Missing nonce when using AWS Cognito HostedUI #3129
Comments
Hi @PritamDutt, sorry you are facing this issue. This seems to be an issue in the identity broker implementation (awslabs/aws-amplify-identity-broker#127), since both the OpenID Connect specification and Cognito's own docs mandate the inclusion of a nonce. If we changed the implementation to accommodate the identity broker, we would potentially be lowering the security posture for Cognito users. I'm not sure how best to handle the situation, but I will bring it to the attention of my team to see what we can do.
@dnys1 I really appreciate your commitment to ensuring implementation of the OIDC specs; however, considering the fact that there is no way (at least not to my knowledge) to pass on the incoming
Understood, and thank you for all the info. I will keep you posted.
Hi @PritamDutt, we are looking into removing the nonce check, since it seems to mainly protect against replay attacks with the implicit OAuth grant, which we don't support. I will keep you posted on the progress and have opened a PR here if you want to work with that in the meantime.
Hi @PritamDutt, sorry for the long delay on this. The fix has been merged and will be released in the near future.
@PritamDutt this has been fixed in Amplify Auth v1.3.1. Thanks for your patience resolving this issue.
Description
As per the current release of the SDK, the presence of nonce in the idToken (JWT) is mandatory for authentication to go through, which is not possible if one has implemented AWS Cognito Hosted UI as per the following links: the usage of the AWS SDK and AdminInitiateAuth/InitiateAuth does not allow providing a nonce as per the issuance of the JWTs.
You can't modify the nonce claim
My suggestion would be to relax this requirement, maybe by means of some configurable flag, until we have the blessing of the Cognito team 🤓
Steps to Reproduce
Result: you get missing nonce error
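The two behaviours discussed in this issue, the strict check that rejects an ID token with no nonce claim and the relaxed check that accepts one when the client never sent a nonce, side by side in an added example. This is illustration code, not Amplify Flutter or Cognito code: the token is constructed inline and signed with a throwaway HMAC key so it runs offline (real Cognito ID tokens are RS256-signed and are verified against the user pool's JWKS), and the issuer and client ID values are made up.

```python
"""Validating OIDC ID-token claims with and without a mandatory nonce.

Added example (not Amplify Flutter or Cognito code). The token is built
inline and signed with a throwaway HMAC key so this runs offline; real
Cognito ID tokens are RS256-signed and are verified against the user
pool's JWKS instead. Issuer and client ID values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"demo-hmac-key-not-for-production"  # assumption: throwaway key
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # constructed
CLIENT_ID = "example-app-client-id"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a compact HS256 JWT with the demo key (stand-in for Cognito)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_verified(token: str) -> dict:
    """Check the signature before trusting any claim in the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def validate_id_token(token: str, expected_nonce=None, require_nonce=True, now=None) -> dict:
    """Validate iss/aud/exp and the nonce, returning the claims on success.

    expected_nonce: the nonce this client put in its authorization request,
        or None if it could not send one (the Hosted UI / InitiateAuth case).
    require_nonce: reject tokens that carry no nonce even when the client
        sent none (the behaviour the issue reports); False mirrors the
        relaxed check described in the thread.
    """
    claims = decode_verified(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("aud mismatch")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    nonce = claims.get("nonce")
    if expected_nonce is not None:
        # The client sent a nonce, so it must come back unchanged: this is
        # what ties the ID token to this particular login attempt.
        if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()
        ):
            raise ValueError("nonce mismatch")
    elif nonce is None and require_nonce:
        raise ValueError("missing nonce")
    return claims


def outcome(token: str, **kwargs) -> str:
    """Run the validator and report 'accepted' or 'rejected: <reason>'."""
    try:
        validate_id_token(token, **kwargs)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def hosted_ui_style_token(now: int) -> str:
    """Constructed stand-in for a token issued via Hosted UI / InitiateAuth:
    the usual claims, but no nonce, because the client could not send one."""
    return make_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                       "token_use": "id", "iat": now, "exp": now + 3600})


if __name__ == "__main__":
    current = int(time.time())
    tok = hosted_ui_style_token(current)
    print("strict :", outcome(tok, require_nonce=True, now=current))   # rejected: missing nonce
    print("relaxed:", outcome(tok, require_nonce=False, now=current))  # accepted
```

The point the relaxed branch preserves is that the check is only dropped when the client sent no nonce; whenever one was sent, a missing or different nonce claim is still a hard failure, and a token whose payload is altered after issuance fails the signature check before any claim is looked at.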
Flutter Version
3.3.10
Amplify Flutter Version
1.1.0
Deployment Method
Amplify CLI