Closed half2me closed 1 year ago
Strangely enough if I go back and try again a second time, by clicking the login button, it immediately signs me in without even asking me which user to login as. (Clearly the user is already authenticated on cognito) So on subsequent tries this works fine. I'm not sure why it won't work on the first try.
@balazsorban44 I added a link to the full source code, along with a live deployed version of the site which produces this exact error that I've mentioned. What else should I provide?
Sorry, didn't see the source code link. Thanks!
Sorry, didn't see the source code link. Thanks!
no problem, let me know if you need any more details. This is quite an important issue for me, as its blocking our usage of Auth.js
@balazsorban44 is there anything more I can provide for this? This is quite urgent for us to fix.
Note that Auth.js is experimental currently. I'm sorry if it's urgent, the source code is public though. Feel free to have a look. šš
From the error message, your IDP sent back a nonce in the ID token, even though the provider was not configured to do so.
So it might actually be a configuration issue rather than a bug, but I haven't looked at it closer yet.
If you do not provide a nonce value in your request, Amazon Cognito automatically generates and validates a nonce when you authenticate through a third-party identity provider, then adds it as a nonce claim to the ID token
So apparently Cognito returns this nonce value even if it's not configured. This is not an Auth.js bug, just Cognito being a bit too eager.
You can add checks: ["nonce", "pkce"]
to your provider config to force a matching nonce value.
@balazsorban44 thank you so much!
@balazsorban44 can we please reopen this issue? This does not fix it for me. Infact, when making this change, now the auth doesn't work at all. Always giving me:
[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: unexpected ID Token "nonce" claim value
at Module.processAuthorizationCodeOpenIDResponse (file:///.../sveltekit-authjs-houdini/node_modules/oauth4webapi/build/index.js:1034:23)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async handleOAuth (file:///.../sveltekit-authjs-houdini/node_modules/@auth/core/lib/oauth/callback.js:79:24)
at async Module.callback (file:///.../sveltekit-authjs-houdini/node_modules/@auth/core/lib/routes/callback.js:14:41)
at async AuthInternal (file:///.../sveltekit-authjs-houdini/node_modules/@auth/core/lib/index.js:64:38)
at async Proxy.Auth (file:///.../sveltekit-authjs-houdini/node_modules/@auth/core/index.js:100:30)
at async Module.respond (/node_modules/@sveltejs/kit/src/runtime/server/respond.js:248:20)
at async file:///.../sveltekit-authjs-houdini/node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:505:22
[auth][details]: {
"provider": "cognito"
}
You can see in the same code I had before, this latest commit: https://github.com/half2me/sveltekit-authjs-houdini/commit/f4009e5ec84b6002aed59efd259d1040bb515ed0
Login now completely fails.
I add this: checks: ['nonce', 'pkce']
Looks like others are facing this same issue though: https://github.com/nextauthjs/next-auth/discussions/3551
Unfortunately, I don't have a Cognito setup so I cannot dig deeper into this. In any case, Cognito should not send a nonce
back if it's not required to do so. :thinking:
Could you check with checks: ["nonce"]
only to see if that worked? We've had some issues with setting multiple cookies, maybe related to that. Check if the nonce
cookie is created, as well as the authorization URL contains a nonce=value
parameter when logging in.
After which, we should be comparing the id_token
nonce value with the one saved in the cookie.
The error message you show says that we did not create a nonce cookie so the one sent in id_token
should not exist.
@balazsorban44 I checked with checks: ["nonce"]
and instead of just failing with social signIn, it fails now for any kind of signin. Same error:
[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: unexpected ID Token "nonce" claim value
The next-auth.nonce
cookie is created.
The authorization url does have the nonce included and looks like this:
https://sveltekit-authjs-houdini.auth.eu-west-2.amazoncognito.com/oauth2/authorize?response_type=code&client_id=6kmf5kg4618mrndk5t0avrt34r&redirect_uri=http%3A%2F%2Flocalhost%3A5173%2Fauth%2Fcallback%2Fcognito&nonce=CBn-y3UYSmG-s43S7ySLIVwVpP83CF81pEtEpdQRY7A&scope=openid+profile+email
After clicking login, I get redirected back to my app at this url:
http://localhost:5173/auth/callback/cognito?code=334c18a1-68cb-484c-960b-9375bfbb8a6b
And that gives me the 302 to http://localhost:5173/auth/error?error=CallbackRouteError
@balazsorban44 from what I can tell, looking at the call stack:
core/lib/oauth/callback.js
has this:
if (provider.type === "oidc") {
const result = await o.processAuthorizationCodeOpenIDResponse(as, client, codeGrantResponse);
...
}
The expectedNonce
parameter is not set, which will default to undefined
causing the issue.
@balazsorban44 I spent an hour today stepping through the code with the debugger. This seems to be a combination of two separate things. First, Cognito includes the nonce
in the claims, when using social login, even if not requested to do so.
So the answer should be as simple as adding checks: ['pkce', 'nonce']
to the code. Unfortunately this nonce
here is not respected and always treated as an error if returned in the claims
.
The processAuthorizationCodeOpenIDResponse
expects a parameter: expectedNonce
. This parameter is never set. It is always undefined
therefore the code will never work.
So I don't understand, this fixes my problem right here: https://github.com/nextauthjs/next-auth/blob/99ca67f1cff24d77330ff662acf7aa57dd5793e7/packages/core/src/lib/oauth/callback.ts#L138
But I have the latest version of @auth/core
and this line doesn't exist on my version v0.5.1
Okay, so this seems to be fixed in master
but not in @auth/core
. Should I be using a different version? I'm a bit confused about the versioning.
Just found the PR fixing this #6998 ... wish I had seen it earlier š¤¦
Provider type
Cognito
Environment
System: OS: macOS 13.2.1 CPU: (10) arm64 Apple M1 Max Memory: 2.95 GB / 32.00 GB Shell: 5.8.1 - /bin/zsh Binaries: Node: 19.7.0 - /opt/homebrew/bin/node npm: 9.5.0 - /opt/homebrew/bin/npm Browsers: Chrome: 110.0.5481.177 Firefox: 101.0 Safari: 16.3
Reproduction URL
https://sveltekit-authjs-houdini.pages.dev/
Describe the issue
I'm using SvelteKit and cognito login. Everything works as expected when I login using cognito with a regular email/pw combination. But, if I enable social login on cognito, and try to login with that, when it redirects me to my oauth callback, I get the following error from auth.js on the server:
After selecting a social login, I get redirected to:
http://localhost:5173/auth/error?error=CallbackRouteError
How to reproduce
The source is available here: https://github.com/half2me/sveltekit-authjs-houdini If you login/register with a normal username and password, it works. If you try to login with social, it fails.
Expected behavior
It should work just like username/password