Open George-Saad opened 2 years ago
Hi,
This may be an issue with your cookie configuration. When you load your app and before you run Auth.SignIn(), do you have any Cognito-related cookies set in your browser for your application domain?
I have the same problem, Cognito cookies are not sent to the *.cloudfront.net domain.
Here's what you should expect to see in your browser's Network tab when you try to access the CloudFront distribution that is being secured by Cognito@Edge (assuming you're not using a federated auth provider).

1. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 302
2. GET <COGNITO_USERPOOL_DOMAIN>/authorize -> 302
3. GET <COGNITO_USERPOOL_DOMAIN>/login -> 200
4. POST <COGNITO_USERPOOL_DOMAIN>/login?redirect_uri=<CLOUDFRONT_DISTRIBUTION_DOMAIN> -> 302
5. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/?code=<UUID>&state=/ -> 302
6. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 200

The response of 6 should contain the authentication cookies (see source code).
Leaving the answer for someone who will face this problem in the future:
To make Amplify able to authenticate the user after cognito-at-edge, it should be configured to use cookie storage (it doesn't by default, whereas cognito-at-edge saves tokens there).
Something like that:

```javascript
Amplify.configure({
  Auth: {
    region: awsExports.REGION,
    userPoolId: awsExports.USER_POOL_ID,
    userPoolWebClientId: awsExports.USER_POOL_APP_CLIENT_ID,
    mandatorySignIn: true,
    cookieStorage: {
      domain: 'subdomain.example.com',
      secure: true,
      path: '/',
      expires: 365,
    },
    oauth: {
      domain: '...',
      scope: ['email', 'openid'],
      redirectSignIn: '...',
      redirectSignOut: '...',
      responseType: 'code',
    },
  }
});
```
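The two debugging steps raised in this thread, checking whether the Cognito cookies are actually present for the application domain and checking that the `cookieStorage.domain` value can match the host the app runs on, can be scripted. The following is an added example written for this thread; it is not code from the cognito-at-edge project or from Amplify. It assumes the cookie names Amplify's cookie storage looks up (`CognitoIdentityServiceProvider.<clientId>.LastAuthUser` and `CognitoIdentityServiceProvider.<clientId>.<username>.{idToken,accessToken,refreshToken}`); the client id `abc123`, the user `alice` and the token values are constructed placeholders.

```javascript
// Added example (not from the cognito-at-edge project or this issue thread).
// Parses a cookie string (document.cookie in the browser, or a captured
// Cookie header) and reports whether a complete Cognito session is present
// for a given app client id, i.e. what Amplify's cookie storage needs to find.
// Assumed cookie naming (labelled assumption):
//   CognitoIdentityServiceProvider.<clientId>.LastAuthUser
//   CognitoIdentityServiceProvider.<clientId>.<username>.{idToken,accessToken,refreshToken}
const PREFIX = 'CognitoIdentityServiceProvider';

// Split "a=1; b=2" into { a: '1', b: '2' }; values may contain '=' (JWTs do not,
// but base64 padding in other cookies can), so split only on the first '='.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Returns { authenticated, user, missing } for the given client id.
// "missing" lists which of the expected cookies were not found, which is the
// first thing to compare against the Network tab when Amplify reports
// "user not authenticated" right after a cognito-at-edge redirect.
function cognitoSession(cookieString, clientId) {
  const cookies = parseCookies(cookieString);
  const lastUser = cookies[`${PREFIX}.${clientId}.LastAuthUser`];
  if (!lastUser) {
    return { authenticated: false, user: null, missing: ['LastAuthUser'] };
  }
  const missing = ['idToken', 'accessToken', 'refreshToken']
    .filter((t) => !cookies[`${PREFIX}.${clientId}.${lastUser}.${t}`]);
  return { authenticated: missing.length === 0, user: lastUser, missing };
}

// RFC 6265 domain matching: a cookie with Domain=d is sent to host h when
// h equals d or h ends with "." + d. Use this to sanity-check the
// cookieStorage.domain setting against the hostname the app is served from;
// a mismatch means the browser will never send the tokens to the app.
function cookieDomainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Constructed sample of what document.cookie could look like after the
// redirect back to the distribution (client id, user and token values are
// placeholders, not real tokens).
const SAMPLE_COOKIES = [
  'CognitoIdentityServiceProvider.abc123.LastAuthUser=alice',
  'CognitoIdentityServiceProvider.abc123.alice.idToken=eyJ.id.placeholder',
  'CognitoIdentityServiceProvider.abc123.alice.accessToken=eyJ.access.placeholder',
  'CognitoIdentityServiceProvider.abc123.alice.refreshToken=eyJ.refresh.placeholder',
].join('; ');

// Stand-alone run: print the session check and a domain check.
console.log(cognitoSession(SAMPLE_COOKIES, 'abc123'));
console.log(cookieDomainMatches('subdomain.example.com', 'example.com'));
```

In a browser console you would call `cognitoSession(document.cookie, '<your app client id>')`; an empty `missing` list means the cookies exist, so a remaining "not authenticated" result points at the Amplify storage configuration (local storage vs cookie storage) rather than at cognito-at-edge.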
The issue author has a wrong Amplify configuration using local storage; it will fail to find the cognito-at-edge tokens.

```javascript
Amplify.configure({
  Auth: {
    // REQUIRED - Amazon Cognito Region
    region: 'xxx',
    userPoolId: 'xxx',
    userPoolWebClientId: 'xxx',
    localStorage: {
      domain: 'xxx.cloudfront.net',
    },
    oauth: {
      domain: 'xxx.auth.eu-west-1.amazoncognito.com/',
      scope: ['openid', 'email'],
      redirectSignIn: 'https://xxx.cloudfront.net/',
      redirectSignOut: 'https://xxx.cloudfront.net/',
      responseType: 'code'
    }
  },
  API: {
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff"
  }
});
```

Using this configuration Amplify can't recognize that the user already signed in (using Cognito@Edge). Running Auth.currentAuthenticatedUser() gives a "user not authenticated" error; however, if I run this after Auth.SignIn() I get a valid response.