
Auth.signInWithWebUI with AuthProvider.custom redirect URI issue

Open alegos27 opened this issue 1 year ago • 18 comments

Description

When using Amplify's signInWithWebUI(provider: AuthProvider.custom(provider)) function with a custom provider, the WebUI does not return to the application after a successful third-party login. Instead, it navigates to the Cognito authentication base URL and shows an error message: "Something went wrong. Please try again." Closing the WebView manually leaves no authenticated session in Amplify. This issue is unique to custom providers since the same flow with social logins, such as signInWithWebUI(provider: AuthProvider.google), works correctly using identical configurations.

Categories

  • [ ] Analytics
  • [ ] API (REST)
  • [ ] API (GraphQL)
  • [X] Auth
  • [ ] Authenticator
  • [ ] DataStore
  • [ ] Notifications (Push)
  • [ ] Storage

Steps to Reproduce

1.) Amplify Configuration and Init

Use this configuration:

final String amplifyConfig = '''
{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
      "plugins": {
          "awsCognitoAuthPlugin": {
              "IdentityManager": {
                  "Default": {}
              },
              "CognitoUserPool": {
                  "Default": {
                      "PoolId": "${Env().cognitoPoolId}",
                      "AppClientId": "${Env().cognitoAppClientId}",
                      "Region": "${Env().awsRegion}"
                  }
              },
              "Auth": {
                  "Default": {
                      "authenticationFlowType": "CUSTOM_AUTH",
                      "OAuth": {
                          "WebDomain": "${Env().cognitoAuthDomain}",
                          "AppClientId": "${Env().cognitoAppClientId}",
                          "SignInRedirectURI": "myapp://",
                          "SignOutRedirectURI": "myapp://",
                          "Scopes": [ 
                              "phone",
                              "email",
                              "openid",
                              "profile",
                              "aws.cognito.signin.user.admin"
                          ]
                      }
                  }
              }
          }
      }
  }
}
''';

Init Amplify in main.dart:

await Amplify.addPlugin(AmplifyAuthCognito());
await Amplify.configure(amplifyConfig);

2.) Call signInWithWebUI function:

Use the following function to initiate a sign-in with a third-party provider via Amplify's WebUI:

final result = await Amplify.Auth.signInWithWebUI(
   provider: AuthProvider.custom(provider),
   options: const SignInWithWebUIOptions(
     pluginOptions: CognitoSignInWithWebUIPluginOptions(
       isPreferPrivateSession: true,
     ),
   ),
);

3.) Complete the Third-Party Authentication:

  • In the WebUI that appears, log in using the selected third-party provider credentials.

4.) Observe the Redirection:

  • Instead of redirecting to the application, the WebView directs to the Cognito authentication base URL.
  • In the WebView, there is an error message: "Something went wrong. Please try again."

5.) Close the WebView:

  • If you close the WebUI manually, you'll notice that no authenticated session is established in Amplify.
  • On Android Console: D/AmplifyAuthCognitoPlugin( 5776): [cancelCurrentOperation] Canceling with state: signInResult=com.amazonaws.amplify.amplify_auth_cognito.AtomicResult@4dde50c, signOutResult=null

Screenshots

[Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 22 04] [Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 22 21] [Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 23 03]

Platforms

  • [X] iOS
  • [X] Android
  • [ ] Web
  • [ ] macOS
  • [ ] Windows
  • [ ] Linux

Flutter Version

3.19.6

Amplify Flutter Version

2.0.0

Deployment Method

Custom Pipeline

Schema

No response

alegos27 avatar May 09 '24 13:05 alegos27

Hi @alegos27, we will look into this issue and get back to you with any updates.

khatruong2009 avatar May 09 '24 17:05 khatruong2009

Hi @alegos27, in the first two screenshots, are you using the AuthProvider.google and showing that it is working? Or are all 3 screenshots part of a single unsuccessful sign in flow? Are you using AuthProvider.custom for your Google sign ins? Can you give us some more details on your custom auth provider?

khatruong2009 avatar May 09 '24 19:05 khatruong2009

Hi @khatruong2009, the first two screenshots show AuthProvider.custom, but used with Google as the SSO authenticator. We encounter the same issue with other providers like Azure. So, all three screenshots depict a single unsuccessful sign-in flow. When we use Google Sign-In with AuthProvider.google, it works seamlessly, as it does with Apple and Facebook; the sign-in flow, including redirects, works correctly. We're using the Cognito identity provider as a custom SSO auth provider, leveraging SAML or OIDC (90% SAML) for corporate authentication systems that have their own provider. We also tried using AuthProvider.saml(), but with the same result. If you need more details, feel free to ask. [Screenshot 2024-05-10 at 14 09 04]

alegos27 avatar May 10 '24 12:05 alegos27

@alegos27 thank you for providing these details. We will look into this issue and get back to you with any updates.

NikaHsn avatar May 14 '24 21:05 NikaHsn

@alegos27 in the amplify configuration I noticed that you are using "authenticationFlowType": "CUSTOM_AUTH", would you please confirm that you are using sign-in with custom auth flow with AWS Lambda triggers?

NikaHsn avatar May 15 '24 18:05 NikaHsn

@NikaHsn Yes, I can confirm that we are using a custom authentication flow with AWS Lambda triggers in the auth flow with email (Amplify.Auth.signIn). However, for the Amplify.Auth.signInWithWebUI function, we are not using the custom authentication flow. Instead, we use identity providers configured in Cognito as you can see in the screenshots above.

alegos27 avatar May 16 '24 09:05 alegos27

@alegos27 thank you for providing these details. We will look into this and get back to you with any updates.

NikaHsn avatar May 16 '24 17:05 NikaHsn

Same issue here, any updates? Thanks

dagovalsusa avatar May 21 '24 14:05 dagovalsusa

Hi @dagovalsusa, no updates yet. We still need to reproduce this. We will update when we have more information.

Equartey avatar May 23 '24 19:05 Equartey

Thank you @Equartey. But maybe the Cognito configuration (server side) is wrong or not compatible with the signInWithWebUI flow? Because I tried to use the OAuth2 REST API flow (https://docs.aws.amazon.com/it_it/cognito/latest/developerguide/token-endpoint.html), and it is OK: I receive id_token, access and refresh tokens. So, meanwhile, while you try to reproduce this case, is there a way to set the obtained tokens inside the Amplify plugin? I've also tried Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey).federateToIdentityPool(token: response.data["access_token"], provider: AuthProvider.custom(provider)), where access_token is obtained from the OAuth2 REST API flow, but it doesn't work and returns the error

InvalidAccountTypeException {
  "message": "No identity pool registered for this account",
  "recoverySuggestion": "Register an identity pool using the CLI"
}

dagovalsusa avatar May 27 '24 15:05 dagovalsusa
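The sign-in described in the reproduction steps and the manual REST flow in the comment above are both the OAuth2 authorization-code flow against the Cognito Hosted UI. The following is an added, stdlib-only Python reconstruction of that flow (not code from this thread, from Amplify Flutter, or from AWS; the plugin's internals may differ): it builds the /oauth2/authorize URL from the issue's "OAuth" config block (with the identity_provider parameter that AuthProvider.custom(provider) selects and a PKCE challenge), validates the URL the browser comes back on, and prepares the /oauth2/token request. The domain, client id and redirect URI values are constructed placeholders; an app client with a client secret would additionally need HTTP Basic credentials on the token request, which is not shown.

```python
"""Offline reconstruction of the Hosted UI authorization-code flow behind
signInWithWebUI. Constructed sample values only; nothing here contacts AWS."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the "OAuth" block of the Amplify config in the issue.
SAMPLE_OAUTH_CONFIG = {
    "WebDomain": "xxxxxx.eu-west-1.amazoncognito.com",  # placeholder, default-domain form
    "AppClientId": "EXAMPLE_APP_CLIENT_ID",             # placeholder
    "SignInRedirectURI": "myapp://",
    "SignOutRedirectURI": "myapp://",
    "Scopes": ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"],
}


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(cfg, identity_provider, state, code_challenge):
    """/oauth2/authorize URL. identity_provider is the user-pool IdP name, which is
    what AuthProvider.custom(name) selects; Cognito then skips its own picker page."""
    params = {
        "response_type": "code",
        "client_id": cfg["AppClientId"],
        "redirect_uri": cfg["SignInRedirectURI"],
        "scope": " ".join(cfg["Scopes"]),
        "identity_provider": identity_provider,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{cfg['WebDomain']}/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url, cfg, expected_state):
    """Validate the URL the browser returned on and extract the authorization code.

    Raises ValueError when the browser did not land on the configured redirect URI
    (the issue's symptom: the Hosted UI domain showing an error page instead of
    the app scheme), when Cognito reported an error, when the state does not match
    (CSRF or a response from a different flow), or when no code is present.
    """
    got = urlsplit(callback_url)
    want = urlsplit(cfg["SignInRedirectURI"])
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"callback landed on {got.scheme}://{got.netloc}{got.path}, "
                         f"not on redirect URI {cfg['SignInRedirectURI']}")
    q = parse_qs(got.query)
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        raise ValueError(f"authorization error: {q['error'][0]} {desc}".rstrip())
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def diagnose_callback(callback_url, cfg, expected_state):
    """Convenience wrapper: 'ok' on success, otherwise the validation message."""
    try:
        parse_callback(callback_url, cfg, expected_state)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_token_request(cfg, code, code_verifier):
    """(url, form fields) for /oauth2/token. POSTing the form as
    application/x-www-form-urlencoded yields id_token, access_token and refresh_token."""
    form = {
        "grant_type": "authorization_code",
        "client_id": cfg["AppClientId"],
        "code": code,
        "redirect_uri": cfg["SignInRedirectURI"],
        "code_verifier": code_verifier,
    }
    return f"https://{cfg['WebDomain']}/oauth2/token", form


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(SAMPLE_OAUTH_CONFIG, "MyCorpSAML", state, challenge))
    # Constructed callbacks: the expected one, and the failure seen in the issue.
    print(diagnose_callback(f"myapp://?code=abc123&state={state}", SAMPLE_OAUTH_CONFIG, state))
    print(diagnose_callback("https://xxxxxx.eu-west-1.amazoncognito.com/error",
                            SAMPLE_OAUTH_CONFIG, state))
```

The redirect-URI comparison is the check that distinguishes the working social-provider flow from the failing custom-provider one in this thread: a successful run returns on the app scheme carrying code and state, while the failing run ends on the Hosted UI domain itself and never yields a code, so no session can be established.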

@dagovalsusa - There is no way to manually set the tokens. There is a feature request for this (https://github.com/aws-amplify/amplify-flutter/issues/593) but it is not something that is in the roadmap.

Jordan-Nelson avatar May 28 '24 17:05 Jordan-Nelson

I have identified the root cause of the problem. The Cognito authentication for SSO fails when using a custom domain instead of the default Cognito domain. Specifically, if we do not use the domain format xxxxxx.eu-west-1.amazoncognito.com, the login process fails even when using just the browser.

@alegos27, could you please check this on your side as well?

Thank you!

dagovalsusa avatar Jun 06 '24 07:06 dagovalsusa

@dagovalsusa that solution works! Thanks!

alegos27 avatar Jun 06 '24 07:06 alegos27

@dagovalsusa thanks for providing that context. We'll investigate how to best address this and update y'all here.

Equartey avatar Jun 06 '24 19:06 Equartey

Hi @alegos27, are you returning to the same Hosted UI URL that the request was initiated from? Did the request start on the custom domain and also return to that same custom domain?

khatruong2009 avatar Jul 12 '24 16:07 khatruong2009

@alegos27 and @dagovalsusa - if you are still facing this issue can you please see the question above? Thanks.

Jordan-Nelson avatar Jul 25 '24 19:07 Jordan-Nelson

Hi @khatruong2009, I think so. Our configuration is simply a custom domain before the Cognito domain xxxxxx.eu-west-1.amazoncognito.com. But the returning URL is our app scheme (example: app://).

dagovalsusa avatar Jul 29 '24 08:07 dagovalsusa

Hi @dagovalsusa, the redirect to the app scheme looks fine, that shouldn't be an issue. Could you provide a HAR file so that we can debug and see if the redirect is being changed inadvertently somewhere along the line? Thanks.

khatruong2009 avatar Aug 19 '24 16:08 khatruong2009