Aws-sdk-android: Cognito - Sign In - Error in federating the token

Created on 7 May 2019 · 10 Comments · Source: aws-amplify/aws-sdk-android

Describe the bug
Hi all, we are trying to configure Amplify Authentication on Android. When we try to sign in, the onResult callback is called with a signInState equal to SignInState.DONE, but when we try to get the token (both sync and async), an exception is raised: "getTokens does not support retrieving tokens while signed-out"

Looking in the log, there is an exception after the sign-in:

java.lang.RuntimeException: Error in federating the token.
at com.amazonaws.mobile.client.AWSMobileClient$8.run(AWSMobileClient.java:1484)
at com.amazonaws.mobile.client.internal.InternalCallback.await(InternalCallback.java:115)
at com.amazonaws.mobile.client.AWSMobileClient.federatedSignInWithoutAssigningState(AWSMobileClient.java:1414)
at com.amazonaws.mobile.client.AWSMobileClient$6$1.onSuccess(AWSMobileClient.java:1156)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser.getSession(CognitoUser.java:745)
at com.amazonaws.mobile.client.AWSMobileClient$6.run(AWSMobileClient.java:1142)
at com.amazonaws.mobile.client.internal.InternalCallback$1.run(InternalCallback.java:101)
at java.lang.Thread.run(Thread.java:818)
Caused by: com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Token is not from a supported provider of this identity pool. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException; Request ID: 3c924e1f-70ea-11e9-80ca-01ad7f96c8b7)
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:730)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:405)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:212)
at com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.invoke(AmazonCognitoIdentityClient.java:1658)
at com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.getId(AmazonCognitoIdentityClient.java:739)
at com.amazonaws.auth.AWSAbstractCognitoIdentityProvider.getIdentityId(AWSAbstractCognitoIdentityProvider.java:172)
at com.amazonaws.mobile.client.AWSMobileClientCognitoIdentityProvider.refresh(AWSMobileClient.java:3600)
at com.amazonaws.auth.CognitoCredentialsProvider.startSession(CognitoCredentialsProvider.java:678)
at com.amazonaws.auth.CognitoCredentialsProvider.refresh(CognitoCredentialsProvider.java:631)
at com.amazonaws.auth.CognitoCachingCredentialsProvider.refresh(CognitoCachingCredentialsProvider.java:510)
at com.amazonaws.mobile.client.AWSMobileClient.federateWithCognitoIdentity(AWSMobileClient.java:1515)
at com.amazonaws.mobile.client.AWSMobileClient$8.run(AWSMobileClient.java:1471)

To Reproduce
Just initialize the AWSMobileClient, call signIn with a valid username and password, and call getTokens(). The most awkward part is that signIn returns SignInState.DONE, even with this exception.

build.gradle (app)

implementation "com.amazonaws:aws-android-sdk-mobile-client:2.13.4"
implementation "com.amazonaws:aws-android-sdk-auth-userpools:2.13.4"

MainApplication.kt (extends Application)

AWSMobileClient.getInstance().initialize(applicationContext, object : Callback<UserStateDetails> {
    override fun onError(e: Exception?) {
        Timber.e(e, "An error occurred while tried to init the AWSMobileClient")
    }
    override fun onResult(result: UserStateDetails?) {
        Timber.d("Successfully started the AWSMobileClient: ${result?.userState}") // Reaches here with SIGNED_OUT
    }
})

Repository.kt

suspend fun signInOnCognito(email: String, password: String): String =
        suspendCoroutine { continuation ->
            val signInCallback = object : Callback<SignInResult> {
                override fun onResult(result: SignInResult) {
                    Timber.d("Sign in result: ${result.signInState}")
                    fetchToken(continuation)
                }

                override fun onError(exception: java.lang.Exception) {
                    continuation.resumeWithException(exception)
                }
            }

            AWSMobileClient.getInstance().signIn(email, password, null, signInCallback)
        }

fun fetchToken(continuation: Continuation<String>) {
    val getTokensCallback = object : Callback<Tokens> {
        override fun onResult(result: Tokens) {
            Timber.d("Got the user token")
            continuation.resume(result.idToken.tokenString)
        }

        override fun onError(e: Exception) {
            Timber.e(e, "Cannot get the user token")
            continuation.resumeWithException(e)
        }

    }
    AWSMobileClient.getInstance().getTokens(getTokensCallback)
}

awsconfiguration.json

{
    "UserAgent": "aws-amplify-cli/0.1.0",
    "Version": "1.0",
    "IdentityManager": {
        "Default": {}
    },
    "CredentialsProvider": {
        "CognitoIdentity": {
            "Default": {
                "PoolId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
                "Region": "us-east-1"
            }
        }
    },
    "CognitoUserPool": {
        "Default": {
            "PoolId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
            "AppClientId": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
            "AppClientSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
            "Region": "us-east-1"
        }
    }
}

Which AWS service(s) are affected?
Amazon Cognito

Expected behavior
Sign in and retrieve the JWT token string.

Environment Information (please complete the following information):

  • AWS Android SDK Version: 2.13.4
  • Device: Any
  • Android Version: Any
  • Specific to simulators: No
AWSMobileClient Bug Needs Info from Requester closing-soon-if-no-response

All 10 comments

I have almost this exact same use case and am running into the same problem. I am trying to create a method that will sign in the user and return the Cognito access token.

I have an implementation that works by manually using the CognitoUserPool class and the CognitoUser.getSession(final AuthenticationHandler callback) method. But using the new AWSMobileClient, similar to OP's implementation, I am getting the same java.lang.RuntimeException: Error in federating the token error.

@luanalbineli, @fernando-berrios

The error snippet

Caused by: com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Token is not from a supported provider of this identity pool. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException; Request ID: 3c924e1f-70ea-11e9-80ca-01ad7f96c8b7)

...implies that there is a problem with your backend setup. For example, if your User Pool is not properly set up as an Authentication Provider for your Identity Pool, then you might see an error similar to this.

To verify your setup:

  • Identity Pool

    • Go to the Amazon Cognito Console

    • Click on "Manage Identity Pools"

    • Click on the Identity Pool for your app

    • Click on "Edit identity pool"

    • Expand the "Authentication providers" section

    • Note the "User Pool ID" and "App client Id"

  • User Pool

    • Go to the Amazon Cognito Console

    • Click on "Manage User Pools"

    • Click on the User Pool for your app

    • Ensure the "Pool Id" matches the "User Pool ID" from your Identity Pool

    • Click on "App client settings" under the "App integration" navigation section

    • Ensure that the "App client Id" from your Identity Pool matches one of the App clients on the page

  • awsconfiguration.json

    • Ensure your configurations have the correct User Pool and Identity Pool configurations throughout.
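The console cross-check above can also be done offline. The following is an added example, not part of the original comment or of the SDK: a Python check that compares an `awsconfiguration.json` with the identity pool description returned by `aws cognito-identity describe-identity-pool`. All ids are constructed placeholders, and the function name `check_federation_config` is hypothetical.

```python
import json
import re

# Constructed sample data: every id below is a made-up placeholder.
SAMPLE_CONFIG = json.loads("""
{
  "CredentialsProvider": {"CognitoIdentity": {"Default": {
      "PoolId": "us-east-1:00000000-1111-2222-3333-444444444444",
      "Region": "us-east-1"}}},
  "CognitoUserPool": {"Default": {
      "PoolId": "us-east-1_EXAMPLE01",
      "AppClientId": "exampleclientid0000000000",
      "Region": "us-east-1"}}
}
""")

# Shape of `aws cognito-identity describe-identity-pool` output (constructed).
SAMPLE_IDENTITY_POOL = {
    "IdentityPoolId": "us-east-1:00000000-1111-2222-3333-444444444444",
    "CognitoIdentityProviders": [
        {"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_OTHERPOOL",
         "ClientId": "exampleclientid0000000000"},
    ],
}

IDENTITY_POOL_ID = re.compile(r"^([a-z0-9-]+):[0-9a-f-]{36}$")


def check_federation_config(config, identity_pool):
    """Return a list of findings; an empty list means the ids line up."""
    findings = []
    user_pool = config.get("CognitoUserPool", {}).get("Default", {})
    identity = (config.get("CredentialsProvider", {})
                      .get("CognitoIdentity", {}).get("Default"))
    if not identity:
        # Without this section the client has no identity pool to federate with.
        return ["no CredentialsProvider.CognitoIdentity section: federation disabled"]

    match = IDENTITY_POOL_ID.match(identity.get("PoolId", ""))
    if not match:
        findings.append("identity pool id is not of the form <region>:<guid>")
    elif match.group(1) != identity.get("Region"):
        findings.append("identity pool id region differs from configured Region")
    if identity.get("PoolId") != identity_pool.get("IdentityPoolId"):
        findings.append("config points at a different identity pool")

    # The identity pool lists user pools as cognito-idp.<region>.amazonaws.com/<userPoolId>.
    expected_provider = "cognito-idp.{}.amazonaws.com/{}".format(
        user_pool.get("Region"), user_pool.get("PoolId"))
    providers = identity_pool.get("CognitoIdentityProviders", [])
    if not any(p.get("ProviderName") == expected_provider for p in providers):
        findings.append("user pool is not an authentication provider of the identity pool")
    elif not any(p.get("ProviderName") == expected_provider
                 and p.get("ClientId") == user_pool.get("AppClientId")
                 for p in providers):
        findings.append("app client id is not registered for that user pool")
    return findings


if __name__ == "__main__":
    for finding in check_federation_config(SAMPLE_CONFIG, SAMPLE_IDENTITY_POOL):
        print("FINDING:", finding)
```

With the constructed sample, the check reports that the user pool is not a provider of the identity pool, which is the kind of mismatch the comment above associates with the NotAuthorizedException.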

@palpatim

I double checked the values as best I could (limited access to AWS console), and the info I've found matches the one in the awsconfiguration.json

Using the same config file with this implementation works fine:

public class CognitoService {

    private CognitoUserPool cognitoUserPool;

    public CognitoService(CognitoUserPool cognitoUserPool){
        this.cognitoUserPool = cognitoUserPool;
    }

    @Override
    public Single<String> login(String username, String password) {
        return Single.create(singleSource -> {

            final CognitoUser cognitoUser = cognitoUserPool.getUser(username);

            cognitoUser.getSession(new AuthenticationHandler() {

                @Override
                public void onSuccess(CognitoUserSession userSession, CognitoDevice newDevice) {
                    singleSource.onSuccess(userSession.getAccessToken().getJWTToken());
                }

                ...
            });
        });
    }

}

Also, just realized I am not getting a NotAuthorizedException, but instead a ResourceNotFoundException:

```
W/AWSMobileClient: Failed to federate tokens during sign-in
java.lang.RuntimeException: Error in federating the token.
at com.amazonaws.mobile.client.AWSMobileClient$8.run(AWSMobileClient.java:1484)
at com.amazonaws.mobile.client.internal.InternalCallback.await(InternalCallback.java:115)
at com.amazonaws.mobile.client.AWSMobileClient.federatedSignInWithoutAssigningState(AWSMobileClient.java:1414)
at com.amazonaws.mobile.client.AWSMobileClient$6$1.onSuccess(AWSMobileClient.java:1156)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$6.onSuccess(CognitoUser.java:787)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$27.run(CognitoUser.java:2553)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$24.run(CognitoUser.java:2430)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationContinuation.continueTask(AuthenticationContinuation.java:124)
at com.amazonaws.mobile.client.AWSMobileClient$6$1.getAuthenticationDetails(AWSMobileClient.java:1173)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser.getSession(CognitoUser.java:751)
at com.amazonaws.mobile.client.AWSMobileClient$6.run(AWSMobileClient.java:1142)
at com.amazonaws.mobile.client.internal.InternalCallback$1.run(InternalCallback.java:101)
at java.lang.Thread.run(Thread.java:764)
Caused by: com.amazonaws.services.cognitoidentity.model.ResourceNotFoundException: IdentityPool '{{REDACTED}}' not found. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: ResourceNotFoundException; Request ID: 11661eba-75bb-11e9-953c-5f8eba552371)
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:730)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:405)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:212)
at com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.invoke(AmazonCognitoIdentityClient.java:1658)
at com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.getId(AmazonCognitoIdentityClient.java:739)
at com.amazonaws.auth.AWSAbstractCognitoIdentityProvider.getIdentityId(AWSAbstractCognitoIdentityProvider.java:172)
at com.amazonaws.mobile.client.AWSMobileClientCognitoIdentityProvider.refresh(AWSMobileClient.java:3600)
at com.amazonaws.auth.CognitoCredentialsProvider.retryRefresh(CognitoCredentialsProvider.java:714)
at com.amazonaws.auth.CognitoCredentialsProvider.startSession(CognitoCredentialsProvider.java:682)
at com.amazonaws.auth.CognitoCredentialsProvider.refresh(CognitoCredentialsProvider.java:631)
at com.amazonaws.auth.CognitoCachingCredentialsProvider.refresh(CognitoCachingCredentialsProvider.java:510)
at com.amazonaws.mobile.client.AWSMobileClient.federateWithCognitoIdentity(AWSMobileClient.java:1515)
at com.amazonaws.mobile.client.AWSMobileClient$8.run(AWSMobileClient.java:1471)
at com.amazonaws.mobile.client.internal.InternalCallback.await(InternalCallback.java:115)
at com.amazonaws.mobile.client.AWSMobileClient.federatedSignInWithoutAssigningState(AWSMobileClient.java:1414)
at com.amazonaws.mobile.client.AWSMobileClient$6$1.onSuccess(AWSMobileClient.java:1156)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$6.onSuccess(CognitoUser.java:787)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$27.run(CognitoUser.java:2553)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser$24.run(CognitoUser.java:2430)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationContinuation.continueTask(AuthenticationContinuation.java:124)
at com.amazonaws.mobile.client.AWSMobileClient$6$1.getAuthenticationDetails(AWSMobileClient.java:1173)
at com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser.getSession(CognitoUser.java:751)
at com.amazonaws.mobile.client.AWSMobileClient$6.run(AWSMobileClient.java:1142)
at com.amazonaws.mobile.client.internal.InternalCallback$1.run(InternalCallback.java:101)
at java.lang.Thread.run(Thread.java:764)


```

UPDATE:

Quick update, I updated the `awsconfiguration.json` file and removed the `CredentialsProvider` and `IdentityManager` sections, and I am now able to get the token after calling `AwsMobileClient.signIn`. I do see this error in the log:

```
W/AWSMobileClient: Failed to federate tokens during sign-in
java.lang.Exception: Federation is not enabled, please check if you have CognitoIdentity configured.
```

I should note as well that my awsconfiguration.json file was not generated by the amplify cli tool, it was provided to me by another team member and generated by "UserAgent": "MobileHub/1.0"

Hi @fernando-berrios ,

The warning you encountered is expected given that the Cognito Identity Pool is not configured.

I also tried out AWS Mobile Hub and when the Cognito User Pool is configured through AWS Mobile Hub the awsconfiguration.json file seemed to work fine.

Hi @luanalbineli ,

Are you still encountering an issue after going through the steps provided by @palpatim ?

Hi,

We are closing this issue because there has been no activity. Please feel free to open a new issue if the problem persists. We ask this because closed issues are not actively monitored.

Thanks

@luanalbineli Have you fixed it yet? I have the same issue as yours. My awsconfiguration.json is copied from the iOS side.

@fernando-berrios can you please provide us the correct structure of the awsconfiguration.json file for mobile apps, since I have the exact same issue you've been through. The file was provided to me as well.

Getting the same issue: Failed to federate tokens during sign-in
java.lang.RuntimeException: Error in federating the token.

Any solution?