amplify-android

Custom HTTP headers in Amplify Auth (signInWithSocialWebUI)

Open nadetastic opened this issue 1 year ago • 1 comment

Before opening, please confirm:

Language and Async Model

Not applicable

Amplify Categories

Authentication

Gradle script dependencies

// Put output below this line


Environment information

# Put output below this line


Please include any relevant guides or documentation you're referencing

No response

Describe the feature request

Amplify Auth social sign-in operations, e.g. signInWithSocialWebUI, should support passing custom HTTP headers or parameters. In this use case the custom HTTP headers are needed because the OAuth/HostedUI provider endpoints are proxied via the third-party service Akamai, which implements bot protection that works by requiring a custom header "x-acf-sensor-data" to be included with the request. The initial request (/authorize) appears to work fine; however, requests to /token seem to be blocked since the custom header is not present.

Initialization steps (if applicable)

No response

Code Snippet

// Put your code below this line.

amplifyconfiguration.json

No response

GraphQL Schema

// Put your schema below this line


Additional information and screenshots

No response

nadetastic Feb 14 '24 16:02

We will have to further investigate the approach. I'm not sure this custom header will be allowed by the Custom Tab as it is not on the approved list of headers.

See here: https://developer.chrome.com/docs/android/custom-tabs/howto-custom-tab-request-headers

The proxy url would have to be owned by the customer and configured with a digital asset link: https://developer.chrome.com/docs/android/custom-tabs/howto-custom-tab-request-headers#set_up_digital_asset_links

There are 2 additional endpoints to consider.

  1. {domain}/oauth2/token to exchange the token for AWSCredentials. If we were able to build out the options for signInWithWebUI to allow custom headers, it would be feasible to add the headers to this request as well.
  2. When refreshing tokens, Amplify will directly hit Cognito endpoints using the Kotlin SDK. There is no mechanism to inject custom headers into these requests, nor change the endpoint.

I'm not sure how the first /authorize call would work, unless the customer is able to get the cookie by completing a captcha through the CustomTab. However, whatever cookies are granted while inside of the custom tab will not be available to the client application to make the subsequent token call.

A potential solution would require the cookie header to be present at the initial signInWithWebUI method call.

tylerjroach Feb 14 '24 16:02
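To make the Custom Tabs constraint discussed in the comment above concrete, here is an added example of the mechanism the linked Chrome documentation describes. It is not code from amplify-android or from either participant in this thread, and it does not go through Amplify's signInWithSocialWebUI at all; it shows what an app has to do on its own to get a non-safelisted header such as "x-acf-sensor-data" attached to a Custom Tab navigation. The origin (auth-proxy.example.com), the package name, and the header value are assumptions. For the header to be forwarded, the customer-owned origin must serve a Digital Asset Links file at /.well-known/assetlinks.json that grants the app the relation "delegate_permission/common.use_as_origin" for its package name and signing-certificate SHA-256 fingerprint; the app then asks the browser to validate that relationship before launching the tab.

```kotlin
// Added example (not amplify-android code). Demonstrates the Custom Tabs
// "verified origin" flow from the Chrome docs linked above: a header outside
// the CORS safelist is only forwarded if the app has proven, via a Digital
// Asset Link with relation "delegate_permission/common.use_as_origin", that it
// owns the target origin. Origin, package name and header value are assumptions.
import android.content.ComponentName
import android.content.Context
import android.net.Uri
import android.os.Bundle
import android.provider.Browser
import androidx.browser.customtabs.CustomTabsCallback
import androidx.browser.customtabs.CustomTabsClient
import androidx.browser.customtabs.CustomTabsIntent
import androidx.browser.customtabs.CustomTabsService
import androidx.browser.customtabs.CustomTabsServiceConnection
import androidx.browser.customtabs.CustomTabsSession

class VerifiedOriginLauncher(private val context: Context) {

    // Assumed: a customer-owned proxy in front of the Cognito Hosted UI domain.
    // The assetlinks.json served by this origin must list this app's package
    // name and signing-cert fingerprint under "delegate_permission/common.use_as_origin".
    private val origin: Uri = Uri.parse("https://auth-proxy.example.com")

    // Assumed authorize URL; real OAuth query parameters (client_id, redirect_uri,
    // response_type, scope, state, code_challenge) are omitted for brevity.
    private val authorizeUrl: Uri = Uri.parse("https://auth-proxy.example.com/oauth2/authorize")

    /** Launch the Custom Tab, attaching the bot-protection header only after the
     *  browser has confirmed the app is allowed to act for [origin]. */
    fun launchAuthorize(sensorData: String) {
        val connection = object : CustomTabsServiceConnection() {
            override fun onCustomTabsServiceConnected(name: ComponentName, client: CustomTabsClient) {
                client.warmup(0L)
                lateinit var session: CustomTabsSession

                val callback = object : CustomTabsCallback() {
                    override fun onRelationshipValidationResult(
                        relation: Int, requestedOrigin: Uri, result: Boolean, extras: Bundle?
                    ) {
                        // Ignore results for other relations/origins.
                        if (relation != CustomTabsService.RELATION_USE_AS_ORIGIN || requestedOrigin != origin) return
                        if (!result) {
                            // Digital Asset Link check failed: the browser would strip the
                            // header, so do not launch with it. Surface this to the caller.
                            onVerificationFailed(requestedOrigin)
                            return
                        }
                        // Extra headers travel in a Bundle under Browser.EXTRA_HEADERS and
                        // apply to the navigation to authorizeUrl made by the Custom Tab.
                        val headers = Bundle().apply { putString("x-acf-sensor-data", sensorData) }
                        val customTabsIntent = CustomTabsIntent.Builder(session).build()
                        customTabsIntent.intent.putExtra(Browser.EXTRA_HEADERS, headers)
                        customTabsIntent.launchUrl(context, authorizeUrl)
                    }
                }

                session = client.newSession(callback) ?: return
                // Ask the browser to verify the asset link; the answer arrives in
                // onRelationshipValidationResult above.
                session.validateRelationship(CustomTabsService.RELATION_USE_AS_ORIGIN, origin, null)
            }

            override fun onServiceDisconnected(name: ComponentName) { /* nothing to clean up here */ }
        }

        // Assumed browser package; production code should pick a Custom Tabs-capable
        // browser dynamically rather than hard-coding Chrome.
        CustomTabsClient.bindCustomTabsService(context, "com.android.chrome", connection)
    }

    private fun onVerificationFailed(requestedOrigin: Uri) {
        // Placeholder hook for the app's own error handling.
    }
}
```

Two caveats follow directly from the comment above. First, this only covers the browser-driven /authorize navigation; the {domain}/oauth2/token exchange and the later token refreshes are made by Amplify's own HTTP client and the Kotlin SDK, so nothing in this flow adds "x-acf-sensor-data" to those requests. Second, any cookie the Akamai challenge sets inside the Custom Tab stays in the browser's cookie jar and is not visible to the app for the token call, which is why the comment suggests the cookie header would already have to be available when signInWithWebUI is invoked.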