amplify-swift
Can Cognito Endpoint be changed without invalidating tokens?
We've been using the default endpoint for our Cognito user pool but would like to start using a custom proxy endpoint (without changing the underlying pool).
When taking the naive approach of specifying the endpoint in the amplify config (below), the user appears to be logged out on launch (without any network calls being made).
```json
"CognitoUserPool": {
    "Default": {
        "Endpoint": "idp.example.com",
        "PoolId": "eu-west-XXX",
        "AppClientId": "XXX",
        "Region": "eu-west-1"
    }
},
```
I'm not clear on exactly why this is but I'm guessing it's because the previously issued tokens have an issuer that is at https://cognito-idp.eu-west-1.amazonaws.com.
Is there any mechanism by which we can start using our new endpoint while retaining the validity of existing tokens / sessions?
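Editor's note with an added example (not code from the issue or from amplify-swift): the thread below traces the logout to the plugin's config-change check rather than to the issuer, but the guess in the question is worth pinning down because it affects token validation on the backend. Cognito puts `https://cognito-idp.<Region>.amazonaws.com/<PoolId>` in the `iss` claim of every ID and access token, derived from the pool's region and id, never from the host the client was pointed at. So a service that verifies these tokens must keep validating against that issuer (and its JWKS) after a proxy endpoint is introduced; re-pointing the expected issuer at the proxy host would reject every valid token. The config struct, helper names and the unsigned demo token below are constructed for the example.

```swift
import Foundation

// Illustrative only: models the Region/PoolId/Endpoint fields from the
// amplifyconfiguration.json snippet above. Not Amplify's own types.
struct CognitoUserPoolConfig {
    let endpoint: String?   // optional proxy host, e.g. "idp.example.com"
    let poolId: String      // e.g. "eu-west-1_XXXX"
    let region: String      // e.g. "eu-west-1"

    // The issuer Cognito writes into tokens for this pool. Note that
    // `endpoint` does not appear anywhere in it.
    var expectedIssuer: String {
        "https://cognito-idp.\(region).amazonaws.com/\(poolId)"
    }
}

func base64URLEncode(_ data: Data) -> String {
    data.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
}

func base64URLDecode(_ s: String) -> Data? {
    var b = s.replacingOccurrences(of: "-", with: "+")
             .replacingOccurrences(of: "_", with: "/")
    while b.count % 4 != 0 { b += "=" }
    return Data(base64Encoded: b)
}

/// Reads the `iss` claim of a JWT. This does NOT verify the signature;
/// signature verification against the pool's JWKS is a separate, mandatory step.
func issuer(ofJWT token: String) -> String? {
    let parts = token.split(separator: ".")
    guard parts.count == 3,
          let payload = base64URLDecode(String(parts[1])),
          let claims = try? JSONSerialization.jsonObject(with: payload) as? [String: Any]
    else { return nil }
    return claims["iss"] as? String
}

/// Constructed, unsigned token for the demo. Real tokens are issued and
/// signed by Cognito; only the claim layout is mimicked here.
func makeDemoToken(issuer: String) -> String {
    let header = try! JSONSerialization.data(withJSONObject: ["alg": "RS256", "kid": "demo-kid"])
    let payload = try! JSONSerialization.data(withJSONObject: ["iss": issuer, "token_use": "id", "sub": "demo-user"])
    return "\(base64URLEncode(header)).\(base64URLEncode(payload)).demo-signature"
}

// Same pool before and after switching the client to a proxy endpoint.
let before = CognitoUserPoolConfig(endpoint: nil, poolId: "eu-west-1_XXXX", region: "eu-west-1")
let after  = CognitoUserPoolConfig(endpoint: "idp.example.com", poolId: "eu-west-1_XXXX", region: "eu-west-1")

// A token obtained through the default endpoint...
let token = makeDemoToken(issuer: before.expectedIssuer)
let iss = issuer(ofJWT: token)!

// ...still matches the issuer the proxied config expects, and never mentions the proxy host.
print("issuer matches after endpoint change:", iss == after.expectedIssuer)
print("issuer contains proxy host:", iss.contains(after.endpoint!))
```

Because `expectedIssuer` depends only on `region` and `poolId`, the first check is true and the second is false; a backend that validates `iss` this way keeps accepting existing sessions across the endpoint change, which is the property the question is after.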
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
@knellr Thanks for opening the issue, I will investigate and provide you an update soon.
@knellr Would you be able to try session-dropping-endpoint-change branch via SPM and validate if this fixes your issue?
Thanks for the response. The issue persists with the new branch. I hit the following breakpoint:
I think I understand what's happening though: We recently removed auth.plugins.awsCognitoAuthPlugin.CredentialsProvider.CognitoIdentity from our configuration as we no longer use Pinpoint Analytics. The two changes together are causing an issue:
- Removing the identity provider -> User stays signed in
- Adding the endpoint (new branch) -> User stays signed in
- Removing the identity provider and adding the endpoint -> User is signed out
In our case, oldAuthConfigData != currentAuthConfig evaluates to true since the identity provider has been removed.
@knellr I will discuss this internally within the team and let you know if we should skip identity config check when we have a valid user pool session.
We remove the keychain, because namespacing, sessions and tokens are tied to both the user pool and the identity pool. Since now you are moving to just using the user pool, the config thinks this is an entirely new config.
Internal state of credentials is:
- User Pool only
- Identity Pool only
- User Pool and Identity Pool
The current logic will remove the keychain if we try to move between these credential states.
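Added example (not the AWSCognitoAuthPlugin's code) to make the three credential states above and the keychain-clearing decision concrete. The "naive" check models the behaviour the reporter hit: any difference between the stored config and the current one wipes the keychain. The second check models what the later comments describe as the goal, keeping an existing user-pool session when the pool, client id and region that issued the tokens are unchanged, even if the identity pool was added or removed or a custom endpoint was introduced. The type names, the `hasUserPoolSession` parameter and the exact rule are assumptions for illustration.

```swift
// Illustrative model of the config-change check discussed in this thread.
// Not Amplify's actual implementation; names and the precise rule are assumed.

struct UserPoolConfig: Equatable {
    let poolId: String
    let appClientId: String
    let region: String
    let endpoint: String?   // custom proxy host; nil means the default AWS endpoint
}

struct IdentityPoolConfig: Equatable {
    let poolId: String
    let region: String
}

struct AuthConfig: Equatable {
    let userPool: UserPoolConfig?
    let identityPool: IdentityPoolConfig?

    // The three credential states named above (nil when neither is configured).
    enum CredentialState { case userPoolOnly, identityPoolOnly, both }
    var credentialState: CredentialState? {
        switch (userPool, identityPool) {
        case (.some, .some): return .both
        case (.some, .none): return .userPoolOnly
        case (.none, .some): return .identityPoolOnly
        case (.none, .none): return nil
        }
    }
}

/// Simplified version of the behaviour reported in the thread: any change
/// between the stored and current config (including a credential-state move)
/// clears the keychain, and with it the session.
func mustClearKeychainNaive(old: AuthConfig, new: AuthConfig) -> Bool {
    old != new
}

/// Behaviour the fix aims for: if a user-pool session exists and the user-pool
/// half that issued the tokens is the same pool, client and region, keep it.
/// Endpoint is deliberately excluded, since tokens are bound to pool + region,
/// not to the host they were fetched from. Without a user-pool session the
/// old all-or-nothing rule still applies (e.g. identity-pool-only to both).
func mustClearKeychain(old: AuthConfig, new: AuthConfig, hasUserPoolSession: Bool) -> Bool {
    guard hasUserPoolSession, let o = old.userPool, let n = new.userPool else {
        return old != new
    }
    return (o.poolId, o.appClientId, o.region) != (n.poolId, n.appClientId, n.region)
}

// Constructed configs mirroring the reporter's change: identity pool removed
// and a custom endpoint added at the same time.
let pool     = UserPoolConfig(poolId: "eu-west-1_XXX", appClientId: "XXX", region: "eu-west-1", endpoint: nil)
let proxied  = UserPoolConfig(poolId: "eu-west-1_XXX", appClientId: "XXX", region: "eu-west-1", endpoint: "idp.example.com")
let identity = IdentityPoolConfig(poolId: "eu-west-1:XXX", region: "eu-west-1")

let stored  = AuthConfig(userPool: pool,    identityPool: identity)  // what the keychain was written under
let current = AuthConfig(userPool: proxied, identityPool: nil)       // state moves from .both to .userPoolOnly

print("state:", String(describing: stored.credentialState), "->", String(describing: current.credentialState))
print("naive check clears keychain:", mustClearKeychainNaive(old: stored, new: current))
print("session-aware check clears keychain:", mustClearKeychain(old: stored, new: current, hasUserPoolSession: true))
```

With these inputs the naive check returns true (the user is signed out, as reported) and the session-aware check returns false (the session survives, as in the reporter's final test on main). The security caveat is the guard: the relaxation is only safe because pool id, app client id and region are still compared, so a config that silently swaps to a different pool or client still drops the old credentials instead of reusing them.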
Thanks. What I'm observing is that transitioning from identity + user to user by itself isn't logging the user out however. Is this also unexpected?
@knellr I will investigate and get back to you.
As an update: We found that users were being logged out when moving from user + identity to user so haven't released that change. These (removing identity and adding custom endpoints) are both changes we would like to make but are unable to due to the logouts.
@knellr Thanks for the update. I am actively in talks to find a solution for the issue and will get back to you soon.
@knellr I added the changes in the latest PR and tested adding/removing identity pools to an already existing session. Let me know how that works for you, and I can push the release soon.
@harsh62 I've just tested with the latest main and I'm not logged out when both removing the identity pool and adding an Endpoint.
Thanks a lot for your help, and I look forward to an official release!
The fix has been released. Please use the latest version of Amplify.