Android Amplify Signout issue #2218

Closed
ten-skv opened this issue Jan 5, 2023 · 25 comments

ten-skv commented Jan 5, 2023

Before opening, please confirm:

Language and Async Model

Kotlin

Amplify Categories

Authentication

Gradle script dependencies

// Put output below this line
implementation "com.amplifyframework:core:1.37.9"
implementation 'com.amplifyframework:aws-auth-cognito:1.37.9'

Environment information

# Put output below this line
------------------------------------------------------------
Gradle 6.1.1
------------------------------------------------------------

Build time:   2020-01-24 22:30:24 UTC
Revision:     a8c3750babb99d1894378073499d6716a1a1fa5d

Kotlin:       1.3.61
Groovy:       2.5.8
Ant:          Apache Ant(TM) version 1.10.7 compiled on September 1 2019
JVM:          13 (Oracle Corporation 13+33)
OS:           Mac OS X 10.16 x86_64


Please include any relevant guides or documentation you're referencing

No response

Describe the bug

We are using both "Amplify.Auth.signInWithSocialWebUI" (some users using sso) and "Amplify.Auth.signIn" (some users using our user/password).

Issue: Even though the user initially logged in using "Amplify.Auth.signIn", when signing out, the user is taken to the browser and it throws an error.
AuthException{message=Failed to sign out, cause=com.amazonaws.mobileconnectors.cognitoauth.exceptions.AuthServiceException: Timed out while waiting for sign-out redirect response., recoverySuggestion=See attached exception for more details}
at com.amplifyframework.auth.cognito.AWSCognitoAuthPlugin$22.onError(AWSCognitoAuthPlugin.java:1198)
.....

In this scenario, when the user tries to re-login ("Amplify.Auth.signIn") with user_name/password, it accepts any password and the user was able to successfully log in.

Reproduction steps (if applicable)

To Reproduce

  1. Login with user name/password using Amplify.Auth.signIn.
  2. You will be successfully signed in and get session token.
  3. Logout from that user using Amplify.Auth.signOut(), it throws timeout exceptions.
  4. Try to relogin with user name/password using Amplify.Auth.signIn.
  5. It accepts any password.

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line


amplifyconfiguration.json

Amplify configuration:

{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "aws-amplify-cli/0.1.0",
        "Version": "0.1.0",
        "IdentityManager": {
          "Default": {}
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": "us-east-2_xxxxxxxxxx",
            "AppClientId": "xxxxxxp90rhg4hxxxxxxxxx",
            "Region": "us-east-2"
          }
        },
        "Auth": {
          "Default": {
            "OAuth": {
              "WebDomain": "xxxxxxx.auth.us-east-1.amazoncognito.com",
              "AppClientId": "xxxxxxxxxrhg4h9xxxxxxxx",
              "SignInRedirectURI": "xxxxx://signin",
              "SignOutRedirectURI": "xxxxx://signout",
              "responseType": "code",
              "Scopes": [
                "phone",
                "email",
                "openid",
                "profile",
                "aws.cognito.signin.user.admin"
              ]
            },
            "authenticationFlowType": "USER_SRP_AUTH"
          }
        }
      }
    }
  }
}

GraphQL Schema

// Put your schema below this line

Additional information and screenshots

No response

@sdhuka sdhuka added the auth Related to the Auth category/plugins label Jan 5, 2023
@ten-skv
Author

ten-skv commented Jan 5, 2023

FYI: I have already gone through this thread: #1990
We will not be able to upgrade to v2 at this moment.

@tylerjroach
Member

tylerjroach commented Jan 5, 2023

@ten-skv Unfortunately, v1 does not handle mixed sign in (webui + srp) as well as v2 does. The v1 implementation will trigger the CustomTab launch if there is an "Oauth" block in your configuration file, indicating that web sign in is configured.

The expectation is that if a user did not sign in via web, the redirect should be triggered immediately back to the application and the rest of the sign in proceeds.

Are you able to easily reproduce this, and are you observing on all browsers?

FYI, v1 also has some differences in behavior on calling signIn while already signedIn. In this case, the signOut is failing and throwing the error. This means that the current user remained logged in. The reason it appears that it is accepting any password is because it is returning the current signed in user, it's not actually accepting any typed password.

One last confirmation. I assume the signout redirect uri is valid and known to be configured correctly because you have some user using social web sign in? If the signout uri was not configured in Cognito, it could be the result of failed redirects, but it seems unlikely if you already have a fully functioning social web implementation.

@ten-skv
Author

ten-skv commented Jan 5, 2023

We are using both "Amplify.Auth.signInWithSocialWebUI" (some users using sso) and "Amplify.Auth.signIn" (some users using our user/password).

This is easily reproducible. Please use the v1.37.9 and use the same configuration as mine.

In this scenario, I'm signing in using "Amplify.Auth.signIn" (username and password). And when I call "Amplify.Auth.signOut" it takes me to an external browser and redirects back to the app. I assume it is the Chrome browser. At this time it throws the timeout exception. Sometimes it successfully signs out and is able to relogin (it validates the username/password).

Amplify.Auth.signOut(
    {
        Timber.i { "Profile - F: Successfully Signedout from Cognito!" }
    },
    {
        Timber.e(it)
        showOfflineMessage("Signout unsuccessful!")
        // It goes here
    })

@ten-skv
Author

ten-skv commented Jan 9, 2023

iOS Amplify library works fine and so does the earlier version of Android Amplify 1.4.1 (It has empty session issue, that's why I have moved to 1.37.9). I see this logout issue on 1.37.9. (Haven't checked other versions).

Question 1: Is there any latest version I can use to fix this issue?
Question 2: If not, is there any work around? Already lot of users are using it and logout is currently broken. Help is really appreciated.

@eeatonaws eeatonaws added the bug Something isn't working label Jan 17, 2023
@nazarcybulskij

@ten-skv When I updated the AndroidManifest.xml by adding additional intent-filters, the logout started working fine

    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="myapp"/>
        <data android:host="callback"/>
    </intent-filter>

    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="myapp"/>
        <data android:host="signout"/>
    </intent-filter>

@ten-skv
Author

ten-skv commented Jan 23, 2023

@nazarcybulskij Is it on 1.37.9 version? I tried and it's not working for me. Here is my manifest snippet.

	<activity
        android:name="com.amplifyframework.auth.cognito.activities.HostedUIRedirectActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="myapp" />
            <data android:host="callback"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="myapp" />
            <data android:host="signout"/>
        </intent-filter>
    </activity>

@nazarcybulskij

@ten-skv add intent-filters in MainActivity, not HostedUIRedirectActivity

@ten-skv
Author

ten-skv commented Jan 23, 2023

@nazarcybulskij I just tried with the added intent and still I'm able to login with the same user with invalid password (The session is still active).

@tylerjroach
Member

The correct implementation is to add the intent filters to the HostedUIRedirectActivity.

However, please make sure your schemes and hosts are correct in the manifest and exactly match what you have configured. Instead of "myapp", please make sure your host matches whatever you have masked as "xxxxx" in your configuration.

"SignInRedirectURI": "xxxxx://signin",
"SignOutRedirectURI": "xxxxx://signout",

Unless you are trying to add custom behavior to the sign in and sign out flows, you don't necessarily have to provide both a sign in and sign out intent, instead using one that captures both (removing the "hosts"). See here: https://docs.amplify.aws/lib-v1/auth/social/q/platform/android/#update-androidmanifestxml

  <activity
      android:name="com.amplifyframework.auth.cognito.activities.HostedUIRedirectActivity"
      android:exported="true">
      <intent-filter>
          <action android:name="android.intent.action.VIEW" />
          <category android:name="android.intent.category.DEFAULT" />
          <category android:name="android.intent.category.BROWSABLE" />
          <data android:scheme="myapp" />
      </intent-filter>
  </activity>
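
A build-time check for the point made in the comment above, that the manifest's scheme and host must exactly match the configured redirect URIs. This is an added example, not code from the thread or from Amplify; the `myapp` values and both sample manifests are constructed, and the check covers only scheme and host (no port or path).

```python
import json
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
REDIRECT_ACTIVITY = "com.amplifyframework.auth.cognito.activities.HostedUIRedirectActivity"
REQUIRED = {"android.intent.category.DEFAULT", "android.intent.category.BROWSABLE"}


def redirect_filters(manifest_xml):
    """Return (schemes, hosts) for each browsable VIEW filter on the redirect activity."""
    filters = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        if activity.get(ANDROID + "name") != REDIRECT_ACTIVITY:
            continue
        for f in activity.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in f.findall("action")}
            categories = {c.get(ANDROID + "name") for c in f.findall("category")}
            if "android.intent.action.VIEW" in actions and REQUIRED <= categories:
                filters.append(({d.get(ANDROID + "scheme") for d in f.findall("data")} - {None},
                                {d.get(ANDROID + "host") for d in f.findall("data")} - {None}))
    return filters


def unmatched_redirects(config_json, manifest_xml):
    """List configured OAuth redirect URIs that no manifest filter would receive."""
    plugin = json.loads(config_json)["auth"]["plugins"]["awsCognitoAuthPlugin"]
    oauth = plugin["Auth"]["Default"]["OAuth"]
    filters = redirect_filters(manifest_xml)
    missing = []
    for key in ("SignInRedirectURI", "SignOutRedirectURI"):
        # Split by hand: Android matches scheme and host case-sensitively.
        scheme, _, rest = oauth[key].partition("://")
        host = rest.split("/", 1)[0]
        # <data> tags in one filter are merged; a filter without a host takes any host.
        if not any(scheme in s and (not h or host in h) for s, h in filters):
            missing.append((key, oauth[key]))
    return missing


# Constructed samples; "myapp" is the placeholder scheme used in the thread's snippets.
CONFIG = json.dumps({"auth": {"plugins": {"awsCognitoAuthPlugin": {"Auth": {"Default": {
    "OAuth": {"SignInRedirectURI": "myapp://signin", "SignOutRedirectURI": "myapp://signout"}}}}}}})
FILTER = ('<intent-filter><action android:name="android.intent.action.VIEW"/>'
          '<category android:name="android.intent.category.DEFAULT"/>'
          '<category android:name="android.intent.category.BROWSABLE"/>%s</intent-filter>')
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>'
            '<activity android:name="' + REDIRECT_ACTIVITY + '" android:exported="true">%s'
            '</activity></application></manifest>')
SCHEME_ONLY = MANIFEST % (FILTER % '<data android:scheme="myapp"/>')
PER_HOST = MANIFEST % "".join(
    FILTER % ('<data android:scheme="myapp"/><data android:host="%s"/>' % h)
    for h in ("callback", "signout"))

if __name__ == "__main__":
    print(unmatched_redirects(CONFIG, SCHEME_ONLY), unmatched_redirects(CONFIG, PER_HOST))
```

With the scheme-only filter both redirects are received; with per-host filters for `callback` and `signout`, the configured `myapp://signin` redirect has no receiver.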

@ten-skv
Author

ten-skv commented Jan 23, 2023

@tylerjroach I'm using the exact scheme which I have configured (I never changed it from previous implementation). Signout not working after I upgrade to v1.37.9. Previously I was using v1.4.1 which was working fine (I have used a different activity configured in Androidmanifest.xml - "com.amazonaws.mobileconnectors.cognitoauth.activities.CustomTabsRedirectActivity")

It is pretty easy to reproduce and it's happening every time. Again I'm using mix of both logins "Amplify.Auth.signInWithSocialWebUI" and "Amplify.Auth.signIn".

@tylerjroach
Member

@ten-skv Have you removed CustomTabsRedirectActivity from your manifest? If you can, please post any relevant snippets from your current manifest to help us diagnose where the problem may be.

@ten-skv
Author

ten-skv commented Jan 23, 2023

@tylerjroach Yes I have removed the CustomTabsRedirectActivity. Here is my current manifest.
`
    <activity
        android:name="com.amplifyframework.auth.cognito.activities.HostedUIRedirectActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="xxxx" />
        </intent-filter>
    </activity>

    <receiver
        android:name="com.tenna.android.tfa.tfaapp.receiver.InternetStateReceiver"
        android:label="NetworkStateReceiver"
        android:exported="false">
        <intent-filter>
            <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
            <action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
        </intent-filter>
    </receiver>
    <service android:name=".service.fcm.TennaFcmService"
        android:exported="true">
        <intent-filter>
            <action android:name="com.google.firebase.MESSAGING_EVENT" />
        </intent-filter>
    </service>
    <service android:name="org.altbeacon.beacon.service.BeaconService" tools:node="replace">
        <meta-data android:name="longScanForcingEnabled" android:value="true"/>
    </service>

    <service
        android:name="com.helpscout.beacon.internal.push.BeaconFirebaseMessagingService"
        android:stopWithTask="false"
        android:exported="false">
        <intent-filter>
            <action android:name="com.google.firebase.MESSAGING_EVENT" />
        </intent-filter>
    </service>

    <activity
        android:name="androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity"
        android:exported="false" />
    <activity
        android:name="androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity"
        android:exported="false" />
    <activity
        android:name="androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity"
        android:exported="false" />

</application>`

@tylerjroach
Member

Do you still have override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) in your activity that calls signOut? If so, could you paste that block here?

@tylerjroach
Member

One additional question @ten-skv, if you sign in with signInWithSocialWebUI do you see the same issue on signOut, or is it only if you start from an SRP flow?

@ten-skv
Author

ten-skv commented Jan 23, 2023

For "signInWithSocialWebUI" flow "signout" works fine.

I have this code on ActivityResults. It executes only for "signInWithSocialWebUI" (signin).

override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
    super.onActivityResult(requestCode, resultCode, data)

    if (requestCode == AWSCognitoAuthPlugin.WEB_UI_SIGN_IN_ACTIVITY_CODE) {
        Amplify.Auth.handleWebUISignInResponse(data)
    }
}

@tylerjroach
Member

@ten-skv Can you try removing that line? HostedUIRedirectActivity handles the web sign in/out on its own, and does not require that block. It's possible that this is interfering.

If this still doesn't resolve the issue, I'd love to chat more on https://discord.gg/amplify and possibly set up a call.

@ten-skv
Author

ten-skv commented Jan 24, 2023

@tylerjroach HostedUIRedirectActivity handles code is executed only when social signin flow happens. But I removed it and tried and still same issue.

@tylerjroach
Member

Hi @ten-skv, unfortunately on v1, the Auth library does not track whether a sign in is from SRP or a social web sign in. This is the reason that the custom tab opens on signout, regardless of the sign in method used. It is still critical that this HostedUIRedirectActivity receives the redirect on the signout of an SRP sign in. I would love to work with you 1-1 to further investigate this issue if you are willing. Please reach out on Discord and we can set up a call.

@ten-skv
Author

ten-skv commented Jan 24, 2023

@tylerjroach Thank you for helping me out. Sure will reach out in Discord.

@gpanshu gpanshu added the closing soon This issue will be closed in 7 days unless further comments are made. label Jan 27, 2023
@tylerjroach tylerjroach removed the closing soon This issue will be closed in 7 days unless further comments are made. label Jan 30, 2023
@tylerjroach
Member

I have a PR fix for a different sign out issue (Hosted UI Custom Tab getting stuck on signout, especially Firefox). Would be curious if this has any impact to the issue you are running into. aws-amplify/aws-sdk-android#3184

@sdhuka sdhuka added the pending-community-response Issue is pending response from the issue requestor label Feb 2, 2023
@tylerjroach
Member

Hi @ten-skv Checking to see if you have been able to diagnose this issue any further after our sync.

@gpanshu gpanshu added the closing soon This issue will be closed in 7 days unless further comments are made. label Mar 13, 2023
@tylerjroach
Member

I'm going to go ahead and close this issue, but please reach out if you continue to see the sign out issue described.

@github-actions
Contributor

github-actions bot commented Apr 6, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aligkts

aligkts commented Jul 26, 2023

Hey @tylerjroach, I'm also having same issue and stuck on it. Can you type your discord info please? I need to contact with you.

@tylerjroach
Member

Hi @aligkts,

Can you please open a new issue with your implementation details and exactly what issues you are seeing.
Please also include the version of Amplify being used.

You can also reach out on our Discord server through https://discord.gg/amplify
