Amplify-js: NotAuthorizedException: Token is not from a supported provider of this identity pool.

Created on 13 Aug 2019  路  13Comments  路  Source: aws-amplify/amplify-js

Describe the bug

Unable to login with Facebook (react-native).

To Reproduce

  1. Run through the default social provider auth flow with amplify add auth
  2. Create a facebook app, add appId + appSecret to amplify config
  3. Add app domain provided by cognito to FB dev page
  4. Set the website with appended path (eg: https://zatiq-mobile-app-dev.auth.us-east-1.amazoncognito.com/oauth2/idpresponse)
  5. Use the example code for setting up react native facebook login (PS Expo no longer exposes a facebook property, it now comes from 'expo-facebook' package).
  6. Attempt to sign with Auth.federatedSignIn

results in: NotAuthorizedException: Token is not from a supported provider of this identity pool.

Expected behavior
Should receive credentials

Screenshots && Full Code Samples
Here they are, I hope they help:

Generated aws-exports.js file (imported at the root of the app):

const awsmobile = { "aws_project_region": "us-east-1", "aws_cognito_identity_pool_id": "us-east-1:b34dbc6d-dd57-4bd8-9e00-10d8e47039ea", "aws_cognito_region": "us-east-1", "aws_user_pools_id": "us-east-1_SYQGQiN5S", "aws_user_pools_web_client_id": "t851knsevlqsm11spa7huoerj", "oauth": { "domain": "zatiq-mobile-app-dev.auth.us-east-1.amazoncognito.com", "scope": [ "phone", "email", "openid", "profile", "aws.cognito.signin.user.admin" ], "redirectSignIn": "exp://192.168.2.15:19000/", "redirectSignOut": "exp://192.168.2.15:19000/", "responseType": "code" }, "federationTarget": "COGNITO_USER_POOLS", "aws_content_delivery_bucket": "zatiq-mobile-app-hosting-dev", "aws_content_delivery_bucket_region": "us-east-1", "aws_content_delivery_url": "http://zatiq-mobile-app-hosting-dev.s3-website-us-east-1.amazonaws.com" };

Cognito config verifying Facebook data is there (I have omitted the app secret for this screenshot)

Screen Shot 2019-08-12 at 7 52 58 PM

Verifying that I haven't used the wrong cognito pool:

Screen Shot 2019-08-12 at 7 54 46 PM

Screenshot of setting the website url on facebook with appended paths:

Screen Shot 2019-08-12 at 7 54 02 PM

full login code:

`const signIn = async () => {
const { type, token, expires } = await Facebook.logInWithReadPermissionsAsync(
'705885429837326', {
permissions: ['public_profile'],
behavior: 'native',
}
);

if (type === 'success') {
  const response = await fetch(`https://graph.facebook.com/me?access_token=${token}`);
  const { name } = await response.json();

  Auth.federatedSignIn(
    'facebook',
    { token, expires_at: expires },
    { name, }
  )
    .then(credentials => {
      console.log('get aws credentials', credentials);
    }).catch(e => {
      console.log(e);
    });
}

}`

Desktop (please complete the following information):

  • OS: macOS Mojave
  • Browser Chrome

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

I've checked other issues in this repo (there are a few that have this same error) but alas was unable to pinpoint what I'm doing wrong :(

pending-close-response-required
Source
picture ilrein
👍4

Most helpful comment

The issue was actual for me as well. Identity poll was created but I have to put manually Facebook App Id and Google App Id to Authentication providers list

picture silinski on 27 Jan 2020
👍3

All 13 comments

I've been trying to figure out it, what I can tell is that the method await Facebook.logInWithReadPermissionsAsync( is successful, its Auth.federatedSignIn( that fails, which is really weird since it used the CLI to setup Federated Identities/Auth.

Please help!

ilrein picture ilrein on 13 Aug 2019

Bump...

ilrein picture ilrein on 15 Aug 2019

FIGURED IT OUT!

It had nothing to do with my setup, which was fine. Once the cognito resource was created, I had to find the correlating federated identity, manually edit it, add facebook app ID -- and voila. I authorized. The documentation is missing for this entirely. It setups up the User Pool but NOT the Federated Identity which can only be found by cross referencing the "Resource name".

ilrein picture ilrein on 15 Aug 2019

Assigning to CLI team, I ran into this as well and the appId provided at the cli was not present in the identity created.

Amplifiyer picture Amplifiyer on 10 Sep 2019

In my case the app client settings are not set up when pushed thru amplify console. So might be something related.

chezhiane picture chezhiane on 10 Sep 2019

@chezhiane You would need to set your app-client ID's and secrets in the team-provider info - mapped to your env/branch name for the Console to pick it up.

@pravgupt Could you please mention steps to reproduce this?

kaustavghosh06 picture kaustavghosh06 on 12 Sep 2019

I chose Default Configuration with Social Provider (Federation) and the CLI did ask me for the app Id and secret. After that I called Auth.federatedSignIn()

In the aws_exports I can see that the federation target is "COGNITO_USER_POOLS" but I think the library was trying to federate through the identity pool.

Amplifiyer picture Amplifiyer on 19 Sep 2019

@pravgupt It might be an issue with the JS Lib looking for another enum for that key then?
@undefobj @manueliglesias Any thoughts?

kaustavghosh06 picture kaustavghosh06 on 3 Oct 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 30 Nov 2019

This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems.

stale[bot] picture stale[bot] on 7 Dec 2019

The issue was actual for me as well. Identity poll was created but I have to put manually Facebook App Id and Google App Id to Authentication providers list

silinski picture silinski on 27 Jan 2020
👍3

@silinski @kaustavghosh06 @Amplifiyer
Do we have to set up Federated Identities pool Authentication providers as well? Can it be done without?

@ilrein
What did you mean by Federated Identity which can only be found by cross referencing the "Resource name".

Jun711 picture Jun711 on 22 Apr 2020

@Jun711 it didn't work without Federated Identities pool Authentication providers for me in January. Without Federated Identities pool Authentication providers Amplify CLI didn't push tokens to the AWS Cognito however, they were configured locally in the CLI.

There is a chance that it was fixed with new releases, but I didn't check

silinski picture silinski on 23 Apr 2020
👀1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

shinnapatthesix picture shinnapatthesix  路  3Comments
cgarvis picture cgarvis  路  3Comments
lucasmike picture lucasmike  路  3Comments
benevolentprof picture benevolentprof  路  3Comments
karlmosenbacher picture karlmosenbacher  路  3Comments