Amplify-js: Hosted UI and /oauth2/authorize seem to auto login, without having the option to confirm ("continue"), or log in to a different account

Created on 20 Sep 2018 · 8 comments · Source: aws-amplify/amplify-js

Describe the bug
Neither:
a) using the hosted UI and signing in with facebook/google
https://my-app.auth.auth.us-west-2.amazoncognito.com/login?(...)

b) using the oauth login
https://my-app.auth.auth.us-west-2.amazoncognito.com/oauth2/authorize?(...)

has the user confirm / continue, by presenting them with the common view found in most apps.

Approach b) has no way to switch to a different account after a user logs in with one, and they are stuck. Both approaches will throw an error if a user removes access from the fb/google allowed apps, when you expect them to be re-prompted to continue and allow access.

To Reproduce
Steps to reproduce the behavior:

  1. Create new account (e.g. '[email protected]'), then logout
  2. User wants to login as '[email protected]', but there is no way to accomplish this with method b).
  3. If you skip 3, and the user deletes permissions on their identity provider, and tries logging in using method b), it does not ask you to re-login, and throws an error. If using method a) and the user hits continue, the same error occurs.

Expected behavior
If a user is logged in, provide the identity provider page that allows users to "Continue" as the currently signed in account, or to switch accounts.

If a user revokes permissions, show the same page, re-instilling them.

Screenshots
[Screenshot: screen shot 2018-09-19 at 10:08:14 pm]

Smartphone (please complete the following information):

  • Device: iPhone X
  • OS: iOS 12
  • Browser: Safari

Labels: Cognito, Service Team investigating, pending-close-response-required

Most helpful comment

I think this is still a problem. Auth.signOut() only signs out from Cognito, but not from the federated provider (Google in this case). So when you try to login again (in my case, using Auth.federatedSignIn({ provider: 'Google' })) it will automatically bypass Google's account selection/login and directly use the existing session.

One suboptimal solution to this is to also sign out from Google. You can accomplish this by making a GET request to https://accounts.google.com/logout. This way, a subsequent federatedSignIn will need to go through the Google login screen.

But, the ideal solution in my opinion is to enable passing the prompt query param when issuing the code flow. This way, when you know you are signed out, you could pass prompt=select_account and you will go through the Google login screen even when you are still logged in to Google.

Can you please reopen this? It seems @powerful23 never got back with a Cognito team answer about this and it was just automatically closed.

All 8 comments

Hello, wanted to check in on this issue @powerful23

@VicFrolov will talk to the Cognito team.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

+1 would like to have a fix of this as well.

+2

Please reopen this ticket as this is still an issue
