Aws-sdk-ios: New Identity IDs created for some users unexpectedly

Is there any further diagnostic information I could provide to help debug this issue?

Hi @austinfitzpatrick

This looks like a bug with the SDK, but I was not able to reproduce this error. Could you please verify that instead of calling AWSMobileClient.sharedInstance().identityId what happens if you call AWSMobileClient.sharedInstance().getIdentityId(). Do you see the same behavior?

yes I do get the same issue. One thing that I realized recently that might be contributing (interested in your opinion) --

We create two appsync clients -- one which makes normal authenticated requests and another which we use for a single endpoint that has IAM authentication (it determines whether a phone number has been invited to our app - so it happens before we can authenticate a user). I was wondering if maybe this IAM app sync client's initialization could, under some circumstances, set a guest identity id on my AWSMobileClient?

As part of my continuing debugging of this issue I've changed our startup flow to delay the creation of the IAM authentication until we actually need it - so that logged-in users will never create this second appsync client. I haven't seen the issue first-hand since making this change, but it is intermittent and hard to reproduce on demand, so I'm not convinced I've solved it yet.

Reproduced again, delaying creation of the IAM client did not help. In this session an IAM client was never created, but it just happened again. The brand new identity ID was created: us-east-1:d743f034-1347-4717-8ab0-1c11023b9b25

Session ID tokens look like this:

(Instabug Logs - Error) 25-08 9:29:36.225 run task error: The operation couldn’t be completed. (com.amazonaws.AWSS3TransferUtilityErrorDomain error 2.)
(Instabug Logs - Info) 25-08 9:29:36.224 Error on task, 0 tries left
(Instabug Logs - Debug) 25-08 9:29:36.224 upload video failed
(Instabug Logs - Debug) 25-08 9:29:36.224 Session Expiration Token: Optional(2020-08-25 17:25:50 +0000) 3373.775573015213 seconds since now
(Instabug Logs - Debug) 25-08 9:29:36.224 Session Access Token: Optional(AWSMobileClient.SessionToken(tokenString: Optional("eyJraWQiOiJPbENWZmRNRHVsbWZIQjBxTG9iSkwrQlNqU1haQk5LNXlGN05FYUVFSUtZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJiMzQ5NDcwMi1kOWU5LTQ1NjYtOWRmYi03NTY3NDM4YjVhY2EiLCJjb2duaXRvOmdyb3VwcyI6WyJGYXJtZXIiLCJBZG1pbiIsIlB1YmxpYyIsIkludGVybmFsIl0sImV2ZW50X2lkIjoiYTg2Mjc4ZDQtODRhYi00NjUwLThlN2UtNTFmZmNjZDliM2M3IiwidG9rZW5fdXNlIjoiYWNjZXNzIiwic2NvcGUiOiJhd3MuY29nbml0by5zaWduaW4udXNlci5hZG1pbiIsImF1dGhfdGltZSI6MTU5NzA2MTA3MCwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfSXE2QTVIT0NZIiwiZXhwIjoxNTk4Mzc2MzUwLCJpYXQiOjE1OTgzNzI3NTAsImp0aSI6ImIwMjI1ODk0LTc3NzMtNDM1Ny1iYzA0LTJjZGFiMjUzMWY4MyIsImNsaWVudF9pZCI6IjFvN2NnYTUza2lhM2wxdjltbjdnc2pmMjNhIiwidXNlcm5hbWUiOiJDMjNFNTlFMS00MEJGLTQ3NjEtQUU5Ny01OUMzMTBFMEI5OEEifQ.ZhT0cJI5JBM2LjhYOMQSmpZtTUXdXZkdmJ3mIApDyOswKqMbMpQ04odY4H89_2yg91YjTU9itu5Q1GsPv2e7UQzY8B5gKYJ1ugXHFNZgKybQow7fkZXzRs118c0e8_2Ul44IRl-ydcxhuqFSMuN42aT8jHfSK_-Ay6GXr6PTk8T2a-IcrXb4xj0U2u3VzZ0VKhXY7GHqUZz4P29iLydHw88fwPtcQ8xLrGF9aZpT2BVFdNMHUPD4k5k-DRDseUasKoIGpUfJ2mNhIOOk5612DpCepr26-G4_tHS7_ZggFx7nzfI_UxHMFvEB7KIGW4i5g-bwzZmAlMZJZsTwqsamaw")))
(Instabug Logs - Debug) 25-08 9:29:36.223 Session Refresh Token: Optional(AWSMobileClient.SessionToken(tokenString: Optional("eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.Ze8GgiTxbbgWrJGSveWCIclAwFV2aMPqXtPTrUei5GADgyDfDH1Pw85NdKYrXFU0ww_Dcwwe-LMhvPBxY1pnooBDZzq3AeISTlo_IRSIhXpVUnQXJ3mHKqL_xl-hfJb6Ak2BM77n0sovAH3XTLd_uo3gOTVnSUqKUwR72JYwcfxzVXN5UeVCIa5BoTp1ZN3qmmNmbc9URcYWPI6KC8dX2pkvq7hoXyvuxNPpARM0XFcyuGlR40bPgtGPj-nEJFi964XzyabtWyQT5YxNatd8jkfmY8Eoz3-AOjoK1HP8qF_5so0EEH5zq1LGFWEj1WCqrgDtB9aH_FbPuoxFIuAUSw.u63XCEwUHmmWxXo7.0G8wGpqwkJJeW4RKHnymL0cCcKngQ15JCAfOcpA5TklyEgQTtj1I4cbeTtMWEGlk-THsYr4Vg9dhdMgykT7_LsAL_IcD3WU-MYs_sQA25mOJyTUFLUApddOfi4vn3rKZgIB8nXBCJFH9ZoLdjet7YqNIfE09X7NG7b7BsZL1cZTFTxZCV1JwjHY4i7ax9jnVAy9VfHWStixB145C4Nau-GelfKQ9uBOrbwsVfyG6P09aDwCtcQQbS28EWtzuPxM45kKSnyYV7-GdMP7RiSAXtgEPF4DrFRy6xHX2l70Dfr6AQ8SoZEy5IgyAsCnNHmMQYE948xOGOykEFOvuCqGmk8v8ltrtHFV7oZijcdU5Pwnl0u6V-CWL31KGN8tPQPbrBbIouQBnuRIX6g68eqExsYf0r5HN7kLDSWm1wGBIGHlNHqEsLrxDwS2tS-nrX48CrOaLx3MgyF3_XWDMzC6puuNoMfW_ZdOHZTfmWKiOEl9Ds0A2XIuEJvbKXVRJAI21q86Zd2o_Ov4X1rq0saUIpGaSPFGIVSGlTJlgcgw6oIu8b_7G18Yr5nnsxv34wry-j1IeyGt3IEC4VZ-zojw_2SXcHfFPua0M45-TEvFOAp85eot7GvfLcyGA5d1uMh5-lIGjfm7mAMox3DJX5g18keRNveZByBrtgL0Ay7K98AshjR6LirgnrQn706MoBh9aCTc5CaFzXFQtPKk_44GXaPprkwrzxcBL-LXdNrV6Mrhq4CIyN6SevIo8cAYIxGdM_SlV-8bAbxB6ZZBPTuvg28xZoJAYchAqfuu0K0752YfrJF2XMNqiUimE3GuYLejRCyJFMAPBKg2aPucpf-vFigN9sP-R0Wo-hPLN2W66XJpe9Dhzk3cQOPjQ8F_dI_VyrQj5WqQ_oIudxZ_G-OGajDJTkzJrC9QBfEF1_tDaAB2_pfOLTApbluy8pptNU3iTBjF1FofzDP3e64Ji1aezGXUFVBpp_37ihP4DjMmb_92uI4880f0Z1JrvPF4psfLgdap3gbA2TMhp6lP1NYJWegrgASmBaX18enDR0qTHerEM88nbin_eU0Lo-bBqJiZwwpUc_K4y1yJcGfuSKYs5qs7gNIlTN8emD3kbq3k3sMzCstMnYfzyfpLNwBkeTTHfYzjhxntq1IH7lm0-rTz6JjEAOpNF3sp6Z6gjg7j42M8uZZcBA2q3BHUEUWaEftaKSM6NjHm44XnHt6sLJy8p0rFfDUEL-NFOqLM7UhhNZ8hN8jZ9qttZgv3rBWOrB35_VCwxPUZhcvL5bHzDrRXkZSOvAYIlKQfhx6CtE0Wl3Pgc5_lj8OuocLqo1A.ATI-Nw3Z0WjIoLbNeGe9XQ")))
(Instabug Logs - Debug) 25-08 9:29:36.223 Session ID Token: Optional(AWSMobileClient.SessionToken(tokenString: Optional("eyJraWQiOiJXMVwvVzlqZU81bjBWVGNaSG5PbTBYTWtONUppczc2UlBoNEdMd2x2WTBNVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiMzQ5NDcwMi1kOWU5LTQ1NjYtOWRmYi03NTY3NDM4YjVhY2EiLCJjb2duaXRvOmdyb3VwcyI6WyJGYXJtZXIiLCJBZG1pbiIsIlB1YmxpYyIsIkludGVybmFsIl0sImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbVwvdXMtZWFzdC0xX0lxNkE1SE9DWSIsInBob25lX251bWJlcl92ZXJpZmllZCI6dHJ1ZSwiY29nbml0bzp1c2VybmFtZSI6IkMyM0U1OUUxLTQwQkYtNDc2MS1BRTk3LTU5QzMxMEUwQjk4QSIsInByZWZlcnJlZF91c2VybmFtZSI6Im9rdXB5biIsImF1ZCI6IjFvN2NnYTUza2lhM2wxdjltbjdnc2pmMjNhIiwiZXZlbnRfaWQiOiJhODYyNzhkNC04NGFiLTQ2NTAtOGU3ZS01MWZmY2NkOWIzYzciLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTU5NzA2MTA3MCwicGhvbmVfbnVtYmVyIjoiKzM4MDkzNjIwNDc3NyIsImV4cCI6MTU5ODM3NjM1MCwiaWF0IjoxNTk4MzcyNzUwfQ.EK2TKT36P-tzWretuPwA6Kw9LhayBoK_zHdSTt41LeLpiDTgr7Jh-E5Km_NzZz8X8bglC6mDM1VROdJftFD0-VwoDBhyKa3xgjUUKhPUWAiyzWmIt_wbgIBi7yQAPr5N2mPSm0rccGmXOQEilaRxmg97aX5u0l2zUk6aKvV-hzxxd_uWwqaGAUkq_S1u5LdPe5bNzYdAVsE_x45Bx5pSSmOl52Zn1lGaU5YrdtoRqtCIq728vzbeeDIPiXyUpjLxyjbdUANpcBVAAT65pFl-1jKH-vOjjFvGipRpmJ0zVCoftsWYZvg1LrRwU3COvQinoacJVgdZPrK9GSY_66kmvA")))

Are there any updates here or anything else I can provide? Seeing production users getting hit with this, would love at least advice on a workaround.

We were still not able to reproduce the behavior. I am interested in knowing the usage of your two AppSync client and wondering whether that is causing the issue. How does your Appsync client gets the necessary credentials ? Are you using AWSMobileClient for both of them, ie one with authenticated and the other with unauthenticated access (which could be an issue)?
Also, what is your authentication provider? Is it Cognito User Pools, Other Social providers, Hosted UI?

Make sure that you are listening to auth events and check if the user is signout or not - https://docs.amplify.aws/sdk/auth/how-it-works/q/platform/ios#state-tracking

I'm not sure if ours is the same scenario, but our company has seen almost this exact same issue, and root-caused it.

Repro

• Open our app while unauthenticated (guest user)
• Use one of the features that calls AppSync under the guest user (now guest user has an identity ID)
• Sign in

Result: mobileClient.getIdentityId() returns the identity ID for the guest user, not the signed in user. This causes upload failures when trying to use the identity ID to upload to S3

Solution
We found that the guest identity was being returned because AWSIdentityProvider caches identity IDs unless told otherwise. You must call AWSIdentityProvider.clear() to remove the cached identity ID. This can be accomplished through AWSMobileClient by calling AWSMobileClient.clearKeychain() before signing in.

Thank you for the report. I did some testing around identity ID and this is what I observed. There is an issue that I could reproduced as well in one of the test case. We are trying to fix that now:

Case 1:

I start the app as a Guest, SignUp a new user and then SignIn using that user.

1. Guest Identity Id - us-east-1:ded0718e-1aa5-4513-9a13-5e0732798b68
2. Sign up a user
3. SignIn the new user Identity Id - us-east-1:ded0718e-1aa5-4513-9a13-5e0732798b68

Conclusion: Guest user identity id is migrated to a authenticated identity id.

Case 2:

I start the app with signed in user and then signed out and move to Guest

1. Signed In user Identity Id - us-east-1:ded0718e-1aa5-4513-9a13-5e0732798b68
2. Guest Identity Id - us-east-1:ff8a9f50-b3e8-4fa2-bd2a-de49846a1ce3

Conclusion: The identity id of the app changes to a different one when the user sign out.

Case 3:

I start the app as a Guest, I sign in using an existing user.

1. Guest Identity Id - *us-east-1:ff8a9f50-b3e8-4fa2-bd2a-de49846a1ce3 *
2. Signed In user Identity Id - *us-east-1:ded0718e-1aa5-4513-9a13-5e0732798b68 *

Guest Identity Id *us-east-1:ff8a9f50-b3e8-4fa2-bd2a-de49846a1ce3 *is disabled.

Conclusion: When signIn using an existing user, the identity Id is converted to the users identity Id they had. Also the guest identity id was disabled when checked in the Cognito Identity Pool.

Case 4:

I start two devices in Guest, In Device-A I signUp a new user, then I sign in same user to Device-B. Then I sign in to device-A

_Device A_

1. Guest Identity Id - *us-east-1:1f73b4bf-a98e-49af-a3d6-2e9f4da92626 *
2. Guest Identity Id after sign Up - *us-east-1:1f73b4bf-a98e-49af-a3d6-2e9f4da92626 * (remains same, because I did not signIn)

3. Now I go to Device B

4. After signed I in Device B, I then signed in to Device A

5. Signed In user Identity Id - *us-east-1:8fd1d7e8-5d97-4af8-85d3-75804e4aa9d9 *
6. Guest Identity Id us-east-1:1f73b4bf-a98e-49af-a3d6-2e9f4da92626 is disabled

_Device B_

1. Guest Identity Id - *us-east-1:8fd1d7e8-5d97-4af8-85d3-75804e4aa9d9 *
2. Signed In user Identity Id - *us-east-1:8fd1d7e8-5d97-4af8-85d3-75804e4aa9d9 *

Conclusion: When user sign up in a device and then sign in in another device, the guest identity id of the second device is migrated to an authenticated identity id. The first device guest identity Id remains the same. If we then sign in to the first device, the guest identity id is disabled in Cognito Identity Pool and the device’s takes the signed in user identity id.

Case 5 :

I sign in using a user-A then signout then sign in using user-B

1. Guest Identity Id - *us-east-1:5110a3ee-88da-48b4-a86f-fe4d43d284c7 *
2. User 1 sign in - us-east-1:ded0718e-1aa5-4513-9a13-5e0732798b68 (Previous Guest identity id got disabled)
3. Guest Identity Id - us-east-1:e4dbfba5-efc2-43c8-aacb-49d95c42dfeb (New guest id after signout)
4. User 2 sign in - us-east-1:8fd1d7e8-5d97-4af8-85d3-75804e4aa9d9 (Previous Guest identity id got disabled)

*Conclusion: When sign in from guest to an existing user, the identity id of device changes from guest identity id to the already existing identity id of the user. The guest identity Id will get disabled in the Cognito Identity Pool after sign in. Then when you sign out, the app gets a new guest identity id. *

Case 6:

Identity Id after each sign out.

After each signout the app moves to a guest status. The identity Id changes to a new identity id after each sign out.

Case 7: FAILED!!!

Fetch identity Id immediately after sign in.

AWSMobileClient.default().getIdentityId().continueWith { (task) -> Any? in
    print("Guest id = \(task.result)")
    AWSMobileClient.default().signIn(username: "<email>", password: "<password>") { (result, error) in

        AWSMobileClient.default().getIdentityId().continueWith { (task) -> Any? in
            print("signed in id = \(task.result)")
        }

    }
    return nil
}

Output

Guest id = Optional(us-east-1:3c304a1b-4711-40a1-aaa7-479572d75cc7)
signed in id = Optional(us-east-1:3c304a1b-4711-40a1-aaa7-479572d75cc7)

We investigated a couple of approaches to change AWSMobileClient to refresh the id token immediately after signIn. However, each of the approaches presented significant risk, and so we have elected not to change this behavior.
In the meantime, you can manually update the id token by calling getAWSCredentials, which internally fixes the id token for the signed in user.

     AWSMobileClient.default().signIn(username: “”,
                      password: “”) { (result, error) in
       AWSMobileClient.default().getAWSCredentials { (_, _) in
         let identityId = AWSMobileClient.default().identityId
       }
    }

(AWSMobileClient does this internally, but does it asynchronously, which is why there is a potential gap between sign in and seeing the updated identity token.)