Amplify-js: currentSession() returns no current user?

Getting the same thing. currentSession works with normal login, but with federated login I get No current user

@vsrivatsan89 The currentSession only works when you logged in with Cognito Userpool. We will work on the naming to make it more clear. Thanks!.

@powerful23 is there an alternative for currentSession when you are using federated identities?

@epicfaace you can retrieve the current user by currentAuthenticatedUser for federated identities and currentCredentials to get the credentials

@powerful23 currentAuthenticatedUser returns "not authenticated" for federated users

@dev-jpnobrega can you provide more details like what version you are using and any debug information?

aws-amplify 0.2.14
aws-amplify-react 0.1.38

After the federated authentication it returns the access_token, however Auth.currentAuthenticatedUser () returns "not authenticated"

@dev-jpnobrega can you turn on the debug mode by window.LOG_LEVEL='DEBUG'? And also could you check your localStorage to see if there is an item named like aws-amplifyfederatedUser

Hi @powerful23,

localhost-1523370483986.log

If I use the Auth.federatedSignIn it creates the localstorage aws-amplify-cachefederatedInfo and aws-amplify-cacheCurSize, but Auth.currentAuthenticatedUser returns not authenticated

aws-amplifyfederatedUser is not created

@dev-jpnobrega do you have cognito identity pool and pass its id into Amplify? You are using a federated provider named "NaturaAD" but did you set it as a provider in that cognito identity pool? If you didn't, you cannot get a valid credential from Cognito.

Closing this due to inactivity, please let us know if you are still experiencing the issue.

I am still experiencing this issue. When I keep the window open for a while, then it appears that my session times out and calling currentSession() returns no active user.

From conversations from other issues, one thing is clear to me : Auth.federatedSignIn has no relation with Auth.currentSession & Auth.currentAuthenticatedUser.
When I login via Cognito User Pool and call Auth.currentSession &orAuth.currentAuthenticatedUser, I get JWT token which I can use to access my APIs.
But, the response of Auth.federatedSignIn is an object of CognitoIdentityCredentials and this object does not have a JWT token.
So, my question is how do I get a JWT token when I login using Auth.federatedSignIn. A lot of the issues on this repo (#699 , #542 , #793 , #703 )ask this question with no definitive answer.

@kanteankit you can get the jwt token by using the Cache:

import { Cache } from 'aws-amplify';

// in web
const federatedInfo = Cache.getItem('federatedInfo');
const { token } = federatedInfo;

// in reactNative
Cache.getItem('federatedInfo').then(federatedInfo => {
     const { token } = federatedInfo;
});

Sorry we didn't mention this in the doc, will send a pr for that.

@powerful23 The token from federatedInfo returns the jwt token received from Facebook. I cannot use that to access my APIs in AWS. I get 401 when making API calls
I am talking about a jwt token similar to what Congnito provides, that can be used for accessing my APIs in AWS.
Referring to the code example from the docs:

When using Cognito User Pool

Auth.signIn(username, password)
    .then(user => console.log(user))
    .catch(err => console.log(err));
let session = Auth.currentSession(); // THIS PROVIDES THE JWT TOKEN IN CASE OF COGNITO USER POOL

When using Federated SignIn (Facebook example)

export default class App extends React.Component {
  async signIn() {
    const { type, token, expires } = await Expo.Facebook.logInWithReadPermissionsAsync('YOUR_FACEBOOK_APP_ID', {
        permissions: ['public_profile'],
      });
    if (type === 'success') {
      // sign in with federated identity
      Auth.federatedSignIn('facebook', { token, expires_at: expires}, { name: 'USER_NAME' })
        .then(credentials => {
          console.log('get aws credentials', credentials);
// HOW DO I GET A VALID JWT TOKEN HERE TO ACCESS MY APIs
        }).catch(e => {
          console.log(e);
        });
    }
  }

@kanteankit how are you using that jwt token to make calls to API. As I know the jwt tokens are only used to fetch a AWS credentials from your federated identity pool.

@powerful23 Thank you for the prompt response.
I think there is some confusion regarding which JWT tokens each of us is talking about.

When doing authentication via Auth.signIn & calling Auth.currentSession I get an object of CognitoUserSession which contains JWT . Now when making an API call I can get the JWT and set the header as follows:

 Auth.currentSession()
     .then((response) => {
         authToken =  response.idToken.jwtToken
         headers = { 
            'authorization': authToken
          } 
        // API call logic follows ....
 })

In case of federatedSignIn, I can't figure out how to get this kind of JWT token that can be passed in the header. I get a token from Facebook that I pass along to Auth.federatedSignIn as shown in my previous comment, but, then, what should I do to get an authentication token for making API calls?

Hi @kanteankit how are you configuring you Authorizers on API GW?

@elorzafe Sorry for a silly question, but, how does the configuration of my API gateway relate to getting a token after calling federatedSignIn?
Are you suggesting that the token received from Facebook should have been sufficient to make API calls?

No worries! Is not simple use facebook token directly on API gateway, I think you can use lambda as an Authorizer and validate the token with facebook. But you can use another option much easier if you are familiar with Amazon Cognito. (In case you dont you can take a look here

I suggest you to use awsmobile-cli you can restrict the access to your API for signed-in users and use facebook as an Auth provider. (awsmobile-cli will create auth role, IAM policies and your api for you).

Let me know how it goes

@elorzafe
As mentioned in my previous comments,I am familiar with Amazon Cognito and I am already using Auth.signIn for authenticating via email. That email authentication is creating a user in Cognito User Pool and giving me a JWT token that I can use in Authorization header.

The entire point of my question is how can I do a similar thing with Auth.federatedSignIn. After calling Auth.federatedSignIn, what should I do to get an Authorization token?

Note: I cannot use awsmobile-cli.

@kanteankit Your should get an Authorization token from your auth provider. Once you get that token you can do this.

var provider_url = 'my.auth-provider.com';
await Auth.federate(provider_url, { token: id_token });
var credentials = await Auth.currentUserCredentials();

@elorzafe Auth does not have a 'federate' method? I checked the source code for Auth in Amplify. There is only a federatedSignIn method, which @kanteankit has already done. Can you elaborate?

@elorzafe any update ?

@dnalbach @kanteankit the method is federatedSignin apologies for the confusion. The docs here explain what to do with the token, you send it to them method as an arg along with the provider:

return Auth.federatedSignIn(
        // Initiate federated sign-in with Google identity provider 
        'google',
        { 
            // the JWT token
            token: id_token, 
            // the expiration time
            expires_at 
        },
        // a user object with profile info from the provider (see docs)
        user
    ).then(() => {
        // ...
    });

@mlabieniec I am experiencing the same issue. You are still not getting what @kanteankit is saying.

We are talking about the JWTOKEN from Cognito. Not the one from the identity provider(eg. Facebook, Google.)

After using Auth.federatedSignIn it only returns the Cognito credentials Obj. So the question is, How do we get the JWTTOKEN from Cognito after the use of Auth.federatedSignIn?

@Jp3rd sorry for the confusion but with Auth.federatedSignIn you are only getting the credentials but not a Cognito User back so there is no JWT token from Cognito but only tokens from your federation providers.

https://github.com/aws/aws-amplify/wiki/FAQ#how-can-i-get-jwt-token-when-using-amplify-to-get-federated-users-login

@kanteankit
have you manage to make it work and get a token to call AWS services after doing, Auth.federatedSignIn ?

@eyalc4 I can with my current solution I'm using.

@Nickadiemus can you provide details as to how do you get access token for federated logins ?

@akash87 So with my current solution I am using the provided UI Hosting that Cognito Provides for you. I've configured a SAML SSO that redirects to an Authentication route in my application and then parses for the query string (JWT) that is passed through the URI. I then use federatedSignIn to Login paired with my FederatedID and the parsed JWT to sign in.

A flow of how this goes

1. User Loads my Application
2. User Redirects to Host UI & Signs In
3. If successful, a redirect to my /Auth route
4. Parses URI for JWT
5. Initiates Auth.federatedSignIn() with parsed Token

Thanks @nickadiemus, I thought you made it work without hosted UI, that's the main issue here. Looks like there is no way of getting AWS token without using hosted UI.

@akash87 Oh yeah sorry! That's the only work around I've gotten to work 🤕

I'm facing the exact same problem and, I have to say, I feel a little frustrated...

I expected signIn and federatedSignIn to to be only different ways to authenticate the user... I understand user and identity pools have different goals but at this point (as a developer), I just need a simple, unified way to authenticate users, be able to identify them (from the token, server-side) and use services.

PS: @mlabieniec, this issue was closed by inactivity but I think it should be reopened...

@flaviocordova I agree do agree.

I'm struggling with it, no way without hosted UI... I'm very frustrated!!

Hey guys we had a meeting with Cognito team and found out there is a way to use your own UI to sign in with the federated providers and create an user in your Cognito User Pool: https://github.com/aws-amplify/amplify-js/issues/1316

facing the same problem (logged in with Cognito Userpool) but after changed the amplify configuration from

Amplify.configure({
  Auth: {
    region: 'xx-xxxxx',
    identityPoolId: 'xx-xxxxxx',
    userPoolId: 'xx-xxxx',
    userPoolWebClientId: 'xxxxxxxxx',
    mandatorySignIn: false,
    storage: xxxxx,
  }
});

to

Amplify.configure({
  Auth: {
    region: 'xx-xxxxx',
    userPoolId: 'xx-xxxx',
    userPoolWebClientId: 'xxxxxxxxx',
    aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS'
  }
});

then place it in your app’s entry point i.e. App.js,
currentSession() now worked

I notice there is a discrepancy with instructions in
https://aws-amplify.github.io/amplify-js/media/api_guide#manual-configuration,
which aws_appsync_XXXXX all directly belong to the object for Amplify.configure,
and for appsync subscription it states

When using AWS AppSync subscriptions, be sure that your AppSync configuration is at the root of the configuration object, instead of being under API:

This is very confusing

hey guys, i'm using the Auth.signIn() method which returns a CognitoUser object and among its properties, the signInUserSession has a value of null.

and when i ran await Auth.currentSession() i got 'No current user' as well.

if it helps, i'm following a tutorial and this is the step i'm currently on when i encountered this issue.

EDIT: i looked through the properties of the CognitoUser object again and found a property called session

Hi .. i have receive jwt token in case of fb login in react native but i have no idea what to do next . frist time user get from social login in aws but second time 403 error no current user . Please guide me . Thanks

@SajidNawaz993 did u find any solution ?

Far out, I can't believe this is still open with no real resolution. We have got up until federatedSignIn and now need JWT to access the Amplify GraphQL API. Have tried this with both Facebook login and a developer identity.

Can someone from AWS confirm that there is no other solution than to create a hosted UI?

@mayteio I'm sorry about the bad experience when using Auth.currentSession with federated sign in. We are currently working on to provide a standard way to get the session, user, credentials for both Cognito users and federated users. That should resolve the issue to get the JWT token when users logged in via federatedSignIn.

For now as a workaround you can directly get the federated token from the localStorage(web)/AsyncStorage(RN):

const token = JSON.parse(storage.getItem('aws-amplify-federatedInfo')).token;

Thanks @powerful23 though that does not help. It just passes me back the info I passed into the user argument of federatedSignIn(provider, response, user). No JWT in sight.

dont take it as 100% bullet proof, as i am not an AWS employee, this summary is only according to my experience with AWS cognito.
TL:DR

1. AWS Cognito documentation is bad, it is confusing regarding its components (user pool, identity pool), and miss-leading about what it can and can't do and how.
2. The cognito SDK, isn't sufficient, isn't well enough documents, and rarely have code examples - reference guide, isn't enough.
3. Its high cost, isn't its monthly usage, it’s the too much time, took too many developers, to figure out it doesn't answer their basic needs.
4. If you are looking for authentication solution, and want to write your own UI - it is probably isn't the solution for you – currently, hope they will chose to support it in future.

Cognito overview:

1. User pools – create users authentication records:
   a. Save user attributes
   b. Authenticate users with user and password
   c. Email / phone verification
   d. Access the user details from SDK
2. Federation identity (identity pools)
   a. Required in order to get temporary token, to access amazon resources (S3, Api gateway etc)
   b. It federate – i.e. gives temporary token, to users from external sources:
   i. User pools
   ii. Facebook App / Google App
   c. Identity record being created – in the (federated) identify pool, NOT in users pool, but you cannot
   get user details by token, credentials, or any other identity field.
   
   
   
   1. Cognito Buildin-UI enable you to have a flow of creating user in User pool, and get federation identity created when needed to access AWS services. The user can be created with both user & password or with Social services (fb, google etc)
      
      This UI, is the ONLY method, to create a user in the user pool, from social login.
   
   
   2. If you want to implement your own UI, you depends on the SDK, and can create user only with user & password, not through social login.
   
   
   3. The SDK is limited, and different from one language to another:
      
      a. you cannot create a user from social login
      
      b. you cannot create a user without a password
      
      c. you cannot fetch user information from Federated identity
      
      d. you can fetch user information from user pool, but this user exist only if you user user & password / you used the build-in UI to create it.
   
   

Recommendation:
1. If you are building a web-app, NOT a mobile app, and doesn’t need advanced user registration / login, the Built-in UI may be good enough for you, and you may benefit from Cognito full solution, having all your users in the user pool, and get the access from federated.
2. If you don’t need to have your own users, and just want to enable social users to get temporary access to AWS resources – you just need federated login.
3. If you don’t want to use the Build-in UI, and want a social login – you will not be able to use the cognito SDK to manage your users, and you will need to have your own solution for one unified users table + basic abilities, example of problematic use cases:
a. user registered with email + password, and later on, sign-in with facebook connect, you need to know it is the same user.
b. You want to have user id for each user.
c. You have a server side, that needs to know who is the currently logged in user, and you don’t want to make it integrate with multiple social services, but with a single users API.

@mayteio yes, so the federatedSignIn method only works with Cognito Federation Identity Pool to by passing the JWT token from third provider to get a temporary AWS credentials. If you want to do federation with Cognito User Pool and get a JWT token from it, you have to use Cognito Hosted UI.

@eyalc4 thanks for your feedback.

Please update your documents to reflect this AWS. Very frustrating.

Thanks @eyalc4 for that awesome experiential deep dive.

Would a solution be to;

1. on 3rd party login
2. check for username
3. if no username, create a user in user pool
4. email password to user

and do this in a Lambda? Or is that not possible?

If they log in again via 3rd party, only give them access again if they successfully get an authcode back from the oAuth flow?

I'm using cognito hosted UI and trying to authenticate to appsync. I followed these instructions: https://aws-amplify.github.io/docs/js/react#add-graphql-backend
With the same configuration, the only difference is that I have federated auth.
I also get a "No current user" error, even though the hosted cognito UI says I'm logged in (via google).
As a developer I'd expect once someone signs in via the cognito hosted UI, I'd be able to make appsync requests for my appsync service configured to permit via cognito. The fact someone is signed in via federated identity should not matter.

@revmischa how are you using the Cognito Hosted UI? Did you follow this doc to configure it in Auth? https://aws-amplify.github.io/docs/js/authentication#using-amazon-cognito-hosted-ui

I too have been hacking around here trying to find out a solution. Just to be clear, if I am using react-native + amplify, there is no way to have a user sign up with Facebook and have that user in my Cognito user pools? This is like the most basic use case, hard to believe it isn't supported.

@GenghisJuan you right, it is the most basic - except if u develop a website, and can use the hosted UI.
I was also sure that it had to be possible - and if I didn’t got it to work, I must have done something wrong, it took me 5 weeks to give up and share my lesson here in details to save other developers the frustration. (Scroll up if u missed it)
;) so feel free to waste your time, don’t forget to let us know how was it...

I am facing the same issue.
I use Facebook as provider for login, but i can't get a session after calling federatedSignIn.
There is not a way to get a user session (idToken, RefreshToken..) injected.

For federate signin & currentSession() to be working,

i would mean "jwt token(accessToken, idToken) & refreshToken returned from the call properly, so those session refresh etc would still be handled by aws-amplify and one can further call essentialCredentials() to call other create service instance later", like

    const result = await Auth.currentCredentials();
    const credentials = Auth.essentialCredentials(result);
    $logger.info(credentials);
    const s3 = new S3({
      credentials,
      region,
      // https://github.com/aws/aws-sdk-js/issues/902#issuecomment-184872976
      signatureVersion: 'v4'
    });

This is the full approach working for us: giving up approaches federatedSignIn() and UI componenet implementation that are based on hosted ui and craft corresponding oauth link for federated signin.
We implemented it for google federated sigin.

On signin page

    async signInWithGoogle() {
      const config = Auth.configure();
      const {
        domain,
        redirectSignIn,
        redirectSignOut,
        responseType,
        scope
      } = config.oauth;
      const clientId = config.userPoolWebClientId;
      const url = `https://${domain}/oauth2/authorize?identity_provider=Google&redirect_uri=${redirectSignIn}&response_type=${responseType}&client_id=${clientId}`;
      window.location.assign(url);
    }

On the oauth returnUrl, do parsing according to the workaround mentioned in
https://github.com/aws-amplify/amplify-js/issues/1316#issuecomment-409290894

  authClient.userhandler = {
    onFailure: err => {
      // ? NOTE: This is still necessary, would be called once before the response ready to be parsed.
      $logger.info('userhandler onFailure');
      $logger.info('Error in cognito hosted auth response', err);
    },
    onSuccess: result => {
      $logger.info('userhandler onSuccess');
      Auth.currentSession().then(async data => {
        const userInfo = await Auth.currentUserInfo();
        $logger.info(userInfo);
        // ? NOTE: Remove the param of intermediate exchange code in url even though it is for 1-time-use.
        // This stops entering the flow again.
        app.router.replace('/dashboard/');
      });
    }
  };
  const codeForExchangeToken = new URL(curUrl).searchParams.get('code');
  if (codeForExchangeToken) {
    $logger.info(`Exchange code: ${codeForExchangeToken}`);
    authClient.parseCognitoWebResponse(curUrl);
  } else {
    Auth.currentSession().catch(err => {
      // ? NOTE: onReady event is needed to make it works here
      app.router.onReady(event => {
        app.router.replace('/user/signIn/');
      });
    });
  }

I'm facing this same problem using Auth.federatedSigin with google sign in. Auth.currentCredentials returns an object that can not be used to access resources on AWS

@abiodunjames can you provide more details? Did you have the right IAM policy for your auth role in the Cognito Federated Identity Pool? You can also turn on the debug mode by window.LOG_LEVEL='DEBUG'

I'm experiencing the same issue. To clear this up when you create an API and add an Authenticator to it, it expects a Token to prove that the user accessing the API came from cognito, i.e. it is safe to provide access.

When you call Auth.currentSession() after a cognito user pool login you are given the following response
CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0} accessToken: CognitoAccessToken {jwtToken: "xxxxxxx", payload: {…}} clockDrift: 0 idToken: CognitoIdToken jwtToken: ****[THIS IS USED FOR API CALLS]**** payload: xxxx __proto__: CognitoJwtToken refreshToken: CognitoRefreshToken {token: "xxxxxxxx"} __proto__: Object

The idToken->jwtToken is the token needed to authorize API calls.

When Auth.currentSession() is called after a federated sign in, the following is returned :
no current user.

How can we get a valid jwt token from a federated sign-in user?

Has there been any updates?

having the same problem

This is what I eventually did and I was able to access aws resources using Google federated identity

 const profile = googleUser.getBasicProfile(); // etc etc

      let user = {
        name: profile.getName(),
        email: profile.getEmail()
      };
      let auth = googleUser.getAuthResponse();
      const {
        expres_in,
        idpId,
        id_token // Optional, the identity id specified by the provider
      } = auth;
      Auth.federatedSignIn(
        idpId,
        {
          id_token,
          expires_at: expres_in + new Date().getTime()
        },
        user
      )
        .then(cred => {
console.log(cred);
          return Auth.currentAuthenticatedUser();
        })
        .then(user => {
       console.log(user)
        })
        .catch(e => {
          console.log(e);
        });

@abiodunjames Can you elaborate? Are you calling aws services directly with v4 signing? This still shouldn't work to create an Authorization header capable of being used with Cognito authorizers between ApiGateway and Lambda.

Hopefully this will help some other poor souls. We are using cognito pools and I had to change my awsconfiguration.json. When amplify generated it it looked like this:

{
    "UserAgent": "aws-amplify-cli/0.1.0",
    "Version": "1.0",
    "IdentityManager": {
        "Default": {}
    },
    "AppSync": {
        "Default": {
        "ApiUrl": "https://nuiqzh65tfjksd4lajfie5ff2i.appsync-api.us-east-1.amazonaws.com/graphql",
        "Region": "us-east-1",
        "AuthMode": "AMAZON_COGNITO_USER_POOLS",
        "ApiKey": "da2-75qmsylif5ew5h5zyrcl6p4hdy"
        }
    }
} 

I needed to manually add CredentialsProvider and CognitoUserPool so the new config looks like so:

{
  "UserAgent": "aws-amplify-cli/0.1.0",
  "Version": "1.0",
  "IdentityManager": {
    "Default": {}
  },
  "AppSync": {
    "Default": {
        "ApiUrl": "https://nuiqzh65tfjksd4lajfie5ff2i.appsync-api.us-east-1.amazonaws.com/graphql",
        "Region": "us-east-1",
        "AuthMode": "AMAZON_COGNITO_USER_POOLS",
        "ApiKey": "da2-75qmsylif5ew5h5zyrcl6p4hdy"
    }
  },
  "CredentialsProvider": {
    "CognitoIdentity": {
      "Default": {
        "PoolId": "us-east-1:8e535f8d-9a88-556a-88dd-1a23da7dd987",
        "Region": "us-east-1"
      }
    }
  },
  "CognitoUserPool": {
    "Default": {
      "PoolId": "us-east-1_gsdsBZ0zk",
      "AppClientId": "1f5kj2l3fhjkl2u8f7i2ijfdskl2hsnt89r62",
      "AppClientSecret": "s2kieg3afli2ufh2fo8su45hf4ka5naqvcd85559j5",
      "Region": "us-east-1"
    }
  }
}

(all data has been obfuscated)

I got the same error while using the Authenticator from aws-amplify-react, after logging in with facebook Auth.currentSession() returned No current user.

But if I use Auth.federatedSignIn(), Auth.currentSession() returns an access token that I can use. And I can skip displaying the hosted UI by naming a provider as a parameter Auth.federatedSignIn({provider: 'Facebook'})

So do not use the facebook sign in button on the <Authenticator /> component if you want an access token. Do use the Auth.federatedSign({provider: 'provider-name'}) to get an access token and skip the UI.

Here are some sample code, replace the variables for your user pool with your own:

import React from "react";
import Amplify, { Auth, Hub } from "aws-amplify";

Amplify.configure({
  Auth: {
    region: "eu-central-1",
    userPoolId: "eu-central-1_xxxxx",
    userPoolWebClientId: "xxxxxxxxx"
  }
});

const oauth = {
  domain: "your_domain.auth.eu-central-1.amazoncognito.com",
  scope: ["email", "profile"],
  redirectSignIn: "http://localhost:3000",
  redirectSignOut: "http://localhost:3000",
  responseType: "code"
};

Auth.configure({ oauth });

class App extends React.Component {
  state = {
    session: null
  };

  constructor() {
    super();
    Hub.listen("auth", ({ payload: { event, data } }) => {
      switch (event) {
        case "signIn":
          console.log("Sign in");
          this.setSession();
          break;
        case "signOut":
          console.log("Sign out");
          break;
        default:
          break;
      }
    });
  }

  setSession = async () => {
    const session = await Auth.currentSession();
    this.setState({ session });
  };

  render() {
    const { session } = this.state;

    return (
      <div className="App">
        <button onClick={() => Auth.federatedSignIn({ provider: "Facebook" })}>
          Facebook
        </button>
        <button onClick={() => Auth.federatedSignIn()}>Open Hosted UI</
        <p>{JSON.stringify(session)}</p>
      </div>
    );
  }
}

export default App;

Sad to see that this issue was not addressed yet. Still no way to use graphQl in a unified way while using federated.signIn.

When calling Auth.currentSession() I was receiving a No current user response. In my case the reason this was happening was that I created a new user from the console and even though I check the box to "Mark email as verified?" the account status was FORCE_CHANGE_PASSWORD. A verified user will have a status of CONFIRMED. You can do this with a test user in AWS CLI

aws cognito-idp admin-confirm-sign-up \
   --region YOUR_COGNITO_REGION \
   --user-pool-id YOUR_COGNITO_USER_POOL_ID \
   --username YOUR_USER_EMAIL

Can we please reopen this issue? It's still definitely relevant given comments in this thread.

Why is this still a bug? This is a pretty severe issue for all 3rd party auths...

Any updates on this issue?

When calling Auth.currentSession() I was receiving a No current user response. In my case the reason this was happening was that I created a new user from the console and even though I check the box to "Mark email as verified?" the account status was FORCE_CHANGE_PASSWORD. A verified user will have a status of CONFIRMED. You can do this with a test user in AWS CLI

aws cognito-idp admin-confirm-sign-up \
   --region YOUR_COGNITO_REGION \
   --user-pool-id YOUR_COGNITO_USER_POOL_ID \
   --username YOUR_USER_EMAIL

That's exactly what was happening in my case. I was able to get Auth.currentSession() to actually return a user that was signed in by deleting the user and re-registering them to get a new email verification link. Once that email was confirmed, Auth.currentSession() gave me the current user as expected.

Still no way to use graphQl resource while using federated.signIn, I keep getting no current user, FYI am doing this in react native and i am not using hosted UI.

Are there any updates on this, please? Thanks

Why is this issue closed? We are facing the same problem right now – can't use graphQL resource with federated signin

I'm also experiencing issues with this in a production enviroment. Are there any updates?

Facing the same issue:

I've created my own identity pool in cognito. For the server/client auth workflow I followed this documentation:

https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

https://docs.amplify.aws/lib/auth/advanced/q/platform/js#identity-pool-federation

Server side code to create the token/identityId:

  var params = {
    IdentityPoolId: 'us-east-1:MY_ID_POOL',
    IdentityId: null,
    Logins: {
      'mycomp.es': jwttoken
    },
    TokenDuration: '86400'
  };

  var cognitoidentity = new AWS.CognitoIdentity();
  const logres = cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, function (err, data) {
    if (err) console.log(err, err.stack); // an error occurred
    else console.log(data);           // successful response
  });

The result:

{
  IdentityId: 'us-east-1:IDENTITY_ID',
  Token: 'eyJra.... rest of the token'
}

With the Client side code, I was able to create the credentials:

        const domain = 'cognito-identity.amazonaws.com';
        const federatedUser = {
            name: 'the_user',
            email: '[email protected]'
        };

        Auth.federatedSignIn(
            domain,
            {
                token: tokenResponse.Token, // this is the token generated
                identity_id: tokenResponse.IdentityId, // this is the identiy Id
                expires_at: 50 * 1000 + new Date().getTime() // the expiration timestamp
            },
            federatedUser
        ).then(cred => {
            // If success, you will get the AWS credentials
            console.log(cred);
            return Auth.currentAuthenticatedUser();
        }).then(user => {
            // If success, the user object you passed in Auth.federatedSignIn
            console.log("success", user);
            fetch();
        }).catch(e => {
            console.log(e)
        });

This returns no error, and the objects created seems correct:

Credentials:

{
  "accessKeyId": "xxx",
  "secretAccessKey": "yyy",
  "sessionToken": "zzz",
  "expiration": "2020-08-22T09:36:14.000Z",
  "authenticated": true
}

User:

{
  "name": "the_user",
  "email": "[email protected]"
}

But despite that I cannot access to any AWS resources yet, like graphql. I keep getting the following error:

No current user

Sad to see this issue closed.

Why is this issue closed? Has the problem been rectified? If not the issue should stay open.

How to get Cognito Tokens when Authenticating with Social Providers

1. You need to Setup your Auth Provider with Cognito User Pools. More info here
2. On your App you have to call Auth.federatedSignIn in this way
   
   
   
   1. Auth.federatedSignIn() this will open Cognito Hosted UI Web App.
   
   
   2. In case you want to skip Cognito Hosted UI you can invoke from your App
      
      
      
      
      
      1. Auth.federatedSignIn({provider: 'Facebook'})
      
      
      
      2. Auth.federatedSignIn({provider: 'Google'})
      
      
      
      3. Auth.federatedSignIn({provider: 'LoginWithAmazon'})
      
      
      
      4. Auth.federatedSignIn({provider: 'SignInWithApple'})
      
      
      
   
   

Then you will have a user on your userpool and Cognito tokens on your App.

Note
If you get a token from your Authentication Provider and then use

Auth.federatedSignIn(
    domain,
    {
        token,
        identity_id, // Optional
        expires_at: expiresIn * 1000 + new Date().getTime() // the expiration timestamp
    },
    user
)

You wont be able to get a Cognito Tokens and you will No current user error.