amplify-flutter

signOut CognitoSignOutResult different behavior on iOS and Android

Open lokalathlet opened this issue 1 year ago • 24 comments

Description

The "signedOutLocally" result in airplane mode is different on iOS (false) and Android (true). My expectation is that I can sign out successfully on both environments -> "signedOutLocally": true

See the logs for iOS and Android:

iOS:

```
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ [debug] | 13:12:12 481ms | ::signOut result: CognitoSignOutResult {
│   "exception": "NetworkException {\n  \"message\": \"The request failed due to a network error.\",\n  \"recoverySuggestion\": \"Ensure that you have an active network connection\",\n  \"underlyingException\": \"POST https://cognito-idp.eu-central-1.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.eu-central-1.amazonaws.com' (OS Error: nodename nor servname provided, or not known, errno = 8)\"\n}",
│   "signedOutLocally": false
│ }
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

Android:

```
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────
I/flutter ( 4454): │ [debug] | 13:30:42 760ms | ::signOut result: CognitoSignOutResult {
I/flutter ( 4454): │ "hostedUiException": "HostedUiException {\n "message": "Failed to perform Hosted UI sign out",\n "recoverySuggestion": "See underlyingException for more details",\n "underlyingException": "PlatformException(CANCELLED, com.amazonaws.amplify.amplify_auth_cognito.HostedUiException$CANCELLED, Cause: null, Stacktrace: com.amazonaws.amplify.amplify_auth_cognito.HostedUiException$CANCELLED\n\tat com.amazonaws.amplify.amplify_auth_cognito.AmplifyAuthCognitoPlugin.cancelCurrentOperation(AmplifyAuthCognitoPlugin.kt:587)\n\tat com.amazonaws.amplify.amplify_auth_cognito.AmplifyAuthCognitoPlugin.onNewIntent(AmplifyAuthCognitoPlugin.kt:542)\n\tat io.flutter.embedding.engine.FlutterEngineConnectionRegistry$FlutterEngineActivityPluginBinding.onNewIntent(FlutterEngineConnectionRegistry.java:799)\n\tat io.flutter.embedding.engine.FlutterEngineConnectionRegistry.onNewIntent(FlutterEngineConnectionRegistry.java:437)\n\tat io.flutter.embedding.android.FlutterActivityAndFragmentDelegate.on
I/flutter ( 4454): │ "globalSignOutException": null,
I/flutter ( 4454): │ "revokeTokenException": "RevokeTokenException {\n "message": "Failed to revoke token",\n "recoverySuggestion": "See underlyingException for more details",\n "underlyingException": "NetworkException {\n \"message\": \"The request failed due to a network error.\",\n \"recoverySuggestion\": \"Ensure that you have an active network connection\",\n \"underlyingException\": \"POST https://cognito-idp.eu-central-1.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.eu-central-1.amazonaws.com' (OS Error: No address associated with hostname, errno = 7)\"\n}"\n}",
I/flutter ( 4454): │ "signedOutLocally": true
I/flutter ( 4454): │ }
I/flutter ( 4454): └──────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

Categories

  • [ ] Analytics
  • [ ] API (REST)
  • [ ] API (GraphQL)
  • [X] Auth
  • [ ] Authenticator
  • [ ] DataStore
  • [ ] Notifications (Push)
  • [ ] Storage

Steps to Reproduce

  1. SignIn successfully
  2. AirPlane Mode on
  3. SignOut

Screenshots

No response

Platforms

  • [X] iOS
  • [X] Android
  • [ ] Web
  • [ ] macOS
  • [ ] Windows
  • [ ] Linux

Flutter Version

3.24.0

Amplify Flutter Version

2.3.0

Deployment Method

Amplify Gen 2

Schema

No response

lokalathlet avatar Aug 31 '24 11:08 lokalathlet

@lokalathlet Sorry that you are facing this issue and thanks for reporting it. We will look into this and get back to you when we have updates.

NikaHsn avatar Sep 03 '24 16:09 NikaHsn

@lokalathlet do you use sign-in with web UI?

NikaHsn avatar Sep 06 '24 23:09 NikaHsn

@NikaHsn, you're right. In the Android use case we're signing in via signing with webui. In the iOS use case we log in via passkeys, finally using the signin method. I will double-check this; in case we are using passkeys on Android, we are getting the same result: signout = false, if we are offline.

lokalathlet avatar Sep 08 '24 07:09 lokalathlet

```
[debug] | 9:52:56 764ms | ::signOut result: CognitoSignOutResult {
  "hostedUiException": null,
  "globalSignOutException": null,
  "revokeTokenException": "RevokeTokenException {\n \"message\": \"Failed to revoke token\",\n \"recoverySuggestion\": \"See underlyingException for more details\",\n \"underlyingException\": \"NetworkException {\\n \\\"message\\\": \\\"The request failed due to a network error.\\\",\\n \\\"recoverySuggestion\\\": \\\"Ensure that you have an active network connection\\\",\\n \\\"underlyingException\\\": \\\"POST https://cognito-idp.eu-central-1.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.eu-central-1.amazonaws.com' (OS Error: No address associated with hostname, errno = 7)\\\"\\n}\"\n}",
  "signedOutLocally": true
}
```

On Android it works as expected: sign in via passkeys, set flight mode on, user presses logout, "signedOutLocally": true

lokalathlet avatar Sep 08 '24 07:09 lokalathlet

Hi @lokalathlet, could you please provide a code snippet for how you are signing in with passkey on iOS.

tyllark avatar Sep 12 '24 19:09 tyllark

Hi @lokalathlet, if you're still experiencing this issue can you please provide a code snippet to help us reproduce the observed behavior?

Equartey avatar Sep 19 '24 19:09 Equartey

Hi Equartey, here are the simplified steps for how we sign in. It's the same for iOS and Android. It must be clear that we can't provide a minimal working example with all the components of a working Cognito instance and Lambda stuff behind it. I assume that Amazon is in a position to have a running environment where it is possible to recreate the sign-out behavior itself. Let me know if this information is helpful. We are following the documentation for Flutter authentication from the website.

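```dart
import 'dart:convert'; // jsonEncode

import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
import 'package:amplify_flutter/amplify_flutter.dart';

// Start the custom auth flow (no SRP) for the given username.
final signInResult = await _authCategory.signIn(
  username: username,
  options: const SignInOptions(
    pluginOptions: CognitoSignInPluginOptions(
      authFlowType: AuthenticationFlowType.customAuthWithoutSrp,
    ),
  ),
);

// platform authenticator called here

// Assertion returned by the platform authenticator, plus the challenge.
final jsonMap = {
  'response': {
    'credentialId': request.id,
    'authenticatorData': request.authenticatorData,
    'clientDataJSON': request.clientDataJSON,
    'signature': request.signature,
  },
  'challenge': authenticateChallenge,
};

// Answer the custom challenge with the JSON-encoded assertion.
final confirmSignInResult = await _authCategory.confirmSignIn(jsonEncode(jsonMap));
```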

lokalathlet avatar Sep 23 '24 15:09 lokalathlet

@lokalathlet Amplify flutter Auth does not support signIn with passkey and based on my understanding you've implemented the signin with passkey yourself, correct me if I'm wrong. Do you see this issue when using signin methods that are supported by Amplify Flutter Auth category rather than passkey?

NikaHsn avatar Oct 16 '24 21:10 NikaHsn

@NikaHsn you are right. We use signInWithWebUI as an alternative. I will give it a try and come back to you.

lokalathlet avatar Oct 17 '24 12:10 lokalathlet

@lokalathlet thanks for confirming. Let us know if you are facing this issue when using signInWithWebUI.

NikaHsn avatar Oct 17 '24 17:10 NikaHsn

Hi @NikaHsn, we have further investigated the issue. We rely on the smartphone's time to be set correctly. Therefore, we continuously test scenarios that can occur due to deliberate actions by the user, such as manually changing the time, and the consequences thereof.

We have noticed that when the time is falsified in offline mode, for example, by setting the clock forward or backward, the Amplify sign-out does not work. We are interested to know if you can confirm that an incorrect time setting might possibly affect the sign-out result. In this case, the SignOut result is (same on iOS and Android):

```
│ [error] | 11:33:44 291ms | ::signOut failed CognitoFailedSignOut: CognitoSignOutResult {
│ "exception": "NetworkException {\n \"message\": \"The request failed due to a network error.\",\n \"recoverySuggestion\": \"Ensure that you have an active network connection\",\n \"underlyingException\": \"POST https://cognito-idp.eu-central-1.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.eu-central-1.amazonaws.com' (OS Error: nodename nor servname provided, or not known, errno = 8)\"\n}",
│ "signedOutLocally": false
│ }
```

What can we, as users of the library, do to ensure that signOutLocally: true is always the outcome? Or can you invalidate the tokens locally and not rely on a correct time setting of the smartphone? Thanks in advance for your feedback. BR

This is the result when the time is set back to the correct time:

```
[debug] | 11:34:49 659ms | ::signOut OK CognitoPartialSignOut: CognitoSignOutResult {
│ "hostedUiException": null,
│ "globalSignOutException": null,
│ "revokeTokenException": "RevokeTokenException {\n \"message\": \"Failed to revoke token\",\n \"recoverySuggestion\": \"See underlyingException for more details\",\n \"underlyingException\": \"NetworkException {\\n \\\"message\\\": \\\"The request failed due to a network error.\\\",\\n \\\"recoverySuggestion\\\": \\\"Ensure that you have an active network connection\\\",\\n \\\"underlyingException\\\": \\\"POST https://cognito-idp.eu-central-1.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.eu-central-1.amazonaws.com' (OS Error: nodename nor servname provided, or not known, errno = 8)\\\"\\n}\"\n}",
│ "signedOutLocally": true
│ }
```

lokalathlet avatar Dec 16 '24 10:12 lokalathlet

Hello @lokalathlet, thank you for the additional information. We will look into replicating this issue and will provide guidance to ensure the user is properly logged out.

tyllark avatar Dec 23 '24 16:12 tyllark

Hey @tyllark, any update on this issue?

lokalathlet avatar Jan 15 '25 16:01 lokalathlet

Hi @lokalathlet , to clarify, you noticed this behaviour with the device time after the user has signed in with web-ui?

ekjotmultani avatar Jan 17 '25 20:01 ekjotmultani

> Hi @lokalathlet , to clarify, you noticed this behaviour with the device time after the user has signed in with web-ui?

see this post for clarification https://github.com/aws-amplify/amplify-flutter/issues/5402#issuecomment-2336585992

lokalathlet avatar Feb 03 '25 07:02 lokalathlet

Thanks for the clarification, we are still investigating, including communicating with the other Amplify library teams, to determine a fix.

ekjotmultani avatar Feb 12 '25 19:02 ekjotmultani

@ekjotmultani any update on this?

lokalathlet avatar Mar 13 '25 08:03 lokalathlet

Hi @lokalathlet, I've been unable to reproduce this issue on Android with a webUI sign in flow. There may be stale auth tokens floating around on the device, is your project using the default Cognito token expirations?

ekjotmultani avatar Mar 17 '25 17:03 ekjotmultani

If the user accidentally sets up the wrong time, the sign-out functionality doesn't work anymore.

```
[Talker] ┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ [error] | 17:44:35 240ms | ::signOut failed CognitoFailedSignOut: CognitoSignOutResult {
│ "exception": "SessionExpiredException {\n \"message\": \"The tokens could not be refreshed\",\n \"recoverySuggestion\": \"Invoke Amplify.Auth.signIn to re-authenticate the user\",\n \"underlyingException\": \"NotAuthorizedException {\\n message=Refresh Token has been revoked,\\n}\"\n}",
│ "signedOutLocally": false
│ }
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

lokalathlet avatar Apr 28 '25 13:04 lokalathlet

Hi @lokalathlet, thanks for the additional information. We will modify our system clock and attempt to reproduce.

tyllark avatar Apr 30 '25 17:04 tyllark

Hi @tyllark , any update on this issue?

lokalathlet avatar Aug 13 '25 07:08 lokalathlet

Hello @lokalathlet, sorry for the delay; this issue fell off our radar. I will attempt to reproduce this issue as my next task.

tyllark avatar Aug 15 '25 07:08 tyllark

Hello @lokalathlet, I'm seeing the difference in behavior when signing out in airplane mode with a normal vs modified time:

Normal:

```
CognitoSignOutResult {
  "hostedUiException": "HostedUiException {\n  \"message\": \"Failed to perform Hosted UI sign out\",\n  \"recoverySuggestion\": \"See underlyingException for more details\",\n  \"underlyingException\": \"PlatformException(CANCELLED, null, null, null)\"\n}",
  "globalSignOutException": null,
  "revokeTokenException": "RevokeTokenException {\n  \"message\": \"Failed to revoke token\",\n  \"recoverySuggestion\": \"See underlyingException for more details\",\n  \"underlyingException\": \"NetworkException {\\n  \\\"message\\\": \\\"The request failed due to a network error.\\\",\\n  \\\"recoverySuggestion\\\": \\\"Ensure that you have an active network connection\\\",\\n  \\\"underlyingException\\\": \\\"POST https://cognito-idp.us-west-2.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.us-west-2.amazonaws.com' (OS Error: nodename nor servname provided, or not known, errno = 8)\\\"\\n}\"\n}",
  "invalidTokenException": null,
  "signedOutLocally": true
```

Modified:

```
CognitoSignOutResult {
  "hostedUiException": null,
  "globalSignOutException": null,
  "revokeTokenException": null,
  "invalidTokenException": "InvalidTokenException {\n  \"message\": \"The provided user pool token is invalid\",\n  \"recoverySuggestion\": \"See underlyingException for more details\",\n  \"underlyingException\": \"NetworkException {\\n  \\\"message\\\": \\\"The request failed due to a network error.\\\",\\n  \\\"recoverySuggestion\\\": \\\"Ensure that you have an active network connection\\\",\\n  \\\"underlyingException\\\": \\\"POST https://cognito-idp.us-west-2.amazonaws.com/? failed: SocketException: Failed host lookup: 'cognito-idp.us-west-2.amazonaws.com' (OS Error: nodename nor servname provided, or not known, errno = 8)\\\"\\n}\"\n}",
  "signedOutLocally": true
```

Can you please update your Amplify Flutter dependencies to the latest version (amplify_auth_cognito: ^2.6.5). In this commit we added error handling for invalid tokens which was blocking sign out.

tyllark avatar Aug 20 '25 23:08 tyllark
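The result types seen in this thread (`CognitoPartialSignOut`, `CognitoFailedSignOut`, and the `signedOutLocally` flag) can be handled explicitly in app code so that a failed offline sign-out is never shown to the user as an ended session. The following Dart is an added example, not code from the issue or from the Amplify project; `SignOutOutcome`, `classifySignOut` and `signOutAndClassify` are hypothetical names.

```dart
import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
import 'package:amplify_flutter/amplify_flutter.dart';

/// App-level decision after a sign-out attempt (hypothetical enum).
enum SignOutOutcome {
  complete, // device credentials cleared, server-side steps succeeded
  localOnly, // device credentials cleared, a server-side step failed
  credentialsRetained, // signedOutLocally == false: tokens still on device
}

/// Maps the plugin result onto an app decision (hypothetical helper).
SignOutOutcome classifySignOut(SignOutResult result) {
  if (result is CognitoCompleteSignOut) {
    return SignOutOutcome.complete;
  }
  if (result is CognitoPartialSignOut) {
    // The offline runs in this thread land here with revokeTokenException
    // set: the device is clean, but the refresh token was not revoked.
    safePrint('Partial sign-out: '
        'hostedUi=${result.hostedUiException}, '
        'global=${result.globalSignOutException}, '
        'revoke=${result.revokeTokenException}');
    return SignOutOutcome.localOnly;
  }
  if (result is CognitoFailedSignOut) {
    safePrint('Sign-out failed: ${result.exception.message}');
  }
  // Fall back to the flag reported by the library itself.
  return result.signedOutLocally
      ? SignOutOutcome.localOnly
      : SignOutOutcome.credentialsRetained;
}

Future<SignOutOutcome> signOutAndClassify() async {
  final result = await Amplify.Auth.signOut();
  final outcome = classifySignOut(result);
  if (outcome == SignOutOutcome.credentialsRetained) {
    // Credentials are still stored: do not present the session as ended.
    // Keep the sign-out control available and retry later.
    safePrint('Local credentials were not cleared; sign-out must be retried');
  }
  return outcome;
}
```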

Thank you, @tyllark. We will include this version in regression testing to check the new behavior.

lokalathlet avatar Sep 16 '25 15:09 lokalathlet