How can I login or logout using the streams API?

[sromocki]

Hello,

I was wondering if it's possible to log an agent in and out using the Streams API. Since I will be eventually hiding the Amazon CCP application I need to be able to do this functionality. Also, is SSO a possibility?

Thanks,
Sean

[autrey]

No, unfortunately. Your users will need to log into Connect first, or you can have the Streams API pop-up the login screen. It’s not ideal, but that’s the state of the state.

…

On Aug 10, 2017, 2:43 PM -0500, Sean Romocki ***@***.***>, wrote: Hello, I was wondering if it's possible to log an agent in and out using the Streams API. Since I will be eventually hiding the Amazon CCP I need to be able to do this functionality. Thanks, Sean — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[sromocki]

@autrey Understood. Are there any plans for alternative authentication options in the future?

[KDLGates]

Just chiming in that this is also an issue for us. As much as AWS deserves credit for a good product, in our CMS we want to downplay the Amazon Connect branding (I'm sure they've heard that before), and it looks (and kind of is) unprofessional to have a pop-up in the middle of the login flow, especially since it means we also have to instruct how to disable Chrome's built-in pop-up blocker which catches it.

Our workaround is to have a "Login" button that really just stands in front of the call to initializing the CCP and letting it summon the pop-up.

I've read that AWS supports Kerberos authentication, but we would require it without the Microsoft Active Directory baggage, and I don't know if it's feasible for us to evaluate a custom solution and give certificates to each user.

Long story short: Amazon, please give us login and logout options for our users, whether it's part of the amazon-connect-streams API or a part of the broader Amazon Connect service offering. It "shouldn't" be, but a clunky second login stream for agents is a big quality issue, and it seems like it should be fixable to give us developers more control without going all the way to requiring Microsoft Active Directory or Kerberos.

[HandyG52]

I agree with the concerns others have expressed on this thread. My team is currently evaluating this product as well as other similar services for a new webapp. Amazon connect excels in some areas, but the login mechanism for connect requiring its own popup - once already granted access to our webapp - is too cumbersome. Also, once authenticated it doesn't close the popup, but instead remains open with just the ccp in the tab. The user has to switch tabs back to our webapp.

[autrey]

@sromocki Unfortunately, I haven't heard, but I'm not on the Amazon team. My team has worked with Connect as a very early partner, but I don't have that kind of insider knowledge :-) I'll post if I hear anything I'm able to share. I do agree with everyone that this is a very reasonable and desirable feature to have.

PS - (Just an idea) If your organization has AWS support, complete a support ticket referencing this issue. I do know that the Connect team is adjusting their roadmap based on customer feedback. The more votes for this, the closer it is to becoming a reality.

I'll create a ticket as well.

[pavanrachapudy]

When I authenticate with my amazon connect credentials on the other page and when i come to my web page, it is taking lot of time to trigger connect.agent(...). Is there something, I am missing. Any help on this would be appreciated.

[ninjamike54]

There are a few questions here so I'll answer them as accurately as I can:

1. Is it possible to sign in and out using the streams API?
   -- No, you will have to sign in using the standard signin process in order to get an auth token - the signin logic itself, beyond opening a popup window, isn't built into streams
2. Is SSO a possibility?
   -- Actually, we just released this in private preview last week. You can read the announcement at https://aws.amazon.com/about-aws/whats-new/2018/01/amazon-connect-adds-federated-single-sign-on-using-saml-2-0-available-in-preview/
3. Why doesn't the login popup close after signing in?
   -- We're aware that this is a pain point, and will work on improving it in the future (but I unfortunately don't have a time commitment I can give)

[mschersten]

I see that there is an application for the preview, but is there any further documentation on how this would work? We do not currently have or need SSO, but would consider using it if only to cleanup the login process. Does using implementing SSO just for this purpose seem reasonable, or would it make more sense to just wait for point (3) to be addressed?

[AzerinnD]

@ninjamike54 in your post on Jan 30th you said that you can't log in via the streams API; however, you didn't mention log out. Is there a way to log out the agent via the streams API? If not, is there anyway to allow an agent to log out if we have the CCP hidden inside an iframe and not visible to the user?

[mschersten]

@AzerinnD

There's nothing in the documentation for this, but you could dig through the source code to find something. I bet it's not there, but here's a thought:

Since we already have to use the login page, and can't hide the Connect branding yet, it might not be too painful for you to provide a link to the CCP in a new window (https://INSTANCE.awsapps.com/connect/ccp#/), and the user could log out from there. It's not a pretty solution, but a way to get out of embedding the stock CCP if that was the only reason to do so.

[AzerinnD]

@mschersten I have been trying to dig through the source but haven't gotten anywhere so far. I had already manually tried doing what you are suggesting; however, there seem to be issues with that. For one thing I am not getting the connect.EventType.AUTH_FAIL or connect.EventType.TERMINATE event in my page. It looks like the embedded CCP is trying to display the login page; however, it isn't trying to use a popup in this case and all I see in the console is:

Refused to display 'https://INSTANCE.awsapps.com/connect/login?landat=%2Fconnect%2Fccp#/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

If I can catch the fact that the agent isn't logged in anymore in my page I could do something to indicate that; however, I haven't found a way to catch that as of yet.

[AzerinnD]

Apperently I needed to subscribe to the connect.EventType.TERMINATED event instead of the connect.EventType.TERMINATE event. That gets hit when the agent logs out from the CCP in another window.

Thank you @mschersten :)

[AbbyJonesDev]

@AzerinnD - I tried your strategy today, but it doesn't seem to work for me. As a starting place, I just did this:

connect.core.eventBus.subscribe(connect.EventType.TERMINATED, () => console.log('Logout event'));

Then I tried logging out in a separate tab, but the callback was never fired. Do you see something I'm missing?

Our workaround for logging out right now is to include a "Logout" link in our UI that does a few cleanup things and then redirects to https://INSTANCE.awsapps.com/connect/logout
This does the job as long as agents remember to use our link, but it doesn't give us a chance to update the UI if they use the logout link embedded in the iframe or logout from a different tab.

I was glad to find this thread. We're really hoping for cleaner login and logout options soon, too.

EDIT: Scratch the first part. I was looking at another issue and realized what I was missing. In case anyone else needs it, this works:

let eventBus = connect.core.getEventBus();
  eventBus.subscribe(connect.EventType.TERMINATED, function () {
    console.log('Logged out');
    // Do stuff...
  });

Thanks for the tip on how to get this info!

[ninjamike54]

Sorry, I completely forgot to mention logging out in my previous answer. I can see logging out as something that we would give API access to; I'm not sure whether it would be natively on the Streams API (we'll have to figure out what that would look like), but it might make sense.

Logging in, however, is unlikely in my view to end up on the Streams API since it's fundamentally designed to interact with an authenticated user. It's possible to programmatically sign in and initialize the Streams library with that authentication context (via SAML / SSO which I linked above and has fully launched at this point), but I find it doubtful that there'll be a direct API within THIS library for signing in.

I'll cut a tracking item on our side to look into exposing logout on Streams, and what that would involve. Hold tight for an update, I'll let you all know when I know more.

[AbbyJonesDev]

@ninjamike54 - Thanks for keeping us posted.

I think we'd be ok with a separate login tab as long as there's some way to close it and/or redirect the user back to the custom UI after they log in.

[mschersten]

I want to share an idea that I've suggested to AWS support. While it sounds like getting rid of the login page altogether isn't going to be possible, if we could just replace the Connect logo with our own image that would remove the most visible branding. The url will still include awsapps, but that's a little less intrusive then the logo itself. I envision this as a part of the AWS console rather than the Connect console, where we set recording and whitelisting and available Lexbots and things like that.

[AzerinnD]

@mschersten between that and allowing us to supply a redirect url, a config option to display a simple page saying to close the window, or something along similar lines (so that after login the regular CCP is not displayed). It would go a long way towards solving the issues with agent login (at least for us)

[CiscoKidxx]

@mschersten between that and allowing us to supply a redirect url, a config option to display a simple page saying to close the window, or something along similar lines (so that after login the regular CCP is not displayed). It would go a long way towards solving the issues with agent login (at least for us)

@ninjamike54 - Thanks for the details to date. Have any of the requests from this topic made it onto a roadmap? I'm most interested in login branding and redirect URL.

[alxx]

Refused to display 'https://INSTANCE.awsapps.com/connect/login?landat=%2Fconnect%2Fccp#/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I've got the very same issue; once I've logged out using the link in the iframe, I can't log back in because of the error above. The first request to the ccpUrl, which is 'https://INSTANCE.awsapps.com/connect/ccp#', returns a Location header:

Location: /connect/login?landat=%2Fconnect%2Fccp

But then the same server complains about its own X-Frame-Options. That's a bit silly.

I'm using SAML here for federated SSO.

[james-work-account]

I'll cut a tracking item on our side to look into exposing logout on Streams, and what that would involve. Hold tight for an update, I'll let you all know when I know more.

Hi @ninjamike54 - has any progress been made on this?

The best I've managed so far is to call the /connect/logout route (with something like window.open(url, "_blank")) and then refresh the page (with something like window.location.reload()), but this isn't a viable option for me since I'm using React and lose all state on a page refresh; I don't want to have to start storing state in localStorage or something just because there's no other solution.

[ctwomblyamzn]

Hi, this thread has been open a long time, and its something that we are still aware of. An internal team is working on this feature, but it is a big effort, so I'm unable to a proper estimate for when our authentication story will improve. When we do release this change, it will be announced in this repo and by Amazon Connect as an organization.

[CiscoKidxx]

@ctwomblyamzn - 10 months later, looking for an update.

[ctwomblyamzn]

Hi @CiscoKidxx unfortunately, no updates to share. We are still aware of the feature request and it is being tracked. That's all of the information I have at this time.

[jbflow]

Any news on this? Considering implementing SSO but a Log in/out option in the API/SDK/CLI in some form would be really useful.

[thtliife]

Are the connect users stored using a cognito pool?
I ask because amplify has the ability to use cognito pools for login without requiring additional popups etc, and I imagine we could leverage that if we had some way of interacting with the pool that users are in (If it is indeed cognito)

[vtrofin]

I think we're encountering a similar issue to what @alxx and @AzerinnD have described above. We log-out by calling the /connect/logout route and then when signing back in I receive the following error

connect-streams.js:28323 Uncaught StateError: There is no upstream conduit!
    at new connect2.StateError (connect-streams.js:32757:20)
    at connect2.core.getUpstream (connect-streams.js:28323:13)
    at connect-streams.js:34:22
    at Array.forEach (<anonymous>)
    at HTMLIFrameElement.<anonymous> (connect-streams.js:33:22)
chromewebdata/:1 Refused to display 'https://<my-instance-id>.my.connect.aws/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

It takes a few seconds until the connect panel refreshes itself and re-initializes. You can see a quick example here of this behavior when signing back into connect. We've implemented the auth flow with Cognito as IDP as described in the video call escalation example.

Is there any way I could fix this in my implementation? Is there any url param to provide on login so that we don't have to wait for the connect instance's refresh?

[github-actions]

This issue is stale because it has been open for 90 days with no activity. Remove stale label or comment to keep this active.

[github-actions]

It has been a while and we are closing this for now. Please reopen if this is still an issue

[rabinthapa18]

Any news on this? Considering implementing SSO but a Log in/out option in the API/SDK/CLI in some form would be really useful.

Any update yet about login option using API or SDK?