Google and Facebook) and it was rejected with the message below. I'm blocked because (1) Apple requires Sign-in with Apple and (2) AWSMobileClient SIWA works but signs users out after 10 min of inactivity, not acceptable for production deployment. Until resolved, I am unable to release a new version of my app.

"From Apple Guideline 4.8 - Design - Sign in with Apple

We noticed that your app uses a third-party login service but does not offer Sign in with Apple. Apps that use a third-party login service for account authentication must offer Sign in with Apple to users as an equivalent option.

Next Steps

To resolve this issue, please revise your app to offer Sign in with Apple as an equivalent login option.

Resources

tylerjames commented 4 years ago

@BillBunting Okay, sounds like I'm in the same position. There is another issue where it doesn't seem like you can configure it to use a Bundle ID for native integration AND a Service ID for integrating SIWA with Android and Web.

bumbleparrot commented 4 years ago

Are there no APIs available where we can manually refresh the token ourselves in code (without presenting a sheet)?

Are there any data points we can "save" locally during the initial sign in to periodically refresh the token ourselves via URLSession?

bumbleparrot commented 4 years ago

To overcome this issue, we implemented the Apple sign In with Auth0 and configured Auth0 as a custom Auth provider in Cognito.
  1. Sign In with Apple
  2. Exchange tokens with Auth0
  3. Pass the token from Auth0 ( configurable time-out ) to Cognito
  4. Cognito does not sign out after 10 minutes
Auth0 provides a free plan based on monthly user count, please check it out.

This sounds like the only solution at the moment. @gentoolabs, do you have more details on how this works?

umerasif commented 4 years ago

Hi AWS people, just wanted to ask if we have an estimate on this, when we should expect this to be fixed. I am using AWS Cognito and can confirm the one hour expiry issue with Apple Sign-in. func getIdentityId() -> AWSTask in AWSCognitoCredentialsProvider class starts throwing up the following error after one hour.

Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Invalid login token. Token expired: 1596736639 >= 1596732990}

cornr commented 4 years ago

Thanks guys for joining in. There was a moment when I thought we are the only app which uses SIWA + Cognito.

Let me sum up where we are right now:

  1. Apple's tokens only last 10 min.
  2. Cognito does not handle a token refresh automatically: "it should be the developer's responsibility to refresh the token".
  3. Apple, though, has atm no API to refresh the token programmatically. (The only way is to present the SIWA sheet again, which is a no-go UX-wise.)
  4. Time is over: Apple does not allow any updates without SIWA anymore.
  5. Hence: this is a serious issue!

@palpatim will there be an AWS solution (something like) or should we really focus on Auth0?

bumbleparrot commented 4 years ago

To be honest, without a reply or any activity, we will be forced to find other solutions.

I will be making a tech YouTube video post about Cognito and how it works in the current day world of "Sign in With". I don't want other developers to invest so much time just to run into a dead end.

BillBunting commented 4 years ago

@palpatim @cornr @bumbleparrot Any progress?

I have invested so much time starting from MobileHub and the Drop-in UI three years ago, then I migrated to AWSMobileClient after a year, and will now be faced with a third migration since my app has been rejected by Apple? I chose Amazon MobileHub / Amplify / AWSMobileClient to specifically take away the burden of user management and access management, but, in the end, I have spent significant time away from functional code dealing with bugs, upgrades and issues related to AWSMobileClient (both iOS and Android). My app is a personal side project that I'd eventually like to monetize. I have an enterprise client that I'm likely going to recommend avoiding Cognito/Amplify due to such issues. The hope was to use Amplify, so I could focus on functional code and easily use an AWS backend (DynamoDB, S3, API Gateway, etc).

@palpatim What's Amazon's recommended next move for a user of AWSMobileClient Drop-in UI? Will it be supported? Should I abandon the Drop-in UI in favor of the Hosted UI? I'm using Cognito with an Identity pool w/ Facebook and Google and Apple federated sign-in. Should I write my own UI? What is the recommended migration path for an existing app? Amplify auth? Ideally, I'd like to continue to use the Drop-in UI, but it is not well supported and fixes are slow or never come. Documentation is built around creating new apps, but I'd like more comprehensive documentation for the underlying file formats and configurations (without digging through the code) so I can continue to manually maintain my older code (Objective-c, now with a swift AWSMobileClient access layer and new code in swift) built initially by MobileHub. Feeling trapped. Ideally, AWSMobileClient Drop-in UI will get some attention from the AWS team. I'd love for it just to work!

tylerjames commented 4 years ago

@BillBunting It's my understanding that even if you make your own custom UI, which I've done, that this token refresh problem still exists.

There also seems to be a problem that you can't configure Cognito to allow SIWA to work both with iOS devices and with other platforms. Which makes it pretty much useless if you have, say, an iOS app and a web portal.

bumbleparrot commented 4 years ago

@BillBunting , I haven't heard any progress. We are eagerly waiting as well.

I'm wondering if there are any "hacks" we can do to refresh the token ourselves on some continuous basis.

BillBunting commented 4 years ago

@bumbleparrot I will have to invest some more time into it (which I don't currently have). I talked to an Apple review representative a few minutes ago about not having SIWA, and they will approve my app version (since it is an important bug release with no new features in an existing app) only if I could commit to a fix in two weeks. I had to tell them it was out of my hands as it is Amazon code. I'm still waiting on a final decision from Apple (could not finish our conversation due to phone connection issues). I'm not willing to release a version of the app with SIWA if the token expires in 10 min and is not refreshed without forcing the user through the sign-in process again (via Drop-in UI). I think most new users will choose SIWA, so I don't want to release it until there is a fix or a workaround. Please let me know if you can identify a workaround. Maybe some sort of keep-alive strategy via background app refresh?

tylerjames commented 4 years ago

I’ve heard of people using third party authenticators such as Auth0 in conjunction with Cognito. Seems absurd to have to do that but might be a viable option. 

bumbleparrot commented 4 years ago

With my limited experience in the area, is it "as easy as" saving the refresh token from the federated provider from the first sign in? Then making a refresh request and setting the expiration to, say, 30 days out?

My theory comes from reading this on the Apple developer website.

cccheng9 commented 4 years ago

We are facing the same issue, and AWS Amplify's only support via web Hosted UI with social provider is also a bummer.

With all that being said, I just want to share what we are attempting to do as a workaround at the moment, which I think is promising (feedback welcome). Basically we are using Cognito Identity Pool with Google/Apple/etc. with the Developer Auth Flow. On a high level:

  1. iOS App does SIWA
  2. Pass id token from step 1 to our own API, protected by API key
  3. Our backend validates the token and calls Cognito GetOpenIdTokenForDeveloperIdentity and returns Cognito's id and token

There are several tricky points to pay extra attention to, though. We use AppSync with a Lambda resolver for step 2, while API Gateway + Lambda should also do the job. The input can be everything coming from SIWA, but in our case we only take the ID token. As everyone on this thread is aware, the Apple ID token expires in 10 mins; we can actually relax that constraint a bit longer, say 1 hour, since our backend is doing all the validation work. (All we need is authentication. A more sophisticated way to go is using the authorization code from step 1 to exchange and keep track of the refresh token and do another exchange, and so on and so forth.) We then pass the ID token's sub claim to Cognito GetOpenIdTokenForDeveloperIdentity and get back an identity ID and another ID token, this time issued by Cognito. The identity ID and new ID token are returned from our API.

The iOS app has to implement the logic in developer auth flow and if everything works the app should have no issue access other AWS resources protected by IAM.
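
cccheng9's developer-authenticated flow in concrete form, as an added example (mine, not the poster's code and not part of the SDK): the backend half of step 2, written Python/Lambda-style. It checks the API key, validates the Apple id_token's issuer, audience and age under the relaxed one-hour window described above, then calls GetOpenIdTokenForDeveloperIdentity and returns the identity ID and the Cognito-issued token. The identity pool ID, developer provider name, bundle identifier, API key and the sample token are all constructed values. Signature verification is injected as a callable because it needs Apple's public keys (https://appleid.apple.com/auth/keys) over the network, and the FakeCognitoIdentity class stands in for boto3's cognito-identity client so the example runs offline.

```python
import base64
import hmac
import json
import time
from typing import Callable, Optional

APPLE_ISSUER = "https://appleid.apple.com"
APPLE_JWKS_URL = "https://appleid.apple.com/auth/keys"   # real deployments verify RS256 signatures with these keys
APP_AUDIENCE = "com.example.app"                           # assumption: the iOS app's bundle identifier
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # assumption
DEVELOPER_PROVIDER_NAME = "login.example.com"              # assumption: developer provider name set on the pool
API_KEY = "constructed-api-key"                             # assumption: key the gateway / AppSync resolver checks
ACCEPT_WINDOW_SECONDS = 3600    # cccheng9's relaxed rule: accept the Apple token for 1 h after auth_time
COGNITO_TOKEN_DURATION = 86400  # requested lifetime of the Cognito-issued token (service maximum is 24 h)


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload; signature is checked separately by verify_signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def validate_apple_token(token: str, verify_signature: Callable[[str], bool],
                         now: Optional[int] = None) -> str:
    """Return Apple's stable user id (sub) if the token is acceptable, else raise PermissionError.
    Signature verification is injected: it needs Apple's JWKS over the network."""
    now = int(time.time()) if now is None else now
    if not verify_signature(token):
        raise PermissionError("signature invalid")
    c = jwt_claims(token)
    if c.get("iss") != APPLE_ISSUER:
        raise PermissionError("unexpected issuer")
    aud = c.get("aud")
    if not (aud == APP_AUDIENCE or (isinstance(aud, list) and APP_AUDIENCE in aud)):
        raise PermissionError("token not issued for this app")
    # Apple sets exp = auth_time + 10 min. The backend does its own validation, so it accepts
    # the token for ACCEPT_WINDOW_SECONDS after auth_time instead of stopping at exp.
    if now >= c["auth_time"] + ACCEPT_WINDOW_SECONDS:
        raise PermissionError("token too old")
    return c["sub"]


def exchange_for_cognito_identity(sub: str, cognito, identity_id: Optional[str] = None) -> dict:
    """Developer-authenticated identities: map the Apple sub to a Cognito identity and get an
    OpenID token the app redeems for AWS credentials. `cognito` is boto3.client("cognito-identity")
    in production."""
    params = {"IdentityPoolId": IDENTITY_POOL_ID,
              "Logins": {DEVELOPER_PROVIDER_NAME: sub},
              "TokenDuration": COGNITO_TOKEN_DURATION}
    if identity_id:  # returning user: keep the identity the app already holds
        params["IdentityId"] = identity_id
    resp = cognito.get_open_id_token_for_developer_identity(**params)
    return {"identityId": resp["IdentityId"], "token": resp["Token"]}


def handle(event: dict, cognito, verify_signature: Callable[[str], bool],
           now: Optional[int] = None) -> dict:
    """API Gateway proxy / Lambda-style handler for step 2 of the flow (constructed shape)."""
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if not hmac.compare_digest(headers.get("x-api-key", ""), API_KEY):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    try:
        body = json.loads(event.get("body") or "{}")
        sub = validate_apple_token(body["id_token"], verify_signature, now)
    except (KeyError, ValueError, PermissionError) as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc) or "invalid token"})}
    result = exchange_for_cognito_identity(sub, cognito, body.get("identity_id"))
    return {"statusCode": 200, "body": json.dumps(result)}


# --- offline stand-ins so the example runs without AWS or Apple ---------------------------

class FakeCognitoIdentity:
    """Mimics the single boto3 call used above; the real service allocates IdentityId itself."""
    def get_open_id_token_for_developer_identity(self, **params):
        identity = params.get("IdentityId") or "us-east-1:fake-" + params["Logins"][DEVELOPER_PROVIDER_NAME]
        return {"IdentityId": identity, "Token": "cognito-openid-token-for-" + identity}


def constructed_apple_token(auth_time: int, aud: str = APP_AUDIENCE) -> str:
    """Constructed token with Apple's claim layout (exp = auth_time + 10 min) and a dummy signature."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": APPLE_ISSUER, "aud": aud, "sub": "000123.constructed.0456",
              "auth_time": auth_time, "iat": auth_time, "exp": auth_time + 600}
    return f'{b64url({"alg": "RS256", "kid": "example-kid"})}.{b64url(claims)}.dummy-signature'


def make_event(id_token: str, api_key: str = API_KEY, identity_id: Optional[str] = None) -> dict:
    """Constructed request in the shape handle() expects."""
    body = {"id_token": id_token}
    if identity_id:
        body["identity_id"] = identity_id
    return {"headers": {"x-api-key": api_key}, "body": json.dumps(body)}


if __name__ == "__main__":
    t0 = 1_588_572_224
    # 30 min after sign-in: Apple's exp passed 20 min ago, but the backend still accepts the token
    print(handle(make_event(constructed_apple_token(t0)), FakeCognitoIdentity(),
                 verify_signature=lambda _t: True, now=t0 + 1800))
```

In a real Lambda, verify_signature would wrap a JWT library that fetches Apple's keys from APPLE_JWKS_URL and checks the RS256 signature; skipping that step would let anyone mint a token for any sub. The app side then follows the standard developer-authenticated identities flow with the returned identity ID and token, and the Cognito token lifetime, not Apple's 10 minutes, now governs how long credentials can be refreshed.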

palpatim commented 4 years ago

Thanks all for reporting your concerns. We have reported this issue to Apple and are working with them to find a path forward.

@BillBunting:

@palpatim What's Amazon's recommended next move for a user of AWSMobileClient Drop-in UI? Will it be supported? Should I abandon the Drop-in UI in favor of the Hosted UI?

Hosted UI is currently the most robust solution we have for authentication, handling User Pool sign in, federation with social providers, and integration with Identity Pools for obtaining AWS credentials. If you are able to use Hosted UI, that would be our recommended path.

I'm using Cognito with an Identity pool w/ Facebook and Google and Apple federated sign-in. Should I write my own UI?

The existing Drop-in UI is more or less a set of pre-packaged UI controls that live on top of federated identity for Identity Pools. Behind the scenes, Drop-in UI does what your custom UI would do--obtains an ID token from the social provider, and sends the ID token to Identity Pools to get credentials.

The issue, as others have pointed out, is that SIWA does not provide a sanctioned way to refresh the ID token. The SIWA REST API does allow you to obtain an ID token, as @bumbleparrot pointed out, but Apple doesn't support using that API to refresh the identity token multiple times the way Identity Pools needs.

What is the recommended migration path for an existing app? Amplify auth?

If you're able to migrate, social sign in for Amplify Auth is built on top of Hosted UI. In addition to offering a “landing page” web view where the user picks the social provider to login with, Hosted UI also allows you to launch directly into a provider's webview experience, so you can have a custom “Sign in with Apple” button that launches the SIWA experience. (Similarly, you can launch directly into Facebook's or Google's webview experience from a custom button.)

We also have an open RFC for a drop-in UI replacement, "Authenticator UI Components", to guide future development on this front.

Ideally, I'd like to continue to use the Drop-in UI, but it is not well supported and fixes are slow or never come. Documentation is built around creating new apps, but I'd like more comprehensive documentation for the underlying file formats and configurations (without digging through the code) so I can continue to manually maintain my older code (Objective-c, now with a swift AWSMobileClient access layer and new code in swift) built initially by MobileHub. Feeling trapped. Ideally, AWSMobileClient Drop-in UI will get some attention from the AWS team. I'd love for it just to work!

Thanks for the frank feedback. We don't have a great migration story right now, and social federation into Identity Pools is challenging at best. We're working on a migration guide, but I don't have an ETA on that right now either.

To summarize:

Identity Pools

As identified in this issue, Cognito Identity Pools only partially supports Sign in with Apple via federation, with the major caveat being the 10-minute token expiry.

User Pools/Hosted UI

If your use case supports it, Cognito User Pools supports Sign in with Apple and other social providers today via Hosted UI.

bumbleparrot commented 4 years ago

Hi @palpatim we appreciate your response to this!

BillBunting commented 4 years ago

@palpatim Thank you for your feedback and advice. My use case requires Identity Pools (the Cognito Identity ID via AWSMobileClient.default().getIdentityId() is used to identify a user's data within DynamoDB tables).

My fingers are crossed that Apple will work with Amazon to resolve this issue, so I can continue to use the Drop in UI with Identity Pools.

(After initially being rejected, Apple conditionally approved the last version of my automodlist app after meeting with me since it contained an important bug fix. But, Apple will not approve future versions of the app without SIWA.)

bumbleparrot commented 4 years ago

Do the tokens refresh correctly when using Google and Facebook?

Can the Google and Facebook tokens be refreshed invisibly to the user?

palpatim commented 4 years ago

@palpatim Thank you for your feedback and advice. My use case requires Identity Pools (the Cognito Identity ID via AWSMobileClient.default().getIdentityId() is used to identify a user's data within DynamoDB tables).

It's worth noting that you can federate from User Pools (which is what Hosted UI fronts) into Identity Pools. For example, Amplify sets this up by default, with a User Pool (optionally with social providers via HostedUI) that federates into an Identity Pool. From the user perspective, they still use SIWA (or Google, or Facebook, etc) to log into your app. Behind the scenes, you can still obtain AWS credentials from the Identity Pool, and those credentials will be associated with the appropriate auth or unauth role depending on whether the user is signed into the User Pool.

Obviously, that's an additional layer of complexity if you're setting this up manually, but if your users only ever use Social Providers anyway, it's something to consider.

bumbleparrot commented 4 years ago

Check out this video I made on the topic.

bumbleparrot commented 4 years ago

Ohh nice! Thanks @billbunting ! I’ll Make an edit!

BillBunting commented 4 years ago

@bumbleparrot Nice video, but please note, the Drop-in UI does support federated sign-in. I have been successfully using it with Facebook, Google, and (almost) Apple (once refresh is fixed). I've had Facebook and Google Drop-in UI working successfully in iOS and Android for almost 3 years now. The buttons for federated sign in appear below the username/password sign-in as shown below. The Drop-in UI supports dark mode and works well on both iOS and Android. (deleted my prior comment since I was signed into a different employer's account vs my personal account, reposting the comment.)

JoaqStar commented 4 years ago

Hello @palpatim. Thank you for the info you have shared with us! I have one more simple question. Can you share your progress on resolving this issue with Apple as I would like to estimate how long it will be before this issue is resolved? I'm trying to decide if I should wait for your solution or find another solution (i.e. use identity pools, which will take some time). Thank you for your help!

palpatim commented 4 years ago

@JoaqStar We don't have an ETA at this time. We'll update this thread when we have more info.

allanweir commented 3 years ago

I appreciate the complexity of this issue but has there been any progress with a timeframe or speaking to Apple about it? We're building up to a large release and if no progress is happening at all we need to think of an alternative to our current setup.

BillBunting commented 3 years ago

Has there been any progress or any work/conversation between Amazon and Apple to resolve this issue? Please continue to make this a priority.

allanweir commented 3 years ago

Is there any progress on this? Sorry to have to keep asking but it's critical to all of our products, we pay for AWS as a service provider, we're forced to use this SDK and forced by Apple to use SIWA, so we're all stuck. I know it's not down to individual developers and whoever has to pick up this ticket so sorry to all of you but as an organisation someone should be deciding to prioritise this. This ticket has been open over 5 months now, how much longer is it before we can release business critical updates to our platforms?

MatejBalantic commented 3 years ago

@palpatim

If your use case supports it, Cognito User Pools supports Sign in with Apple and other social providers today via Hosted UI.

AFAIK Apple is actively rejecting apps using a web view to handle SIWA. It works kind of OK if the user is logged into their Apple ID, however I assume the issue for them is the case when the user isn't logged in?

We need to release SIWA but are sceptical about doing it with WebView ("HostedUI"), since we risk the app getting rejected later on after users have already started signing up with SIWA.

What approach do you propose to mitigate this risk?

Edit: fixing the URL to post about rejected app

BillBunting commented 3 years ago

I have integrated and am successfully using Apple sign-in with the drop-in UI with federated identities ( AWSMobileClient.default().showSignIn()) It is working very well and Apple will approve my next release (Apple rejected my last release because I offered FB and Google sign-in but not Apple; but, Apple gave me a one time pass to release without SIWA to get out a bug fix. I can not release again without SIWA) I currently have Apple sign-in for the drop-in UI in a public beta of automodlist. The only issue is that users need to sign-in more frequently than with other social providers. The user experience is good, just a little annoying that sign-in is required so often.

Please continue to support and work to resolve issues in SIWA with the iOS drop in UI via AWSMobileClient.default().showSignIn() - I need it to continue to work. I have no plans to switch to the HostedUI as I want a native sign-in experience for federated identity pools. Thank you.

amuresia commented 3 years ago

Hey guys, could we please get an update on the progress and if possible a timeline for when we expect a fix to be released. Many thanks!