
Amplify can't recognize that the user already signed in (using Cognito@Edge). #39

Open
George-Saad opened this issue Jun 30, 2022 · 4 comments

Comments

@George-Saad

George-Saad commented Jun 30, 2022

Amplify.configure({
    Auth: {
        // REQUIRED - Amazon Cognito Region
        region: 'xxx',
        userPoolId: 'xxx',
        userPoolWebClientId: 'xxx',
        localStorage: {
            domain: 'xxx.cloudfront.net',
        },
        oauth: {
            domain: 'xxx.auth.eu-west-1.amazoncognito.com/',
            scope: ['openid', 'email'],
            redirectSignIn: 'https://xxx.cloudfront.net/',
            redirectSignOut: 'https://xxx.cloudfront.net/',
            responseType: 'code'
        }
    },
    API: {
        "Access-Control-Allow-Origin": "*",
        "Content-Type": "text/html; charset=UTF-8",
        "X-Content-Type-Options": "nosniff"
    }
});

Using this configuration, Amplify can't recognize that the user has already signed in (using Cognito@Edge).
Running Auth.currentAuthenticatedUser() gives a "user not authenticated" error; however, if I run this after Auth.SignIn(), I get a valid response.

@jeandek
Contributor

jeandek commented Jul 1, 2022

Hi,

This may be an issue with your cookie configuration. When you load your app and before you run Auth.SignIn(), do you have any Cognito-related cookies set in your browser for your application domain?

@ss7pro

ss7pro commented Jul 4, 2022

I have the same problem: Cognito cookies are not sent to the *.cloudfront.net domain.

@jeandek
Contributor

jeandek commented Jul 4, 2022

Here's what you should expect to see in your browser's Network tab when you try to access the CloudFront distribution that is being secured by Cognito@Edge (assuming you're not using a federated auth provider).

  1. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 302
  2. GET <COGNITO_USERPOOL_DOMAIN>/authorize -> 302
  3. GET <COGNITO_USERPOOL_DOMAIN>/login -> 200
  4. Requests to another CloudFront distribution for style-sheets and scripts.
  5. POST <COGNITO_USERPOOL_DOMAIN>/login?redirect_uri=<CLOUDFRONT_DISTRIBUTION_DOMAIN> -> 302
  6. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/?code=<UUID>&state=/ -> 302
  7. GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/ -> 200

The response of 6 should contain the authentication cookies (see source code).
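The check a practitioner wants at this point is whether the cookies set in the step-6 response will actually be attached by the browser to the step-7 request (the symptom ss7pro reports is exactly that they are not). The following is an added diagnostic, not code from cognito-at-edge or Amplify: it applies the RFC 6265 domain-match, path-match and Secure rules, plus the browser's public-suffix rejection, to a set of Set-Cookie headers. Every host name, cookie name, cookie value and the miniature public-suffix table are constructed for the example; the real Public Suffix List does contain cloudfront.net, which is why a cookie scoped to Domain=cloudfront.net is never stored.

```javascript
// Added diagnostic, not code from cognito-at-edge or Amplify: given the Set-Cookie
// headers returned by step 6 (the ?code=... redirect), work out which cookies the
// browser will attach to step 7 (GET <CLOUDFRONT_DISTRIBUTION_DOMAIN>/) under the
// RFC 6265 domain-match, path-match and Secure rules. All inputs are constructed.

// Stand-in for the Public Suffix List: browsers refuse a Domain= attribute that is
// a public suffix, and cloudfront.net is on that list. Only these entries are used.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'cloudfront.net']);

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
                   domain: null, path: '/', secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.toLowerCase();
    const val = rest.join('=');
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val.startsWith('/') ? val : '/';
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host equals the cookie domain, or ends with "." + domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4: equal, or a prefix ending in "/" or at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// For each Set-Cookie header emitted by setByHost, decide whether the browser
// would store it and then send it on requestUrl. Returns { sent, dropped }.
function cookiesForRequest(setCookieHeaders, setByHost, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const sent = [];
  const dropped = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    let reason = null;
    if (c.domain && PUBLIC_SUFFIXES.has(c.domain)) {
      reason = `Domain=${c.domain} is a public suffix; browser rejects the cookie`;
    } else if (c.domain && !domainMatches(setByHost, c.domain)) {
      reason = `Domain=${c.domain} does not cover ${setByHost}; browser rejects the cookie`;
    } else if (c.domain ? !domainMatches(host, c.domain) : host !== setByHost.toLowerCase()) {
      reason = `${host} does not domain-match (host-only cookie from ${setByHost})`;
    } else if (!pathMatches(url.pathname, c.path)) {
      reason = `${url.pathname} does not path-match Path=${c.path}`;
    } else if (c.secure && url.protocol !== 'https:') {
      reason = 'Secure cookie, non-https request';
    }
    if (reason) dropped.push({ name: c.name, reason });
    else sent.push(c.name);
  }
  return { sent, dropped };
}

// Constructed step-6 response headers. Client id "abc123", user "alice" and the
// token values are placeholders; the key layout is the one a cookie-backed
// Amplify storage looks up.
const SAMPLE_SET_COOKIE = [
  'CognitoIdentityServiceProvider.abc123.LastAuthUser=alice; Path=/; Secure',
  'CognitoIdentityServiceProvider.abc123.alice.idToken=eyJhbGciOi.eyJzdWIiOi.sig; Path=/; Secure',
  'CognitoIdentityServiceProvider.abc123.alice.refreshToken=eyJjdHkiOi.eyJzdWIiOi.sig; Domain=cloudfront.net; Path=/; Secure',
  'csrf=abc; Path=/admin; Secure',
];

console.log(cookiesForRequest(SAMPLE_SET_COOKIE, 'd111111abcdef8.cloudfront.net',
                              'https://d111111abcdef8.cloudfront.net/'));
```

With the constructed headers, the two cookies without a Domain attribute are host-only and are sent back to the distribution host; the one scoped to Domain=cloudfront.net is rejected as a public suffix and the /admin-scoped one fails the path match. Run the same check against the real headers from your step-6 response, using the distribution host as setByHost, before touching the Amplify side.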

@BredoGen

Leaving the answer for anyone who faces this problem in future:

To make Amplify able to authenticate the user after cognito-at-edge, it should be configured to use cookie storage (it doesn't by default, whereas cognito-at-edge saves tokens there).

Something like this:

Amplify.configure({
    Auth: {
        region: awsExports.REGION,
        userPoolId: awsExports.USER_POOL_ID,
        userPoolWebClientId: awsExports.USER_POOL_APP_CLIENT_ID,
        mandatorySignIn: true,
        cookieStorage: {
          domain: 'subdomain.example.com',
          secure: true,
          path: '/',
          expires: 365,
        },
        oauth: {
            domain: '...',
            scope: ['email', 'openid'],
            redirectSignIn: '...',
            redirectSignOut: '...',
            responseType: 'code',
        },
    }
});

The issue author has the wrong Amplify configuration (local storage); it will fail to find the cognito-at-edge tokens.
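The reason the localStorage configuration fails and the cookieStorage one works comes down to which storage backend the LastAuthUser lookup is run against. The block below is an added example, not Amplify's or cognito-at-edge's own code: it reproduces that lookup offline over a cookie-backed and a localStorage-backed adapter. It assumes the key layout CognitoIdentityServiceProvider.<clientId>.LastAuthUser and CognitoIdentityServiceProvider.<clientId>.<username>.idToken, which is what a cookie-backed Amplify storage reads (the comment above confirms the two interoperate); the client id, user name, token contents and clock value are constructed, and the tokens are unsigned so that the example runs without a user pool.

```javascript
// Added example, not Amplify's or cognito-at-edge's code: why the session is found
// with cookieStorage but not with the default localStorage when cognito-at-edge
// wrote the tokens. Assumed key layout (what a cookie-backed Amplify storage reads):
//   CognitoIdentityServiceProvider.<clientId>.LastAuthUser
//   CognitoIdentityServiceProvider.<clientId>.<username>.idToken
// Client id, user name, token contents and "now" are constructed.

const CLIENT_ID = '1h57kf5cpq17m0eml12EXAMPLE'; // placeholder app client id
const NOW = 1656600000; // constructed clock, seconds since epoch

const b64url = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Unsigned JWT so the example runs offline. A real id token is signed by the user
// pool; nothing here verifies a signature, so this is a diagnostic, not a gate.
function fakeJwt(payload) {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}.`;
}

function decodeJwtPayload(token) {
  const part = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(part, 'base64').toString('utf8'));
}

// Storage-like adapter over a document.cookie string (what cookieStorage reads).
function cookieStorageFrom(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    jar.set(part.slice(0, eq).trim(), decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return { getItem: (k) => (jar.has(k) ? jar.get(k) : null) };
}

// Storage-like adapter over window.localStorage contents (the Amplify default).
function localStorageFrom(entries) {
  const m = new Map(Object.entries(entries));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null) };
}

// Lookup order: LastAuthUser, then that user's idToken, then audience and expiry.
// Any miss is the "user not authenticated" outcome seen in the issue.
function currentUserFrom(storage, clientId, nowSeconds) {
  const prefix = `CognitoIdentityServiceProvider.${clientId}`;
  const user = storage.getItem(`${prefix}.LastAuthUser`);
  if (!user) return { ok: false, reason: 'no LastAuthUser key in this storage' };
  const idToken = storage.getItem(`${prefix}.${user}.idToken`);
  if (!idToken) return { ok: false, reason: `no idToken for ${user}` };
  const claims = decodeJwtPayload(idToken);
  if (claims.aud !== clientId) return { ok: false, reason: 'idToken aud is not this app client' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'idToken expired' };
  }
  return { ok: true, username: user, claims };
}

// Constructed document.cookie as cognito-at-edge would have left it after step 6.
const ID_TOKEN = fakeJwt({ sub: 'a1b2c3', aud: CLIENT_ID, 'cognito:username': 'alice',
                           iat: NOW - 60, exp: NOW + 3600 });
const EDGE_COOKIES = [
  `CognitoIdentityServiceProvider.${CLIENT_ID}.LastAuthUser=alice`,
  `CognitoIdentityServiceProvider.${CLIENT_ID}.alice.idToken=${ID_TOKEN}`,
].join('; ');

// Same layout, but the token's exp is already in the past.
const EXPIRED_COOKIES = [
  `CognitoIdentityServiceProvider.${CLIENT_ID}.LastAuthUser=alice`,
  `CognitoIdentityServiceProvider.${CLIENT_ID}.alice.idToken=${fakeJwt({ aud: CLIENT_ID, exp: NOW - 1 })}`,
].join('; ');

console.log(currentUserFrom(cookieStorageFrom(EDGE_COOKIES), CLIENT_ID, NOW));    // ok: true, alice
console.log(currentUserFrom(localStorageFrom({}), CLIENT_ID, NOW));               // no LastAuthUser key
console.log(currentUserFrom(cookieStorageFrom(EXPIRED_COOKIES), CLIENT_ID, NOW)); // idToken expired
```

Two caveats follow from the adapters. The cookieStorage.domain value must be the host (or a parent domain) under which cognito-at-edge set its cookies; if it differs, Amplify still reads the existing cookies via document.cookie but writes refreshed tokens under a different cookie scope. And if the cookies were set HttpOnly, document.cookie never exposes them, so no JavaScript storage adapter can find the session regardless of configuration.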


4 participants