Amplify-js: Cannot sign in after calling Auth.completeNewPassword

Created on 4 Apr 2018 · 17Comments · Source: aws-amplify/amplify-js

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

Call to Auth.completeNewPassword catches error "signin failed" with no other information.
Subsequent signin attempt calling Auth.signin catches error "signin failed" with no other information.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem. Your bug will get fixed much faster if we can run your code and it doesn't have dependencies other than AWS Amplify.

Steps:

Created user in my AWS user pool with temp password.
Used the username and password on the LoginPage.
Stored the User object returned on Redux reducer state.
Route transition to the ChangePassword component when the challengeName is 'NEW_PASSWORD_REQUIRED' .
Get User object off of the Redux reducer state.
Call the Auth.completeNewPassword with userObject, new user password and user object challengeParam required attributes.
Request succeeds with Access Token.
Check the user status in the AWS user pool. Status is changed from FORCE_CHANGE_PASSWORD to CONFIRMED but signin fails.

Imports for my login page component.

import Amplify, { Auth } from 'aws-amplify';
import awsConfig from './aws-exports.js';
import { setSessionDetails } from './sessionActions.js';

Amplify.configure(awsConfig);

This is the submit callback function in my LoginPage component.

  _onSubmit() {
    const { dispatch } = this.props;
    Auth.signIn(this._userName.value, this._password.value)
      .then(loginInfo => {
        console.log(loginInfo);
        if (loginInfo.challengeName === 'NEW_PASSWORD_REQUIRED') {
          dispatch(
            setSessionDetails({
              userObject: loginInfo,
            })
          );
          this.props.history.push('./changePassword');
        } else {
          dispatch(
            setSessionDetails({
              sessionToken: loginInfo.Session,
              userName: loginInfo.username,
              userObject: loginInfo,
              isAuthenticated: true,
            })
          );
        }
      })
      .catch(err => console.error(err));
  }

This is the submit callback function in my ChangePassword component.

  _onSubmit() {
    const { dispatch } = this.props;
    const { userObject } = this.props.sessionReducer;
    if (this._passwordConfirm.value === this._password.value) {
      Auth.completeNewPassword(
        userObject,
        this._password.value,
        userObject.challengeParam.requiredAttributes
      )
        .then(user => {
          console.log(user);
        })
        .catch(err => console.log(err));
    }
  }

What is the expected behavior?

Expect sign in to succeed after password change.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

"aws-amplify": "0.2.14"
Browser: Google Chrome Version 65.0.3325.181

Auth investigating

Source

n-9891-b

Most helpful comment

This issue occurs from Amplify version 0.2.12 onwards.
Downgrading back to 0.2.11 resolves it for now.

MikaelSvenn on 13 Apr 2018

👍4

All 17 comments

@n-9891-b can you turn on the debug mode to check the details. I guess it is caused because it fails to get the cognito credentials when signing in. Also could you check the http requests?

powerful23 on 4 Apr 2018

@powerful23 I turned on debug mode and get the following. I does appear that it is not getting the cognito credentials.

[DEBUG] 39:21.734 AuthClass - Failed to load credentials: CognitoIdentityCredentials
[DEBUG] 39:21.734 AuthClass - cannot get cognito credentials

200 HTTP post request. Here is what the response looks like:

{  
   "AuthenticationResult":{  
      "AccessToken":"xxxxx",
      "ExpiresIn": 3600,
      "IdToken": "xxxxx",
      "RefreshToken":"xxxxx",
      "TokenType":"Bearer"
   },
   "ChallengeParameters": { }
}

Not sure what I'm doing wrong here.

n-9891-b on 4 Apr 2018

@n-9891-b can you check those http requests which hit the endpoint cognito-identity.your-aws-region.amazonaws.com which should return a credentials to you

powerful23 on 4 Apr 2018

@powerful23 Not sure which one you are referring to. No endpoints hit cognito-identity.your-aws-region.amazonaws.com they only hit https://cognito-idp.us-east-2.amazonaws.com/ The first two request occur after calling Auth.signin:

https://cognito-idp.us-east-2.amazonaws.com/

Response is:

{  
   "ChallengeName": "PASSWORD_VERIFIER",
   "ChallengeParameters": {  
      "SALT": "xxxx",
      "SECRET_BLOCK": "xxxx",
      "SRP_B": "xxxx",
      "USERNAME": "nblain",
      "USER_ID_FOR_SRP": "nblain"
   }
}

https://cognito-idp.us-east-2.amazonaws.com/

Response is:

{  
   "ChallengeName": "NEW_PASSWORD_REQUIRED",
   "ChallengeParameters": {  
      "requiredAttributes": "[]",
      "userAttributes": "{\"email_verified\":\"true\",\"email\":\"[email protected]\"}"
   },
   "Session": "xxxx"
}

The third request is called after calling Auth.completeNewPassword:

https://cognito-idp.us-east-2.amazonaws.com/

Response is:

{  
   "AuthenticationResult": {  
      "AccessToken": "xxxx",
      "ExpiresIn": 3600,
      "IdToken": "xxxx",
      "RefreshToken": "xxxx",
      "TokenType": "Bearer"
   },
   "ChallengeParameters": { }
}

Following this last request I get the "signin failed" error in the chained catch.

n-9891-b on 4 Apr 2018

@n-9891-b That's weird. That http request is to load the aws credentials into the library here. Can you try the Authenticator from aws-amplify-react to see if it works for you?

powerful23 on 4 Apr 2018

@powerful23 I will try with the Authenticator. Is there a problem with the way I am passing the returned user object from Auth.signin directly into Auth.completeNewPassword?

The following worked for me, but I would much prefer to use the less verbose version that I have been trying.

import {
  AuthenticationDetails,
  CognitoUserPool,
  CognitoUser,
} from 'amazon-cognito-identity-js';

    const authenticationData = {
      Username: 'n-9891-b',
      Password: 'xxxx',
    };

    const authenticationDetails = new AuthenticationDetails(authenticationData);
    const poolData = {
      UserPoolId: 'us-east-2_xxxx',
      ClientId: 'xxxx',
    };
    const userPool = new CognitoUserPool(poolData);
    const userData = {
      Username: 'n-9891-b',
      Pool: userPool,
    };
    const cognitoUser = new CognitoUser(userData);

    console.log(cognitoUser);

    cognitoUser.authenticateUser(authenticationDetails, {
      onSuccess: function(result) {
        console.log('access token + ' + result.getAccessToken().getJwtToken());
      },

      onFailure: function(err) {
        console.log(err);
      },

      newPasswordRequired: function(userAttributes, requiredAttributes) {
        // first-time user needs to create new password to complete the whole authentication process
        console.info(
          'this.newPasswordNotification() ' +
            JSON.stringify(userAttributes) +
            ' ' +
            JSON.stringify(requiredAttributes)
        );

        cognitoUser.completeNewPasswordChallenge(
          'xxxx',
          requiredAttributes,
          this
        );
      },
    });

n-9891-b on 4 Apr 2018

@n-9891-b The authentication process looks good for me. The problem is that you are not getting the correct AWS credentials with the jwt Token you get from Cognito. I also feel weird why the app didn't hit that endpoint as it should do.

powerful23 on 4 Apr 2018

@n-9891-b @powerful23 I am seeing this {[WARN] 49:04.613 API - ensure credentials error: "Failed to load creadentials"} just now - Yesterday it was still working and now without any changes to my code or infrastructure it gives me this warning.

EDIT
my problem might or might not be unrelated - I digged into the network responses and see the cause for my particular problem is most likely coming from x-amzn-errormessage: The ambiguous role mapping rules for: cognito-idp.us-east-1.amazonaws.com/us-east-1_zObuaFqk5 denied this request.

BerndWessels on 5 Apr 2018

@BerndWessels can you try reload and see if this happens again? Seems like something with your authenticated role setting in the Cognito identity pool. Check this doc

powerful23 on 5 Apr 2018

@powerful23 tried with the Authenticator with the same failed result. The only way that works for me is with the amazon-cognito-identity-js package.

n-9891-b on 5 Apr 2018

@n-9891-b Still the issue is that you didn't hit the endpoint cognito-identity.your-aws-region.amazonaws.com which is to get the AWS credentials for you. Your authentication flow is correct and do get the jwt token back. The problem is that for now Amplify will ensure the user to get the credentials before change the state to signin or it will just tell you signin fails. So if you can provide any clue about why it's not hitting that endpoint or it does but can't get the correct response that will help a lot.
For example:

screen shot 2018-04-05 at 2 01 49 pm

powerful23 on 5 Apr 2018

I'm facing the same issue and is there any new update on this issue.

rmit-s3613862-Anushka-Kalinga on 9 Apr 2018

I'm having the same issue. Login works correctly when running the app from my local machine on localhost, but fails in production over https.

On my local machine, the login network calls proceed as follows:

X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge
X-Amz-Target: AWSCognitoIdentityService.GetId
X-Amz-Target: AWSCognitoIdentityService.GetCredentialsForIdentity

with the following DEBUG info:

{[DEBUG] 55:04.32 AuthClass: CognitoUserSession}
ConsoleLogger.js:84 [DEBUG] 55:04.33 AuthClass - set credentials from session
ConsoleLogger.js:100 {[DEBUG] 55:04.462 AuthClass - Load credentials successfully: CognitoIdentityCredentials}
ConsoleLogger.js:84 [DEBUG] 55:04.464 AuthClass - picking up credentials
ConsoleLogger.js:84 [DEBUG] 55:04.465 AuthClass - getting new cred promise
ConsoleLogger.js:100 {[DEBUG] 55:04.466 AuthClass - is this credentials expired?: CognitoIdentityCredentials}
ConsoleLogger.js:84 [DEBUG] 55:04.467 AuthClass - not changed, directly return credentials

On production, I only get:

X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge

with the following DEBUG info:

{[DEBUG] 59:23.712 AuthClass: e}[DEBUG] 59:23.712 AuthClass: e {idToken: t, refreshToken: e, accessToken: t, clockDrift: 0}__proto__: Object
main.6b79107651de27990273.js:166 [DEBUG] 59:23.713 AuthClass - set credentials from session
main.6b79107651de27990273.js:166 [DEBUG] 59:23.714 AuthClass - cannot get cognito credentials

baseten on 9 Apr 2018

I stumbled across this thread because I was also getting a generic "signin failed" message from the AWS Amplify call to Auth.signIn(...).

Not sure if this will help anyone else, but _my_ problem was:

My User Pool had 2 AppClientIds (one for iOS, one for Javascript)
but my Identity Pool was only linked to one of them.

This meant I was getting a token back, but it was failing validation and giving the response signin failed.

hardingmatt on 13 Apr 2018

This issue occurs from Amplify version 0.2.12 onwards.
Downgrading back to 0.2.11 resolves it for now.

MikaelSvenn on 13 Apr 2018

👍4

@hardingmatt I've also seen this issue when the IdentityPool was incorrectly configured.

In my case though @MikaelSvenn is correct, it seems to be a problem from 0.2.12

baseten on 13 Apr 2018

In my case also @MikaelSvenn is correct and now login work correctly.

rmit-s3613862-Anushka-Kalinga on 14 Apr 2018

Was this page helpful?

0 / 5 - 0 ratings

Related issues

how to show percentage of uploading when using Storage.put to upload file to S3?

simon998yang · 3Comments

required field attribute is not properly implemented in Vue SignUp component

lucasmike · 3Comments

Amplify PubSub not compatible with Amplify API GraphQL / Appsync

leantide · 3Comments

Amplify and Redux?

rygo6 · 3Comments

react-native PushNotification.onRegister called twice on Android

ddemoll · 3Comments