
Missing nonce when using AWS Cognito HostedUI #3129

Closed
2 of 13 tasks
PritamDutt opened this issue Jun 1, 2023 · 6 comments
Assignees
dnys1
Labels
  • auth: Issues related to the Auth Category
  • bug: Something is not working; the issue has reproducible steps and has been reproduced
  • pending-release: Issues that have been addressed in main but have not been released

Comments

@PritamDutt

Description

As of the current release of the SDK, the presence of a nonce in the idToken (JWT) is mandatory for authentication to go through, which is not possible if one has implemented the AWS Cognito Hosted UI as per the following links:

My suggestion would be to relax this requirement, maybe by means of some configurable flag, till we have the blessings of the Cognito team 🤓

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Storage

Steps to Reproduce

  1. Set up a Cognito user pool with a custom hosted UI, e.g. AWS Sample
  2. Create a user in the pool
  3. Create a client ID
  4. Set up the Flutter app
  5. Configure the Flutter app to use the client ID set up in Step 3 above (AWS Sample)
  6. Choose to log in using the hosted UI

Result: you get a missing nonce error

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.3.10

Amplify Flutter Version

1.1.0

Deployment Method

Amplify CLI

Schema

No response

@Equartey Equartey added the auth (Issues related to the Auth Category) and pending-triage (This issue is in the backlog of issues to triage) labels Jun 1, 2023
@dnys1
Contributor

dnys1 commented Jun 1, 2023

Hi @PritamDutt, sorry you are facing this issue. This seems to be an issue in the identity broker implementation (awslabs/aws-amplify-identity-broker#127) since both the OpenID Connect specification and Cognito's own docs mandate the inclusion of a nonce value in the ID token when it's sent with the authorization request.

If we changed the implementation to accommodate the identity broker, we would potentially be lowering the security posture for Cognito users. I'm not sure how best to handle the situation, but I will bring it to the attention of my team to see what we can do.

@dnys1 dnys1 self-assigned this Jun 1, 2023
@dnys1 dnys1 mentioned this issue Jun 1, 2023
@dnys1 dnys1 added the Investigating (Issues that are assigned and are being looked into) label and removed the pending-triage (This issue is in the backlog of issues to triage) label Jun 1, 2023
@PritamDutt
Author

@dnys1 Really appreciate your commitment to ensuring implementation of the OIDC specs; however, considering the fact that there is no way (at least not to my knowledge) to pass on the incoming nonce value in the AdminInitiateAuth / InitiateAuth ops being performed in the custom /oauth2/authorize Lambda function, I think there is a need to make room for this limitation imposed by AWS's own SDK.

@dnys1
Contributor

dnys1 commented Jun 2, 2023

Understood, and thank you for all the info. I will keep you posted.

@dnys1
Contributor

dnys1 commented Jun 28, 2023

Hi @PritamDutt, we are looking into removing the nonce check since it seems to mainly protect against replay attacks with the implicit OAuth grant, which we don't support. I will keep you posted on the progress and have opened a PR here if you want to work with that in the meantime.
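To make concrete what the two comments above are weighing (the OIDC rule that a nonce sent in the authorization request must come back in the ID token, versus a flow where the client never sent one and a strict "nonce always required" check fails), here is an added illustration of the relying-party side of that check. It is not Amplify's or the identity broker's code; the token fixture is constructed, the signature segment is a placeholder, and the `require_nonce` switch is a hypothetical knob that stands in for the strict and relaxed behaviours the thread describes.

```python
import base64
import json
import secrets
from typing import Optional, Tuple

# Added example: how an OpenID Connect relying party checks the nonce claim of
# an ID token against the nonce it sent. Constructed fixtures, not library code.


def new_nonce() -> str:
    """Fresh per-login nonce; the client keeps it until the ID token arrives."""
    return secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_id_token(claims: dict) -> str:
    """Constructed test fixture: a compact JWT whose signature is a placeholder.

    Only the payload matters here. Signature, issuer, audience and expiry
    verification are separate steps that must run before the nonce check
    (and this fixture would rightly fail them).
    """
    header = {"alg": "RS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(claims, **compact).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT into its claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_nonce(claims: dict, sent_nonce: Optional[str],
                require_nonce: bool) -> Tuple[bool, str]:
    """Apply the nonce rule and return (accepted, reason).

    sent_nonce: the value the client placed in the authorization request, or
                None if it sent none (e.g. a flow that cannot forward it).
    require_nonce: hypothetical switch. True reproduces the strict behaviour
                the thread reports (reject whenever the claim is absent);
                False is the relaxed behaviour for the authorization code grant.
    """
    token_nonce = claims.get("nonce")
    if sent_nonce is not None:
        # OIDC Core 3.1.3.7 step 11: a nonce was sent, so the claim MUST be
        # present and MUST equal it. Compare in constant time.
        if not isinstance(token_nonce, str):
            return False, "nonce sent but ID token has no nonce claim"
        if not secrets.compare_digest(token_nonce.encode(), sent_nonce.encode()):
            return False, "nonce mismatch"
        return True, "nonce matches"
    if token_nonce is None:
        if require_nonce:
            return False, "nonce claim required but absent"
        return True, "no nonce sent and none required"
    # An unsolicited nonce has nothing to be compared against; it proves nothing.
    return True, "unsolicited nonce claim ignored"


def scenarios() -> dict:
    """Run the cases discussed in the thread and report whether each is accepted."""
    nonce = new_nonce()
    with_nonce = id_token_claims(build_sample_id_token({"sub": "user-1", "nonce": nonce}))
    without_nonce = id_token_claims(build_sample_id_token({"sub": "user-1"}))
    return {
        # Normal hosted-UI login: nonce sent and echoed back.
        "standard_flow": check_nonce(with_nonce, nonce, True)[0],
        # Token carries some other nonce (stale or replayed response).
        "wrong_nonce": check_nonce(with_nonce, new_nonce(), True)[0],
        # Flow that never sent a nonce, checked strictly: the reported error.
        "no_nonce_strict": check_nonce(without_nonce, None, True)[0],
        # Same flow with the relaxed check the thread proposes.
        "no_nonce_relaxed": check_nonce(without_nonce, None, False)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design point is that the check is conditional on what the client itself sent: a nonce it generated and remembered is the only thing the claim can be meaningfully compared against, so a relying party that cannot forward a nonce gains nothing from demanding one, while a relying party that did send one must still reject a token that lacks or mismatches it.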

@dnys1 dnys1 added the bug (Something is not working; the issue has reproducible steps and has been reproduced) label and removed the Investigating (Issues that are assigned and are being looked into) label Jun 28, 2023
@dnys1 dnys1 added the pending-release (Issues that have been addressed in main but have not been released) label Aug 2, 2023
@dnys1
Contributor

dnys1 commented Aug 2, 2023

Hi @PritamDutt, sorry for the long delay on this. The fix has been merged and will be released in the near future.

@dnys1
Contributor

dnys1 commented Aug 7, 2023

@PritamDutt this has been fixed in Amplify Auth v1.3.1. Thanks for your patience in resolving this issue.

@dnys1 dnys1 closed this as completed Aug 7, 2023