Amplify can't recognize that the user already signed in (using Cognito@Edge).

awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application

Apache License 2.0

168 stars 55 forks source link

Amplify can't recognize that the user already signed in (using Cognito@Edge). #39

Open George-Saad opened 2 years ago

George-Saad commented 2 years ago

Amplify.configure({ Auth: { // REQUIRED - Amazon Cognito Region region: 'xxx', userPoolId: 'xxx', userPoolWebClientId: 'xxx', localStorage: { domain: 'xxx.cloudfront.net', }, oauth: { domain: 'xxx.auth.eu-west-1.amazoncognito.com/', scope: ['openid', 'email'], redirectSignIn: 'https://xxx.cloudfront.net/', redirectSignOut: 'https://xxx.cloudfront.net/', responseType: 'code' } }, API: { "Access-Control-Allow-Origin": "*", "Content-Type": "text/html; charset=UTF-8", "X-Content-Type-Options": "nosniff" } });

Using this configuration amplify can't recognize that the user already signed in (using Cognito@Edge). Running Auth.currentAuthenticatedUser() gives user not authenticated error, however if I run this after Auth.SignIn() i get a valid response.

jeandek commented 2 years ago

Hi,

This may be an issue with your cookie configuration. When you load your app and before you run Auth.SignIn(), do you have any Cognito-related cookies set in your browser for your application domain?

ss7pro commented 1 year ago

I have the same problem, cognito cookies are not send to *.cloudfront.net domain.

jeandek commented 1 year ago

Here's what you should expect to see in your browser's Network tab when you try to access the CloudFront distribution that is being secured by Cognito@Edge (assuming you're not using a federated auth provider).

GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 302
GET <COGNITO_USERPOOL_DOMAIN>/authorize -> 302
GET <COGNITO_USERPOOL_DOMAIN>/login -> 200
Requests to another CloudFront distribution for style-sheets and scripts.
POST <COGNITO_USERPOOL_DOMAIN>/login?redirect_uri=<CLOUDFRONT_DISTRIBUTION_DOMAIN> -> 302
GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/?code=<UUID>&state=/ -> 302
GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 200

The response of 6 should contain the authentication cookies (see source code).

BredoGen commented 11 months ago

Leaving the answer for someone who will face this problem in future:

To make Amplify able to authenticate user after the cognito-at-edge it should be configured to use cookies storage (it doesn't by default whereas cognito-at-edge saves tokens there).

Something like that:


Amplify.configure({
    Auth: {
        region: awsExports.REGION,
        userPoolId: awsExports.USER_POOL_ID,
        userPoolWebClientId: awsExports.USER_POOL_APP_CLIENT_ID,
        mandatorySignIn: true,
        cookieStorage: {
          domain: 'subdomain.example.com',
          secure: true,
          path: '/',
          expires: 365,
        },
        oauth: {
            domain: '...',
            scope: ['email', 'openid'],
            redirectSignIn: '...',
            redirectSignOut: '...',
            responseType: 'code',
        },
    }
});

Issue author has wrong amplify configuration with local storage, it will fail to find cognito-at-edge tokens.