Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-auth-cognito unusable - is pulling in an old alpha version of okhttp #2809

Open
1 task done
kroegerama opened this issue May 7, 2024 · 16 comments
Open
1 task done
Labels
auth Related to the Auth category/plugins feature-request Request a new feature

Comments

@kroegerama
Copy link

kroegerama commented May 7, 2024

Before opening, please confirm:

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

implementation("com.amplifyframework:core-kotlin:2.16.1")
implementation("com.amplifyframework:aws-auth-cognito:2.16.1")

Describe the bug

All recent versions of com.amplifyframework:aws-auth-cognito pull in an alpha version of okhttp: com.squareup.okhttp3:okhttp:5.0.0-alpha.11 via transitive dependencies.

This is conflicting with our existing dependencies of okhttp 4.12.0, which is the latest stable release of okhttp.

I don't really get, why anyone considered it a good idea to use an alpha version as a dependency. There are even companies that forbid using alpha dependencies in production.

Seems, like the culprit is the aws dependency aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11, which had this bad dependency literally forever. I went to mvnrepository and even version 0.11.0 of this smithy client uses an alpha version. Going forward, the most recent version 1.2.2 also has an alpha dependency.

There was a ticket regarding this, but it was abandoned and closed without a fix. #2632

Is there a plan, when this will be fixed? I have no idea how to integrate cognito without messing up our production releases.

@github-actions github-actions bot added the pending-triage Issue is pending triage label May 7, 2024
@yuhengshs yuhengshs added auth Related to the Auth category/plugins investigating This issue is being investigated and removed pending-triage Issue is pending triage labels May 7, 2024
@yuhengshs
Copy link
Contributor

Hi @kroegerama ,

Thanks for reporting the issue, our team will take a look and post updates here.

@yuhengshs yuhengshs added question General question feature-request Request a new feature and removed investigating This issue is being investigated question General question labels May 7, 2024
@yuhengshs
Copy link
Contributor

Hi @kroegerama ,

Unfortunately, Amplify Android has dependency with aws-kotlin and aws-smithy. We will try to make another request internally and see if any modifications can be done.

@kroegerama
Copy link
Author

Thanks a lot for your follow-up @yuhengshs. I look forward to hearing if your colleagues decide to fix this.

@mehulrewardle
Copy link

mehulrewardle commented Aug 5, 2024

@yuhengshs Any update for this issue. I am also facing the conflict issue with stripe , You should use okhttp3 stable latest version

@tylerjroach
Copy link
Member

@mehulrewardle Unfortunately, we have a hard dependency on the AWS Kotlin SDK, which is using the v5-alpha. We cannot change the OkHttp version on our end unless the AWS Kotlin SDK makes changes first.

For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?

@JGerdes
Copy link

JGerdes commented Sep 6, 2024

Hi @yuhengshs and @tylerjroach, is there any update on this?
As AWS Amplify v1 is officially deprecated, we need to update to v2, but can't due to the compatibility issues with OkHttp3.
Updating from v1 to v2 basically forces us to use an unstable alpha release in our network layer and risking crashes or unwanted behaviour with other libraries that transitively depend on OkHttp.

Could you try to find a solution for this issue?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 6, 2024
@lauzadis
Copy link

Hello @JGerdes, I am a developer of the AWS SDK for Kotlin. We have no intentions to downgrade our version of OkHttp. Square claims that OkHttp 5.0.0-alpha.X is production stable, so we recommend you upgrade to resolve the issue:

The alpha releases in the 5.0.0 series have production-quality code and an unstable API. We expect to make changes to the APIs introduced in 5.0.0-alpha.X. These releases are safe for production use and ‘alpha’ strictly signals that we’re still experimenting with some new APIs. If you’re eager for the fixes or features below, please upgrade.
https://square.github.io/okhttp/changelogs/changelog/#version-500-alpha7

Note: The AWS SDK for Kotlin does not use any new APIs from 5.0.0-alpha.X, only pre-existing APIs which are considered stable and supported for production use.

If you are not willing to upgrade your OkHttp version to alpha, then you will need to explore alternate solutions such as dependency shading. Here is a GitHub issue where we've discussed this option in the past. It may be useful if you decide to go this route: awslabs/aws-sdk-kotlin#765 (comment)

@5d 5d removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 11, 2024
@jasinmelb
Copy link

We are trying to use the latest Stripe SDK, https://github.com/stripe/stripe-terminal-android/releases which has a dependancy of stable OKHttp lib. We need to use the new version to fix a Stripe bug but are now blocked from upgrading due to the dependancy of the alpha version of the OkHttp lib that aws-auth-cognito is using.

In regard to:

For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?
Yes the stripe sdk crashes.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 12, 2024
@vincetran
Copy link
Member

@jasinmelb Unfortunately there isn't much we can do from our side right now due to our dependency on AWS Kotlin SDK. Have you tried to look at alternate solutions like what was mentioned above: awslabs/aws-sdk-kotlin#765 (comment)

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@lauzadis
Copy link

I'm happy to share that we've implemented a workaround to this problem. The latest release of smithy-kotlin (v1.3.9) contains an OkHttp4Engine which depends on OkHttp 4.x instead of 5.0.0-alpha.X.

Take a look at the module's README, give it a try, and let us know if you have any problems!

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@vincetran
Copy link
Member

That's awesome! Thanks for the update @lauzadis! For those affected, please try that solution and let us know how it goes for you.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@vincetran vincetran added the pending-community-response Issue is pending response from the issue requestor label Sep 13, 2024
@vincetran
Copy link
Member

Hm actually looking a little further into the solution, it looks like there's additional work for Amplify to support this. Let me discuss this with the team.

@vincetran vincetran removed the pending-community-response Issue is pending response from the issue requestor label Sep 13, 2024
@JGerdes
Copy link

JGerdes commented Sep 24, 2024

@vincetran Can you share the outcome of the discussion with the team or whether there already is a rough timeline when to expect a release adding support for the OkHttp4Engine option?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 24, 2024
@vincetran
Copy link
Member

Hi all, sorry for the late reply. While we do agree that this is something we want to support, we're running a bit stretched right now. We cannot commit to any specific timeline for adding this but we will absolutely keep this issue up-to-date when we have a better idea.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 30, 2024
@JGerdes
Copy link

JGerdes commented Oct 18, 2024

@vincetran any update on this?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Oct 18, 2024
@mattcreaser
Copy link
Member

Hi @JGerdes, we don't have any update right now. This is a high-priority improvement so we intend to work on it as soon as there is capacity available.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auth Related to the Auth category/plugins feature-request Request a new feature
Projects
None yet
Development

No branches or pull requests

10 participants