Amplify-js: Credentials immediately removed from localstorage after successful login with Hosted UI

Created on 23 Aug 2018 · 8 comments · Source: aws-amplify/amplify-js

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

Setup:

  • Cognito User Pool with federated users from azuread.
  • Simple React app using withOAuth and Authenticator

With the following configuration:

```javascript
Amplify.configure({
  API: {
...
  Auth: {
    region: 'eu-west-1',
    userPoolId: 'eu-west-POOL_ID',
    userPoolWebClientId: 'ClientID',
    oauth: {
      domain: 'blablabla.auth.eu-west-1.amazoncognito.com',
      scope : ['email', 'profile', 'openid'],
      redirectSignIn : 'http://localhost:3000',
      redirectSignOut : 'http://localhost:3000',
      responseType: 'token',
    },
  }
});
```
The login flow goes as follows:

Call OAuthSignIn() → Redirected to Cognito login page → Select the provider → Redirected to the provider Login Page → Login with my credentials → Redirected to http://localhost:3000/#access_token=ACCES_TOKEN=ID_TOKEN&token_type=Bearer&expires_in=3600

The Problem

When redirected with a working token (I tested it against my API), the SDK calls clear() on the credentials in localStorage and redirects to http://localhost:3000.

#### The weird thing
If I remove the userPoolId from the configuration and call OAuthSignIn() again, the credentials are not erased anymore; however, the Authenticator doesn't log me in since userPoolId is no longer in the configuration.

#### The other weird thing
If I put userPoolId back in the configuration with a filled localStorage, I'm logged in.

What is the expected behavior?

The SDK should not sign out after a successful OAuth login.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

  • "aws-amplify": "^1.0.6"
  • "aws-amplify-react": "^1.0.6"

Issues #392, #1395, #1426 report similar issues related to hosted UI authentication and OAuth.

Auth bug

All 8 comments

@theGlenn can you provide the debug log so we can know what's happening in the library? You can enable it by putting window.LOG_LEVEL='DEBUG' in your app.

Hi @powerful23, here is the stack trace from the moment I'm redirected to the login page.

```
{[DEBUG] 55:21.336 Amplify - amplify config: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.339 I18n - configure I18n
ConsoleLogger.js:84 [DEBUG] 55:21.339 I18n - create I18n instance
ConsoleLogger.js:84 [DEBUG] 55:21.339 AnalyticsClass - configure Analytics
ConsoleLogger.js:100 {[DEBUG] 55:21.339 Parser - parse config: Array(3)}
ConsoleLogger.js:100 {[DEBUG] 55:21.342 AWSPinpointProvider - configure Analytics: {…}
ConsoleLogger.js:100 {[DEBUG] 55:21.343 Analytics - on hub capsule analytics: {…}
ConsoleLogger.js:100 {[DEBUG] 55:21.343 AnalyticsClass - current configuration: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.343 AuthClass - configure Auth
ConsoleLogger.js:100 {[DEBUG] 55:21.344 Parser - parse config: Array(3)}
ConsoleLogger.js:100 {[DEBUG] 55:21.345 AuthClass - cognito auth params: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.347 AuthClass - getting current authenticted user
ConsoleLogger.js:84 [DEBUG] 55:21.347 AuthClass - cannot load federated user from auth storage
ConsoleLogger.js:84 [DEBUG] 55:21.348 AuthClass - get current authenticated userpool user
ConsoleLogger.js:100 {[DEBUG] 55:21.349 Analytics - on hub capsule auth: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.350 AnalyticsClass - configure Analytics
ConsoleLogger.js:84 [DEBUG] 55:21.351 Credentials - getting credentials
ConsoleLogger.js:84 [DEBUG] 55:21.352 Credentials - picking up credentials
ConsoleLogger.js:84 [DEBUG] 55:21.352 Credentials - getting new cred promise
ConsoleLogger.js:84 [DEBUG] 55:21.353 Credentials - checking if credentials exists and not expired
ConsoleLogger.js:84 [DEBUG] 55:21.354 Credentials - need to get a new credential or refresh the existing one
ConsoleLogger.js:84 [DEBUG] 55:21.355 AuthClass - Getting current user credentials
ConsoleLogger.js:84 [DEBUG] 55:21.355 AuthClass - Getting current session
ConsoleLogger.js:84 [DEBUG] 55:21.357 Storage - configure called
ConsoleLogger.js:84 [DEBUG] 55:21.357 StorageClass - configure Storage
ConsoleLogger.js:84 [DEBUG] 55:21.357 StorageClass - Do not have bucket yet
ConsoleLogger.js:84 [DEBUG] 55:21.357 StorageClass - configure Storage
ConsoleLogger.js:84 [DEBUG] 55:21.358 StorageClass - Do not have bucket yet
ConsoleLogger.js:100 {[DEBUG] 55:21.358 API - configure API: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.359 API - create API instance
ConsoleLogger.js:100 {[DEBUG] 55:21.359 RestClient - API Options: {…}
ConsoleLogger.js:100 {[DEBUG] 55:21.360 PubSub - configure PubSub: {…}
ConsoleLogger.js:100 {[DEBUG] 55:21.360 Interactions - configure Interactions: {…}
ConsoleLogger.js:84 [DEBUG] 55:21.372 Hub - noname listening auth
index.js:2178 Warning: Invalid attribute name: `0`
index.js:2178 Warning: Invalid attribute name: `1`
ConsoleLogger.js:84 [DEBUG] 55:21.406 AuthClass - getting current authenticted user
ConsoleLogger.js:84 [DEBUG] 55:21.407 AuthClass - cannot load federated user from auth storage
ConsoleLogger.js:84 [DEBUG] 55:21.408 AuthClass - get current authenticated userpool user
ConsoleLogger.js:84 [DEBUG] 55:21.429 RestClient - GET https://azeaaxea.execute-api.eu-west-1.amazonaws.com/default/catalog?filters=[]
ConsoleLogger.js:84 [DEBUG] 55:21.472 Credentials - getting credentials
ConsoleLogger.js:84 [DEBUG] 55:21.473 Credentials - picking up credentials
ConsoleLogger.js:84 [DEBUG] 55:21.474 Credentials - getting old cred promise
ConsoleLogger.js:84 [DEBUG] 55:21.474 Hub - noname listening auth
ConsoleLogger.js:84 [DEBUG] 55:21.480 AuthClass - Failed to get user from user pool
ConsoleLogger.js:84 [DEBUG] 55:21.481 AuthClass - Failed to get user from user pool
ConsoleLogger.js:84 [DEBUG] 55:21.481 AuthClass - Failed to get user from user pool
ConsoleLogger.js:100 {[DEBUG] 55:21.482 AuthClass - The user is not authenticated by the error: "No current user"}
ConsoleLogger.js:100 {[DEBUG] 55:21.483 AuthClass - Failed to get the current user: "No current user"}
ConsoleLogger.js:100 {[DEBUG] 55:21.483 AuthClass - The user is not authenticated by the error: "No current user"}
ConsoleLogger.js:84 [DEBUG] 55:21.484 Credentials - getting credentials
ConsoleLogger.js:84 [DEBUG] 55:21.485 Credentials - picking up credentials
ConsoleLogger.js:84 [DEBUG] 55:21.485 Credentials - getting old cred promise
ConsoleLogger.js:84 [DEBUG] 55:21.486 AuthClass - not logged in, try to parse the url
ConsoleLogger.js:100 {[DEBUG] 55:21.487 AuthClass - getting session failed: "No current user"}
ConsoleLogger.js:84 [DEBUG] 55:21.487 Credentials - setting credentials for guest
ConsoleLogger.js:84 [DEBUG] 55:21.488 Credentials - No Cognito Federated Identity pool provided
ConsoleLogger.js:84 [DEBUG] 55:21.489 Greetings - FB sdk undefined
ConsoleLogger.js:84 [INFO] 55:21.490 Cache - Remove item: key is federatedInfo
ConsoleLogger.js:84 [DEBUG] 55:21.491 RestClient - No credentials available, the request will be unsigned
ConsoleLogger.js:84 [DEBUG] 55:21.492 Credentials - setting credentials for guest
ConsoleLogger.js:84 [DEBUG] 55:21.493 Credentials - No Cognito Federated Identity pool provided
ConsoleLogger.js:100 {[DEBUG] 55:21.493 AWSPinpointProvider - ensure credentials error: "No Cognito Federated Identity pool provided"}
ConsoleLogger.js:100 {[DEBUG] 55:21.496 AWSPinpointProvider - ensure credentials error: "No Cognito Federated Identity pool provided"}
ConsoleLogger.js:100 {[DEBUG] 55:21.497 AuthClass - cannot load guest credentials for unauthenticated user: "No Cognito Federated Identity pool provided"}
ConsoleLogger.js:100 {[DEBUG] 55:21.498 Analytics - on hub capsule auth: {…}
index.js:24 onHubCapsule auth {event: "signOut", data: null} Auth
ConsoleLogger.js:100 {[DEBUG] 55:21.500 Authenticator - authenticator state change signedOut: undefined}
```

@theGlenn the Auth module reads tokens from localStorage and then validates them to tell whether a user is logged in or not. Seems like when the app is redirected back, it calls the signOut() function, which will clear the localStorage. Can you find out why this method is called? As far as I know, the library won't trigger it automatically.

> Seems like when the app is redirected back, it calls the signOut() function, which will clear the localStorage. Can you find out why this method is called? As far as I know, the library won't trigger it automatically.

@powerful23 Actually it does, take a look here: https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L1101

If there is no userpool the Auth SDK calls signOut and, as I said earlier:

> If I remove the userPoolId from the configuration and call OAuthSignIn() again, the credentials are not erased anymore; however, the Authenticator doesn't log me in since userPoolId is no longer in the configuration.

For me it seems like oauth and userpool configuration are not compatible.

#### Current workaround

  • I removed the userPoolId from the Auth config so that credentials are saved after redirection.
  • I don't use amplify to check user signedIn/out status
  • After redirection, I retrieve user credentials and session in localStorage using amazon-cognito-auth-js

    • I manually create a CognitoUserPool and retrieve the user with getCurrentUser().

    • From this I retrieve the necessary info with getUserAttributes(), getSession()

  • To signOut:

    • I remove the localStorage credentials using the user.signOut() method

    • Then I also clear cognito cookies by building the logout url https://${domain}/logout?logout_uri=${IDP_SIGN_ON_URI}&client_id=${clientId}
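The two URL shapes this thread turns on are the implicit-grant callback fragment (`#access_token=…&id_token=…&token_type=Bearer&expires_in=3600`, from the issue body) and the Hosted UI logout URL from the workaround above. The following is an added example, not code from the amplify-js project or from anyone in this thread, showing how a client can parse that fragment, refuse a callback whose id_token is expired or minted for another issuer or client, and build the logout URL. The issuer URL, user pool id, client id, username and the JWTs are constructed sample values (no real tokens; the signature is a placeholder); it runs on Node.js 16 or later with no packages.

```javascript
// Decode a JWT payload without verifying the signature. The signature must still be
// verified against the user pool's JWKS before the claims are trusted; this only lets
// the client read iss/aud/exp for a sanity check of the redirect it just received.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Parse the fragment Cognito Hosted UI appends to redirectSignIn for responseType 'token'.
// Every problem throws, so a caller can treat a malformed or stale redirect as a failed
// sign-in (the onFailure path) instead of silently continuing as a guest.
function parseHostedUiCallback(hash, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  if (params.has('error')) {
    throw new Error(`hosted UI returned error: ${params.get('error')}`);
  }
  for (const key of ['access_token', 'id_token', 'token_type', 'expires_in']) {
    if (!params.get(key)) throw new Error(`missing ${key} in callback fragment`);
  }
  if (params.get('token_type') !== 'Bearer') throw new Error('unexpected token_type');
  const expiresIn = Number(params.get('expires_in'));
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) throw new Error('bad expires_in');

  const idToken = params.get('id_token');
  const claims = decodeJwtPayload(idToken);
  // Accept only a token from our own pool, for our own app client, that is still valid.
  if (claims.iss !== expected.issuer) throw new Error('id_token issuer mismatch');
  if (claims.aud !== expected.clientId) throw new Error('id_token audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('id_token expired');

  return {
    accessToken: params.get('access_token'),
    idToken,
    expiresAt: nowSeconds + expiresIn,
    username: claims['cognito:username'],
  };
}

// Hosted UI logout endpoint: https://{domain}/logout?client_id=...&logout_uri=...
// logout_uri has to be one of the sign-out URLs registered on the app client.
function buildLogoutUrl(domain, clientId, logoutUri) {
  const url = new URL(`https://${domain}/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri);
  return url.toString();
}

// ---- constructed sample input (assumed values, not real tokens) ----
function makeFakeJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'RS256', kid: 'example-kid' })}.${b64(payload)}.fakesignature`;
}

const SAMPLE_EXPECTED = {
  issuer: 'https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE', // assumed pool
  clientId: 'ClientID',
};
const SAMPLE_NOW = 1535000000; // fixed clock so the expiry check is deterministic
const SAMPLE_ID_TOKEN = makeFakeJwt({
  iss: SAMPLE_EXPECTED.issuer,
  aud: SAMPLE_EXPECTED.clientId,
  exp: SAMPLE_NOW + 3600,
  'cognito:username': 'azuread_alice',
});
const SAMPLE_HASH =
  `#access_token=${makeFakeJwt({ exp: SAMPLE_NOW + 3600 })}` +
  `&id_token=${SAMPLE_ID_TOKEN}&token_type=Bearer&expires_in=3600`;

const session = parseHostedUiCallback(SAMPLE_HASH, SAMPLE_EXPECTED, SAMPLE_NOW);
console.log('signed in as', session.username, 'until', session.expiresAt);
console.log(buildLogoutUrl('blablabla.auth.eu-west-1.amazoncognito.com', 'ClientID', 'http://localhost:3000'));
```

The same checks apply whether the tokens come from the fragment or are later read back from localStorage: a token that fails the issuer, audience or expiry test should be dropped rather than presented to an API, and a real deployment additionally verifies the signature with the pool's JWKS.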

@theGlenn https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L1101 is under the method signOut()

The userPoolId is required for Amplify to configure the Auth module and has no conflict with oauth.
The Auth module tried to parse the callback url here:

```
ConsoleLogger.js:84 [DEBUG] 55:21.486 AuthClass - not logged in, try to parse the url
```

But the handler is not triggered here: https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L149 in your log. Either onSuccess or onFailure should be called to tell you whether the url is valid or not. If it succeeds, then you can get the current logged-in user.

@theGlenn the bug has been confirmed, will work on to fix it.

@powerful23 I am also facing the same issue, please process it; otherwise we are all stuck :( thanks

@pmd30011991 hey we just merged a fix for this issue.
