Not able to get any OAuth or Custom Scopes in Access Token #3732
Comments
|
@hanslai Have you tried using Auth.federatedSignIn as described here? |
haverchuck
added
Auth
|
@haverchuck, I thought FederatedSignIn is for social provider only, but our App does not use any social providers, we are only use Cognito for now. Or I didn't understand this correctly? Is it possible for me to use FederatedSignIn without any social provider but Cognito user pool only? I understand that Cognito User Pool itself is a valid OAuth2/OIDC Identity Provider, so I was able to get the OAuth2 Scopes from the token endpoint. Yet, just not sure how to do it with Amplify. |
stale
bot
removed
the
pending-close-response-required
|
@hanslai - Apologies- I misread your question. I'll try to look into this further. |
|
@haverchuck any update on this? |
stale
bot
added
the
pending-close-response-required
|
@hanslai I believe that if you want to use OAuth, you would still call To do this basic OAuth flow, you would need to setup a Hosted UI domain and redirect / signout URLs, which the Amplify CLI can assist you with. |
stale
bot
removed
the
pending-close-response-required
haverchuck
added
the
pending-close-response-required
|
This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems. |
|
This is a fairly critical issue in my opinion because having the access token without scopes makes it unusable when accessing an API gateway which is secured by specifying scopes. The only options left to have a functional workflow are either to use the hosted UI (which is really limited in terms of customization) OR to use the identity token as a form authorization (which is an anti pattern) |
|
Please make this work! We need to be able to send the access token to our backend and call the userinfo endpoint there to get some information about the user. |
|
I´m having the same issue. I can´t get the custom scopes back using Amplify, I only get them back using the custom UI. |
|
Don't understand how this issue is closed when lot of people is requesting this feature!! |
|
Same problem here... How do I get custom scopes in access token? |
|
Given that you can request custom scopes when authenticating using the hosted UI via the Cognito User Pool (as opposed to Facebook), I expect authentication via the Amplify Authenticator React/VueJS component to support exactly the same feature. In both cases (hosted UI or Authenticator component), you are still using Cognito User Pool as an IdP and should be able to request your desired scopes. |
|
Any updates on this issue? I'm having the exact same problem |
|
I'm also unable to protect API gateway endpoints with the For example, (using serverless framework), I'm only able to check for functions:
protectedViaScope:
handler: src/protected.handler
events:
- http:
path: protected
method: post
cors: true
authorizer:
type: COGNITO_USER_POOLS
authorizerId:
Ref: ApiGatewayAuthorizer
scopes:
# Hack/workaround: only aws.cognito.signin.user.admin works =(
- aws.cognito.signin.user.admin
# 👇 wont work b/c scopes arent on the accessToken
# - users/delete
# - users/addHow are people working around this amplify/cognito limitation? Only using IAM roles? |
|
I think it is also true that not every user wants the admin scope
A regular user of an application does not need user admin rights on Cognito, probably just wants some sort of read/write access to parts of an application back-end. |
|
This is also an issue for us |
|
We are also impacted by this issue. Very similar use case to @DavidWells. We have protected a few different API Gateway endpoints using different custom scopes and the only scope we ever get back when using AmplifyJS is the |
|
We are also impacted by this issue. Can't write e2e integration tests because the token does not have the necessary scopes to hit api gateway. |
|
+1 on this being an issue for our team. Amplify is useless if we want custom login UI and use API Gateway with custom scopes. |
|
+1 also experiencing this issue |
|
Same here.. Is it possible to have any update on this? |
|
Hello @adambeer @panterozo - we do not have an update yet. We will provide an update when we have the next steps clear with Cognito. |
Thank you @abdallahshaban557 for letting us know this is a limitation with Cognito, and not Amplify. This is helpful when it comes to ultimately deciding if we want to use Amplify in our next project, and trying to find a workaround. Can I ask, is the limitation you mentioned anything to do with the large callout at the top of this page? https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html For ease, i'll paste it here
Emphasis mine, to clear up any confusion it means to use the AWS Hosted UI to handle Login, instead of using the User Pools API (Which is what I assume the Auth.SignUp and Auth.SignIn functions use under the hood). So I assume that is what you are talking about? |
|
@abdallahshaban557 Can you tell us why the Cognito team is not prioritizing such a crucial feature? |
|
@PeelyZenobe - yes, you are correct! @marcjulianfleck - they are working on enabling it ASAP. We apologize this has taken so long. |
Thank you for getting back to me so fast @abdallahshaban557, I really appreciate it. It's good to hear that the Cognito team are working on enabling it ASAP :) To free you up from being a constant go-between, is there an Cognito representative in this Issue thread? Or another Issue we can track the Cognito teams progress on? As you said, it's not an Amplify problem. |
|
@abdallahshaban557 Any luck this month? |
|
any update on this? It seems like aws is going down the drain, time to move to GCP. |
|
Hey that’s awesome to hear. Thanks a lot Chris.
…On Fri, Sep 22, 2023 at 1:06 PM Chris Womack ***@***.***> wrote:
Hey, @jamesh38 <https://github.com/jamesh38> and @shaktiks
<https://github.com/shaktiks> 👋. We can't announce an exact release date
just yet, but this feature is actively being worked on and planned for an
upcoming release. As soon as we can communicate an actual day it will be
available, we'll be sure to do so!
—
Reply to this email directly, view it on GitHub
<#3732 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA3OHUSBXCXPMN5IWIRX7F3X3XARRANCNFSM4IG2QWQQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
hey @cwomack thanks for looking into this |
|
Any update on this? Something I'm also running into unfortunately. I'm very close to choosing to migrate off of amplify and roll auth myself. |
Just to be clar, you don't need to "roll auth yourself". You can still just use Cognito without Amplify. Yes you can still only get the custom scopes if you use the Amazon Cognito provided Hosted UI (Which provides all of the Authentication journeys (Signup, Login, Password Reset and MFA) out of the box), but in my investigations it turns out that custom scopes aren't really needed that often, it's an anti-pattern to use them for User Permissions and you should be using another system to handle that. Machine-to-Machine stuff can use Cognito just fine to get customer scopes. |
|
Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ |
|
I'm just confirming that it is now possible to add custom scopes to the access token generated using Amplify. We were able to get this working using the steps found on: The lambda function we used is taken from the example on that page: export const handler = function(event, context) {
event.response = {
"claimsAndScopeOverrideDetails": {
"accessTokenGeneration": {
"scopesToAdd": [
"openid",
],
"scopesToSuppress": [
"aws.cognito.signin.user.admin"
]
},
}
};
// Return to Amazon Cognito
context.done(null, event);
};Which generates the following access token: {
"sub": "xxxx",
"iss": "https://xxxx.amazonaws.com/xxxx",
"client_id": "xxxx",
"origin_jti": "xxxx",
"event_id": "xxxx",
"token_use": "access",
"scope": "openid",
"auth_time": 1705450802,
"exp": 1705451102,
"iat": 1705450802,
"jti": "xxxx",
"username": "xxxx"
} |
It requires to use Probably for most of us using scope |
|
I was quite pleased when I saw the announcement that is was possible to modify the But then like @sgasior I realized it requires opting into **This is a 809.09% price increase per user. ** 😭 Surely there is a way to enable the new We just need this one simple feature, not everything that is included in the 
|
|
My annoying work around is to use AWS SDK GetUserCommand when the user only has the |
|
Hello! Any status update on this? Is there any workaround? We just made big refactoring in backend to support custom scopes and after that we realised that our apps made with amplify wouldn't work with it anymore. This is frustrating situation. |
|
We gave up on Amplify/Cognito. We've tried on multiple occasions to find a way to make it viable with different projects and, ultimately, this is the main issue that keeps us from using it. This thread is 5 years old and still active yet I haven't seen any indication that the team has any plans of fixing this. Beyond that, they should not advertise this product as a feature-complete authentication service because it isn't. More and more teams are committing to using this product only to realize it doesn't do as advertised after the build out their applications to it. What a let down. |
They fixed it December last year https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ @apekkar |
|
@Meags27 thanks for the link and clarification. Unfortunately, as @DavidWells mentioned in his comment, you must enable advanced security features in order to use this which drastically increases the cost and contains a lot of features we do not need. This decision means that this product will continue to not be viable for our team. |
|
Is there any update on this? the solution as mentioned by multiple users involves a crazy diference in cost per user which I find unaceptable and unviable, however I apreciate that at least there was something made about this issue however is far form the ideal solution |
|
Enabling advanced security features for this simple feature sounds crazy. I would appreciate it if the Cognito team could look at this request. |
and others
Which Category is your question related to?
Cognito, Oauth2/OIDC Access Token
What AWS Services are you utilizing?
Cognito User Pool
Provide additional details e.g. code snippets
Using either Auth.signIn or the Vue Authentication Components are not able to get any OAuth or Custom Scopes.
Sorry, I only have a image of the source my coworker sent me.
I also tested, I was able to get the OAuth scopes if I use the Token Endpoint in Postman
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
Or do we have to use https://github.com/aws/amazon-cognito-auth-js to get the scopes? But with Amplify I wonder do we still need to use this amazon-cognito-auth-js library? Actually, I am confused why there are two JS libraries for cognito.
both #1884 and #1370 have the same problem, which is not solved but closed. It has been almost a year on this issues already. Any update on this?
The text was updated successfully, but these errors were encountered: