The OAuth settings follow
https://aws-amplify.github.io/amplify-js/media/authentication_guide.html#configuring-the-hosted-ui
when calling Amplify.configure.
After Auth.signIn succeeds, try running

```js
import { Auth } from 'aws-amplify';

// Inspect the scope claim of the access token in the current session
Auth.currentSession().then((data) => {
  console.log(`Result scope = ${data.accessToken.payload.scope}`);
});
```

to verify that it is always 'Result scope = aws.cognito.signin.user.admin'.
So it means the access_token was granted without respecting the scopes specified in Amplify.configure.
Other settings specified just work fine.
I think this might be related to #1884. I'm having the same issue, but I'm not using the hosted UI. If you're using the hosted UI, I think you have to pass the scopes into the URL that you create. The documentation doesn't mention this, but if you look at the example you see this line.

```js
const url = 'https://' + domain + '/login?redirect_uri=' + redirectSignIn + '&response_type=' + responseType + '&client_id=' + clientId;
```

You need to add the scope list to it like this.

```js
const url = 'https://' + domain + '/login?redirect_uri=' + redirectSignIn + '&response_type=' + responseType + '&client_id=' + clientId + '&scope=' + scope;
```

You'll need to get scope from the Auth.configure that you already added. You might need to separate each scope by spaces, not commas, not sure.
This still doesn't solve what to do when you're not using the hosted UI though... which is the problem I'm having. The library just assumes one scope, the admin one. It doesn't look at the custom scopes you've created.
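The two things the comments above are doing by hand, checking which scopes the access token actually carries and putting the configured scopes into the Hosted UI /login URL, as an added example that is not part of this thread and not Amplify's own code. It assumes a Node 16+ runtime, a constructed (unsigned) token shaped like the one the thread reports, and placeholder domain, client ID and redirect values. Scope is space-delimited in OAuth 2.0 (RFC 6749 section 3.3), which is how Cognito returns it in the token and expects it in the URL, so the "spaces, not commas" guess above is right.

```javascript
// Added example: check a Cognito access token's scope claim against the
// configured scopes, and build a Hosted UI /login URL that carries them.
// Not from the thread or from Amplify. Node 16+ (Buffer 'base64url').

// Decode a JWT payload WITHOUT verifying the signature. That is fine for
// client-side inspection ("which scopes did Cognito grant?") but never for
// authorization: a resource server must verify the signature against the
// user pool's JWKS before trusting any claim in the token.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Cognito puts the granted scopes in the access token as one space-delimited
// string in the `scope` claim; split it into a list.
function grantedScopes(accessToken) {
  const payload = decodeJwtPayload(accessToken);
  return typeof payload.scope === 'string'
    ? payload.scope.split(' ').filter(Boolean)
    : [];
}

// Which of the scopes passed to Amplify.configure are absent from the token.
function missingScopes(configuredScopes, accessToken) {
  const granted = new Set(grantedScopes(accessToken));
  return configuredScopes.filter((s) => !granted.has(s));
}

// Hosted UI login URL with the configured scopes joined by spaces and
// percent-encoded, so custom scopes such as "myapi/read" survive intact.
function hostedUiLoginUrl({ domain, clientId, redirectSignIn, responseType, scope }) {
  const query = [
    ['redirect_uri', redirectSignIn],
    ['response_type', responseType],
    ['client_id', clientId],
    ['scope', scope.join(' ')],
  ]
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join('&');
  return `https://${domain}/login?${query}`;
}

// Constructed sample config (hypothetical values), in the shape of the
// `oauth` block handed to Amplify.configure.
const oauth = {
  domain: 'example.auth.us-east-1.amazoncognito.com',
  scope: ['openid', 'email', 'myapi/read'],
  redirectSignIn: 'https://app.example.com/',
  responseType: 'code',
};
const clientId = 'client-id-placeholder';

// Constructed, unsigned token with the given scope claim. Stands in for the
// token the thread sees after Auth.signIn(); only the payload matters here.
function fakeAccessToken(scope) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ scope, token_use: 'access' })}.`;
}

// Usage: the SRP-flow token carries only the default scope, so every
// configured scope is reported missing; the Hosted UI URL carries them all.
const srpToken = fakeAccessToken('aws.cognito.signin.user.admin');
console.log('missing after Auth.signIn():', missingScopes(oauth.scope, srpToken));
console.log('hosted UI URL:', hostedUiLoginUrl({ ...oauth, clientId }));
```

The missing-scope check is what to run in the app after sign-in to tell the two flows apart; the URL builder replaces the string concatenation above so that scopes containing "/" are encoded rather than breaking the query.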
I'm having this issue as well.
I've set up Amplify.configure() correctly but Auth.signIn() isn't respecting the custom scopes. The returned JWT token has the scope overridden to aws.cognito.signin.user.admin.
Based on ErikCH's advice, I was able to fix our federated login by adding &scope={scope} to the custom URL. But the manual user logins are still broken. :worried:
@johndoto Have same issue here.
Ideally we don't want to use the hosted ui just to get custom scopes.
Is this a bug or will this be added in the future?
I'm also experiencing this issue, where my accessToken from the HostedUI contains the custom scope, but using the React components UI I get nothing but aws.cognito.signin.user.admin
This is hugely restricting. Surely this is either something plaguing everyone, in which case how isn't it spoken of more, or, more hopefully, those of us affected are just doing / configuring something incorrectly.
Any help / suggestions greatly appreciated!
It appears that specifying the requested scopes are not yet configurable: https://github.com/aws-amplify/amplify-js/blob/4644b432/packages/auth/src/Auth.ts#L133
Though the same Auth.ts is used to configure the Hosted UI scopes.
So maybe that just needs to be modified to allow overriding of the requested scopes for the non-hosted configuration?
It is my understanding that the hosted UI uses the OAuth flow and Auth.signIn() does not. Scope makes sense as part of OAuth 2. To use the non-hosted UI, your app client is set up without a client secret. To configure scopes for your app client, you need to enable OAuth, and that requires either a callback URL or a client secret for the client credentials flow.
With that said, I think it's not the Amplify per se but the Cognito service itself that defaults scope to aws.cognito.signin.user.admin in the absence of configured OAuth scopes.
I agree that it would be nice if the non-OAuth Auth.signIn() flow supported declared scopes and sent them back in the access_token.
Any news on that? We need custom scopes also in the SRP auth flow (no standard OAuth2 Flow)
@reste85 @juno-yu @ErikCH @johndoto @nishtjak-github @chrisella @jeffsheets @pveller -
Quite a bit of work was done on our OAuth flow in a recent release a couple of weeks ago, and I believe that this should be fixed. Please try the latest version of amplify, and if you continue having problems please feel free to open a new issue. I'm closing this one for now. Thanks.
If you just want to get additional info from OAuth, you have to map properties (like name, picture) from the Cognito settings (Federation attribute mapping),
like this (add name and picture settings):

And you can get these values from user.attributes.

```js
import { Auth } from 'aws-amplify';

// Mapped federated attributes show up on the authenticated user's attributes
Auth.currentAuthenticatedUser()
  .then((user) => {
    console.log(user.attributes.picture);
  })
  .catch((err) => console.log(err));
```
This still does not appear to be resolved. Specifying requested scopes in Amplify and Auth configs appears to have no effect.
@haverchuck, this issue is still not solved. Please refer to #3732
Amplify is an open source library that allows customers to interact with Cloud Services such as Amazon Cognito.
Amazon Cognito provides a mechanism to get different scopes on the access token. This mechanism is only supported on OAuth flow using Cognito HostedUI. We’ve communicated the feedback to the Cognito team for their backlog, but I would also encourage you to open a case through your support channels to provide direct feedback outside of the GitHub forums.