Amplify-js: Auth components don't support scopes

Created on 6 May 2020 · 1 Comment · Source: aws-amplify/amplify-js

Is your feature request related to a problem? Please describe.
I'm using the provided react components to build the auth flow (@aws-amplify/ui-react).
Unfortunately there doesn't seem to be any possibility to request a scope on authentication.
So it's currently impossible to use this library for proper authentication.

Similar issues (closed without any reason): #3732 #1370.
-> That issue has already existed for years now

Describe the solution you'd like
Hosted-UI supports this. But that is not an option for us.
Would be great to pass the same configuration to the react components.

scope: ["email", "profile", "openid", "weather:read"],

Describe alternatives you've considered
Unfortunately I don't see any alternative solution possible with amplify-js.

-> I would really like to use this lib as it saves a ton of work. Thanks for that! Hope you can provide that feature (fix that bug ;)) soon 👍

Amplify UI Components feature-request

Most helpful comment

I ran into this very issue today. I'm using Vue.js but it's the same problem. The custom UI used by Amplify's UI components implements the USER_SRP_AUTH flow. This flow is completely separate from the OAuth 2.0 flows. As a result, the access token I get back looks like this:

{
  "sub": "992b512f-130d-4da6-a9d3-a1a4227f82f5",
  "event_id": "e856b86d-7f44-46a8-8e02-4345ed1a6755",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1588775410,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pNZrsdff",
  "exp": 1588782931,
  "iat": 1588779331,
  "jti": "000c94e0-9247-4f1e-ac0c-7aeb065d37f9",
  "client_id": "5gha7s6vka4qapbeape5i9resj",
  "username": "422b512f-130d-4da6-a9d3-a1a4117f82f5"
}

Notice the scope above.

When I try to invoke my HTTP API (not using REST) with a Cognito authorizer, passing the access token, I get the error: Bearer scope="email" error="insufficient_scope" error_description="expected scopes within the token".

Is the solution to use the Cognito hosted UI where we can get OAuth 2.0 scopes? If so, does that represent a compatibility issue with things like the Storage API (e.g. Storage.get())?
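Added example, not code from amplify-js or from either commenter: a small Node.js script that decodes a Cognito access token's payload and checks its `scope` claim against the scopes an API Gateway HTTP API JWT authorizer requires for a route. It reproduces the failure described in the comment: a USER_SRP_AUTH access token carries only `aws.cognito.signin.user.admin`, so a route configured to require `email` rejects it with `insufficient_scope`, while a Hosted UI (OAuth 2.0) token issued with the requested scopes passes. The token payloads, the client id, the user pool id and the required scope list are all constructed for the example; the tokens are unsigned and nothing here verifies a signature, so the check is a client-side diagnostic only, never a replacement for the authorizer.

```javascript
// Added example (not amplify-js code): inspect a Cognito access token's
// "scope" claim and predict whether an API Gateway HTTP API JWT authorizer
// configured with a set of required scopes would accept it.
//
// Assumptions (not from the issue): the sample tokens, pool id, client id and
// the REQUIRED scope list below are constructed for this example. Signatures
// are NOT verified here; only the authorizer's signature check is authoritative.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding (RFC 7515, section 2).
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Parse the payload of a compact JWS (header.payload.signature).
// Does NOT verify the signature: use only to look at claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT: expected 3 dot-separated segments");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirror the authorizer's scope rule: the token must be an access token
// (Cognito ID tokens carry no "scope" claim at all) and its space-separated
// scope list (RFC 6749, section 3.3) must contain every required scope.
function checkScopes(payload, requiredScopes) {
  if (payload.token_use !== "access") {
    return { ok: false, missing: requiredScopes, reason: "not an access token" };
  }
  const granted = new Set(
    typeof payload.scope === "string" ? payload.scope.split(" ").filter(Boolean) : []
  );
  const missing = requiredScopes.filter((s) => !granted.has(s));
  return {
    ok: missing.length === 0,
    missing,
    reason: missing.length ? "insufficient_scope" : "",
  };
}

// Build an UNSIGNED token for offline demonstration (constructed data; a real
// Cognito token is RS256-signed and would never use alg "none").
function unsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Constructed payload shaped like the USER_SRP_AUTH access token in the comment:
// the native auth flows only ever grant aws.cognito.signin.user.admin.
const SRP_ACCESS_TOKEN = unsignedToken({
  sub: "00000000-0000-4000-8000-000000000001",
  token_use: "access",
  scope: "aws.cognito.signin.user.admin",
  iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
  client_id: "exampleclientid",
  exp: 1588782931,
});

// Constructed payload shaped like a Hosted UI (OAuth 2.0 authorization code)
// access token issued with the scopes from the feature request.
const OAUTH_ACCESS_TOKEN = unsignedToken({
  sub: "00000000-0000-4000-8000-000000000001",
  token_use: "access",
  scope: "openid email profile weather:read",
  iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
  client_id: "exampleclientid",
  exp: 1588782931,
});

// Hypothetical route requirement, like a JWT authorizer route with
// authorizationScopes set to ["email"].
const REQUIRED = ["email"];

function diagnose(token, required = REQUIRED) {
  return checkScopes(decodeJwtPayload(token), required);
}

console.log("SRP token:  ", diagnose(SRP_ACCESS_TOKEN));
console.log("OAuth token:", diagnose(OAUTH_ACCESS_TOKEN));
```

Run it with `node` to see the SRP token reported as `insufficient_scope` with `email` missing and the Hosted UI token accepted. The practical point is that no client-side configuration of the amplify-js UI components changes the `scope` claim; only an OAuth 2.0 flow against the user pool domain (Hosted UI) issues tokens with resource-server scopes, and the HTTP API authorizer reads nothing but the signed claims.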
