
aws-auth-cognito unusable - is pulling in an old alpha version of okhttp

Open kroegerama opened this issue 1 year ago • 16 comments

Before opening, please confirm:

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

implementation("com.amplifyframework:core-kotlin:2.16.1")
implementation("com.amplifyframework:aws-auth-cognito:2.16.1")

Describe the bug

All recent versions of com.amplifyframework:aws-auth-cognito pull in an alpha version of okhttp: com.squareup.okhttp3:okhttp:5.0.0-alpha.11 via transitive dependencies.

This is conflicting with our existing dependencies of okhttp 4.12.0, which is the latest stable release of okhttp.

I don't really get why anyone considered it a good idea to use an alpha version as a dependency. There are even companies that forbid using alpha dependencies in production.

Seems like the culprit is the aws dependency aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11, which has had this bad dependency literally forever. I went to mvnrepository and even version 0.11.0 of this smithy client uses an alpha version. Going forward, the most recent version 1.2.2 also has an alpha dependency.

There was a ticket regarding this, but it was abandoned and closed without a fix. #2632

Is there a plan for when this will be fixed? I have no idea how to integrate cognito without messing up our production releases.

kroegerama avatar May 07 '24 17:05 kroegerama
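
An added example, not part of the original issue or of Amplify's code: a CI check, sketched in Python, that parses the text of Gradle's `dependencies` report and flags pre-release versions and major-version jumps caused by conflict resolution (Gradle picks the highest requested version by default). The sample report is constructed from the coordinates named in the report above; its tree shape is simplified, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample of `./gradlew :app:dependencies` output. Coordinates come
# from the issue text; the tree shape is a simplified assumption.
SAMPLE = r"""+--- com.amplifyframework:core-kotlin:2.16.1
+--- com.amplifyframework:aws-auth-cognito:2.16.1
|    \--- aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11
|         \--- com.squareup.okhttp3:okhttp:5.0.0-alpha.11
\--- com.squareup.okhttp3:okhttp:4.12.0 -> 5.0.0-alpha.11 (*)
"""

# One tree node: indent, branch marker, group:artifact, requested version,
# and optionally "-> resolved" when Gradle substituted another version.
NODE = re.compile(
    r"^(?P<indent>[| ]*)[+\\]--- (?P<ga>[^:\s]+:[^:\s]+):(?P<req>[^\s:]+)"
    r"(?: -> (?P<res>\S+))?"
)
PRERELEASE = re.compile(r"[-.](alpha|beta|rc|snapshot|dev|m\d)", re.IGNORECASE)


def audit(report):
    """Return (kind, module, version, via) tuples for risky resolutions."""
    findings, path = [], []
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 5  # Gradle indents 5 columns per level
        requested, resolved = m["req"], m["res"] or m["req"]
        del path[depth:]               # drop siblings and deeper nodes
        path.append(m["ga"])
        via = " > ".join(path[:-1]) or "(direct)"
        if PRERELEASE.search(resolved):
            findings.append(("prerelease", m["ga"], resolved, via))
        if resolved.split(".")[0] != requested.split(".")[0]:
            findings.append(
                ("major-bump", m["ga"], f"{requested} -> {resolved}", via))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The `via` field names the dependency chain that introduced the version, which is what identifies the smithy engine as the source here.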

Hi @kroegerama ,

Thanks for reporting the issue, our team will take a look and post updates here.

yuhengshs avatar May 07 '24 18:05 yuhengshs

Hi @kroegerama ,

Unfortunately, Amplify Android has a dependency on aws-kotlin and aws-smithy. We will try to make another request internally and see if any modifications can be done.

yuhengshs avatar May 08 '24 18:05 yuhengshs

Thanks a lot for your follow-up @yuhengshs. I look forward to hearing if your colleagues decide to fix this.

kroegerama avatar May 08 '24 20:05 kroegerama

@yuhengshs Any update on this issue? I am also facing the conflict issue with Stripe. You should use the latest stable version of okhttp3.

mehulrewardle avatar Aug 05 '24 05:08 mehulrewardle

@mehulrewardle Unfortunately, we have a hard dependency on the AWS Kotlin SDK, which is using the v5-alpha. We cannot change the OkHttp version on our end unless the AWS Kotlin SDK makes changes first.

For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?

tylerjroach avatar Aug 05 '24 12:08 tylerjroach

Hi @yuhengshs and @tylerjroach, is there any update on this? As AWS Amplify v1 is officially deprecated, we need to update to v2, but can't due to the compatibility issues with OkHttp3. Updating from v1 to v2 basically forces us to use an unstable alpha release in our network layer and risk crashes or unwanted behaviour with other libraries that transitively depend on OkHttp.

Could you try to find a solution for this issue?

JGerdes avatar Sep 06 '24 13:09 JGerdes

Hello @JGerdes, I am a developer of the AWS SDK for Kotlin. We have no intentions to downgrade our version of OkHttp. Square claims that OkHttp 5.0.0-alpha.X is production stable, so we recommend you upgrade to resolve the issue:

> The alpha releases in the 5.0.0 series have production-quality code and an unstable API. We expect to make changes to the APIs introduced in 5.0.0-alpha.X. These releases are safe for production use and ‘alpha’ strictly signals that we’re still experimenting with some new APIs. If you’re eager for the fixes or features below, please upgrade. https://square.github.io/okhttp/changelogs/changelog/#version-500-alpha7

Note: The AWS SDK for Kotlin does not use any new APIs from 5.0.0-alpha.X, only pre-existing APIs which are considered stable and supported for production use.

If you are not willing to upgrade your OkHttp version to alpha, then you will need to explore alternate solutions such as dependency shading. Here is a GitHub issue where we've discussed this option in the past. It may be useful if you decide to go this route: https://github.com/awslabs/aws-sdk-kotlin/issues/765#issuecomment-1374093175

lauzadis avatar Sep 11 '24 16:09 lauzadis

We are trying to use the latest Stripe SDK, https://github.com/stripe/stripe-terminal-android/releases, which has a dependency on the stable OkHttp lib. We need to use the new version to fix a Stripe bug but are now blocked from upgrading due to the dependency on the alpha version of the OkHttp lib that aws-auth-cognito is using.

In regard to:

> For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?

Yes, the Stripe SDK crashes.

jasinmelb avatar Sep 12 '24 00:09 jasinmelb

@jasinmelb Unfortunately there isn't much we can do from our side right now due to our dependency on AWS Kotlin SDK. Have you tried to look at alternate solutions like what was mentioned above: https://github.com/awslabs/aws-sdk-kotlin/issues/765#issuecomment-1374093175

vincetran avatar Sep 13 '24 18:09 vincetran

I'm happy to share that we've implemented a workaround to this problem. The latest release of smithy-kotlin (v1.3.9) contains an OkHttp4Engine which depends on OkHttp 4.x instead of 5.0.0-alpha.X.

Take a look at the module's README, give it a try, and let us know if you have any problems!

lauzadis avatar Sep 13 '24 22:09 lauzadis

That's awesome! Thanks for the update @lauzadis! For those affected, please try that solution and let us know how it goes for you.

vincetran avatar Sep 13 '24 22:09 vincetran

Hm actually looking a little further into the solution, it looks like there's additional work for Amplify to support this. Let me discuss this with the team.

vincetran avatar Sep 13 '24 22:09 vincetran

@vincetran Can you share the outcome of the discussion with the team or whether there already is a rough timeline when to expect a release adding support for the OkHttp4Engine option?

JGerdes avatar Sep 24 '24 08:09 JGerdes

Hi all, sorry for the late reply. While we do agree that this is something we want to support, we're running a bit stretched right now. We cannot commit to any specific timeline for adding this but we will absolutely keep this issue up-to-date when we have a better idea.

vincetran avatar Sep 30 '24 21:09 vincetran

@vincetran any update on this?

JGerdes avatar Oct 18 '24 08:10 JGerdes

Hi @JGerdes, we don't have any update right now. This is a high-priority improvement so we intend to work on it as soon as there is capacity available.

mattcreaser avatar Oct 18 '24 12:10 mattcreaser

New year, new chances - any update here @mattcreaser, @vincetran? We're really looking forward to upgrading to Amplify 2.

JGerdes avatar Jan 10 '25 09:01 JGerdes

Hi @JGerdes thanks for the poke. I'm working on this right now and I hope to have an update for you soon.

mattcreaser avatar Jan 10 '25 16:01 mattcreaser

I've opened #2970 for this issue.

mattcreaser avatar Jan 13 '25 16:01 mattcreaser

This has been released in Amplify 2.26.0

There are instructions on how to use OkHttp4 available here. For Amplify 2.26.0 the correct version of the smithy dependency is 1.3.23.

We're hoping to improve this feature in the future via releasing a BOM, but this should be enough to get you started. Please try it out and let us know if you encounter any issues!

mattcreaser avatar Jan 17 '25 14:01 mattcreaser

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Jan 17 '25 14:01 github-actions[bot]