Do you want to request a feature or report a bug? bug
What is the current behavior? If I reload page in browser, then my web application is getting new credentials from Federated Identity Pool.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem. Your bug will get fixed much faster if we can run your code and it doesn't have dependencies other than AWS Amplify.
JS code: Amplify.configure(config);
What is the expected behavior? Application should use old credentials
Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions? aws-amplify 0.2.7
Related to #346
It's also related to #308 and possibly #399.
aws-amplify 0.2.7 has the same problem
This also seems to happen on React Native (see #383).
This is affecting me as well. Has anyone worked around the issue? Or is there a competing recommended library to AWS Amplify?
@dannymcpherson This issue should be fixed in the beta version. Can you try out that version to see if it works for you? P.S. Install it with npm install aws-amplify@beta. Thanks!
Also faced the issue that credentials would get lost upon page reload. Upgrading to 0.2.12 fixed this. Thanks!
For 0.2.12 (beta), it looks like new identities are no longer being created on page reload. However, it still creates extra identities at some point around login/logoff. If you know of related tickets, let me know. Thanks!
@dannymcpherson Can you give more details about when you are getting those extra identities? Thanks!
@powerful23 - the extra identities were my fault. I was accidentally passing a null token to Auth.federatedSignIn(...). However, when I pass the actual token I get back from the server (from calling cognitoIdentity.getOpenIdTokenForDeveloperIdentity(...)), aws-amplify now receives an error from AWS:
x-amzn-errormessage: Invalid login token. Can't pass in a Cognito token.
x-amzn-errortype: NotAuthorizedException
Looking at the request payload, I don't see the federated IdentityId making it through. Perhaps this is because it is not included here? https://github.com/aws/aws-amplify/blob/master/packages/aws-amplify/src/Auth/Auth.ts#L1117-L1123
@dannymcpherson Are you using the federation sign in with those supported providers?
In my case, I'm using developer authenticated identities with javascript (frontend and backend), and here are some snippets that describe the flow.
Get the token from the backend, after validating the username and password ("user" is an object representing the user being validated):
const cognitoIdentity = new AWS.CognitoIdentity();
return cognitoIdentity.getOpenIdTokenForDeveloperIdentity({
  IdentityId: user.data.cognito_identity_id,
  IdentityPoolId: process.env.COGNITO_IDENTITY_POOL_ID,
  Logins: {
    [process.env.COGNITO_DEVELOPER_PROVIDER_NAME]: user.id
  }
}).promise()
Here's the relevant part of the response received by the client:
{
  IdentityId: "us-east-1:8eb3819a..."
  Token: "eyJraWQiO..."
}
And then I call federatedSignIn:
Auth.federatedSignIn('developer', {token: resp.Token, identityId: resp.IdentityId}, response)
The next thing I see in Chrome's Network tab is a POST to https://cognito-identity.us-east-1.amazonaws.com, with the following payload and relevant headers:
Request Headers:
x-amz-target: AWSCognitoIdentityService.GetId
x-amz-user-agent: aws-amplify/0.1.x js aws-amplify/0.1.x js callback
Request Payload:
{
  IdentityPoolId: "us-east-1:190e7e6...",
  Logins: {
    cognito-identity.amazonaws.com: "eyJraWQiO..."
  }
}
Response Headers:
status: 400
x-amzn-errormessage: Invalid login token. Can't pass in a Cognito token.
x-amzn-errortype: NotAuthorizedException:
I expected to see the IdentityId as a part of the request payload, so that cognito doesn't create a new identity. What am I missing?
I was just playing around with the generated AWS Amplify js code, and if I pass in the IdentityId to federatedSignIn, through to the CognitoIdentityCredentials here, then it seems to work, and no new identities are created.
However, when I sign out of my app, it still creates a new unauthenticated identity... each time.
@dannymcpherson this issue should have been fixed in the latest version. The identityId you passed in that function won't work with the library. Please fire a new issue if you still have this issue. Thanks!
We are using amplify version 0.4.4 and still seeing the same.
@thevishnup can you give more details?
We are using developer auth flow to get token and IdentityId using aws-sdk.
cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, function(err, data) {
  if (err) {
    console.log(err, err.stack); // an error occurred
    reject(err)
  }
  else {
    console.log(data); // successful response
    resolve(data)
  }
});
Where params are:
var params = {
  IdentityPoolId: '<The Pool ID>',
  Logins: { /* required */
    "<IdentityProviderName>": <email>
  },
  IdentityId: IdentityId,
};
What we get, we are passing to the client side and then to the Auth object of aws-amplify:
Auth.federatedSignIn("developer", {
  token: cogData.Token,
  IdentityId: cogData.IdentityId
}).then(res => console.log(res))
  .catch(err => console.log(err));
Here at this point we get error:
Error: Invalid login token. Can't pass in a Cognito token.
at Request.extractError (aws-sdk-core-react-native.js:1845)
at Request.callListeners (aws-sdk-core-react-native.js:11528)
at Request.emit (aws-sdk-core-react-native.js:11500)
at Request.emit (aws-sdk-core-react-native.js:13559)
at Request.transition (aws-sdk-core-react-native.js:12898)
at AcceptorStateMachine.runTo (aws-sdk-core-react-native.js:13702)
at aws-sdk-core-react-native.js:13714
at Request.<anonymous> (aws-sdk-core-react-native.js:12914)
at Request.<anonymous> (aws-sdk-core-react-native.js:13561)
at Request.callListeners (aws-sdk-core-react-native.js:11538)
@thevishnup The second parameter of the federatedSignIn call is FederatedResponse which accepts token, identity_id and expires_at.
Just change the key name from IdentityId to identity_id, this should fix your problem.
@nikhilsharma8193 Thank you. That worked.
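Added example (not part of the thread and not Amplify's own code): a client-side guard that maps the GetOpenIdTokenForDeveloperIdentity response to the token / identity_id / expires_at shape named above and fails closed on the two mistakes reported in this issue, a null token and a misnamed identity key. The helper names are hypothetical; it assumes the token is a JWT with an exp claim and that expires_at is a millisecond epoch.

```javascript
// Added example: helper names are hypothetical, sample values are constructed.
// Decode a JWT payload without verifying it (the client only reads exp).
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')); // atob() in a browser
}

// Map { Token, IdentityId } from the backend to { token, identity_id, expires_at }.
function toFederatedResponse(resp, nowMs = Date.now()) {
  if (!resp || typeof resp.Token !== 'string' || resp.Token.length === 0) {
    throw new Error('missing Token: refusing to sign in');
  }
  if (typeof resp.IdentityId !== 'string' ||
      !/^[\w-]+:[0-9a-f-]+$/.test(resp.IdentityId)) {
    throw new Error('missing or malformed IdentityId');
  }
  const { exp } = jwtPayload(resp.Token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  const expires_at = exp * 1000; // assumption: Amplify expects milliseconds
  if (expires_at <= nowMs) throw new Error('token already expired');
  return { token: resp.Token, identity_id: resp.IdentityId, expires_at };
}

// Constructed, unsigned sample token so the example runs offline.
function makeSampleToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ kid: 'sample', alg: 'RS512' })}.${enc({ exp })}.sig`;
}

const sampleResp = {
  Token: makeSampleToken(4102444800), // constructed: 2100-01-01T00:00:00Z
  IdentityId: 'us-east-1:00000000-0000-4000-8000-000000000000', // constructed
};
console.log(Object.keys(toFederatedResponse(sampleResp)));
// In the app: Auth.federatedSignIn('developer', toFederatedResponse(resp), user)
```
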