
Re-prompt users for OAUTH consent

Open HMilbradt opened this issue 5 years ago • 3 comments

**Which Category is your question related to?** Auth

**What AWS Services are you utilizing?** Cognito

**Provide additional details e.g. code snippets**

Hi team,

We have an application using `Auth.federatedSignIn({ provider: 'Facebook' })`, but ran into a slight problem. We have a Lambda trigger that ensures the user has granted access to their email and returns an error if they disallow it. However, once a user disallows access to it, any subsequent logins will skip the OAuth consent screen, and will fail with the exact same error.

In order for a user to currently fix this, they need to log into Facebook and manually update the permissions to our app before logging in.

What we'd like to do instead is to be able to re-show the Facebook OAuth consent screen where they can change the permissions to their email and try again. Is this currently possible using the Amplify SDK?

We're currently using our own custom sign in pages without the hosted UI, so ideally something like `Auth.federatedSignIn({ provider: 'Facebook', request_permissions: true })` would be perfect if it exists. Thanks!

HMilbradt avatar Jan 09 '20 18:01 HMilbradt

The revocation & re-requesting of permissions is handled by the given OAuth provider. If you're using Facebook, you can use the Facebook SDK directly and specify `auth_type` (docs here). This StackOverflow post sums it up quite nicely.

harrysolovay avatar Sep 04 '20 23:09 harrysolovay
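A sketch of the approach suggested in the comment above, as an added example that is not code from Amplify or from either commenter: it reads the Graph API `/me/permissions` edge and calls the Facebook JS SDK's `FB.login` with `auth_type: 'rerequest'` so the consent dialog is shown again for a declined permission. The helper names (`missingPermissions`, `loginOptions`, `ensurePermissions`) are hypothetical, and the SDK global is passed in as `fb` so it can be stubbed.

```javascript
// Added example. FB.api, FB.login, `scope` and `auth_type` are Facebook JS SDK
// names; every other identifier here is a hypothetical helper.

// Given the body of GET /me/permissions, shaped like
//   { data: [{ permission: 'email', status: 'granted' | 'declined' }, ...] },
// return the entries of `required` that are not currently granted.
// An error body (no `data`) is treated as "nothing granted".
function missingPermissions(permissionsResponse, required) {
  const rows = (permissionsResponse && permissionsResponse.data) || [];
  const granted = new Set(
    rows.filter((p) => p.status === 'granted').map((p) => p.permission)
  );
  return required.filter((name) => !granted.has(name));
}

// Build the options object for FB.login. Without auth_type 'rerequest',
// Facebook does not ask again for a permission the user already declined.
function loginOptions(missing) {
  const opts = { scope: missing.join(',') };
  if (missing.length > 0) opts.auth_type = 'rerequest';
  return opts;
}

// Re-prompt for whatever is missing and resolve with the permissions that
// are STILL missing afterwards (the user can decline a second time, so the
// server-side check in the Lambda trigger remains necessary).
function ensurePermissions(fb, required) {
  return new Promise((resolve) => {
    fb.api('/me/permissions', (current) => {
      const missing = missingPermissions(current, required);
      if (missing.length === 0) return resolve([]);
      fb.login(() => {
        fb.api('/me/permissions', (after) =>
          resolve(missingPermissions(after, required)));
      }, loginOptions(missing));
    });
  });
}
```

In a browser, `FB.login` opens a popup, so the call to `ensurePermissions(window.FB, ['email'])` should originate from a click handler such as a "Try again" button, or the popup may be blocked.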

After some poking around in the code, I realized that this is actually a problem with Cognito rather than Amplify. However, it sort of defeats the purpose of an auth package if you need to reach for the underlying social providers just to fix a fairly common problem.

After more snooping around, I saw that Auth0 works around this by allowing the user to supply additional parameters in their login flows. Something like `Auth.federatedSignIn({ provider: 'Facebook', additional_parameters: { auth_type: 'reauthorize' } })` would be really handy, especially considering this won't be the last issue we have with our social providers.

Thought I'd share this as I'm not sure how tightly integrated your two teams are. I have to say, I've been so incredibly impressed with Amplify's progress over the past couple years, and so utterly frustrated with the state of Cognito. They could certainly learn something from your team.

Anyways, thanks for the answer.

HMilbradt avatar Sep 09 '20 01:09 HMilbradt

Similar to https://github.com/aws-amplify/amplify-js/issues/4044

nadetastic avatar Apr 12 '23 19:04 nadetastic