OAuth - Error handling auth response. Error: invalid_grant #6041
Comments
I've made an interesting discovery, which I'll share, but first a little background. This user pool serves both a web-app and a react-native app (Expo). There are actually three user pools for: dev, staging, and prod. This means that the callback and sign-out urls are mixed, like the below:

dev:
Callback URL(s): exp://192.168.1.116:19000/--/, https://localhost:3000/auth-callback
Sign out URL(s): exp://192.168.1.116:19000/--/, https://localhost:3000

staging:
Callback URL(s): exp://exp.host/@kimfucious/myapp-staging, https://staging.myapp.com/auth-callback
Sign out URL(s): exp://exp.host/@kimfucious/myapp-staging, https://staging.myapp.com

production:
Callback URL(s): myapp://, https://myapp.com/auth-callback
Sign out URL(s): myapp://, https://myapp.com

My reporting of this issue is based on the web-app's behavior in dev, at the moment. I do use a manual configuration of Amplify, so that the web app and react-native app only use the callback and sign-out urls that are pertinent to them, so in the web-app, this would look like this as part of a larger config (based on ...

```js
oauth: {
  domain: "myapp-dev.auth.[region].amazoncognito.com",
  scope: [
    "phone",
    "email",
    "openid",
    "profile",
    "aws.cognito.signin.user.admin"
  ],
  redirectSignIn: "https://localhost:3000/auth-callback",
  redirectSignOut: "https://localhost:3000",
  responseType: "code"
},
```

...

My discovery is that removing the exp urls from the dev user pool (via the UI or via Amplify CLI), like the below, will fix the strange behavior that I mentioned prior:

dev:
Callback URL(s): https://localhost:3000/auth-callback
Sign out URL(s): https://localhost:3000

However, doing the above, unfortunately, breaks the RN app auth process. As an added quirk, the user pool currently (automatically) sorts the Sign in and sign out URLs, as I've raised here, so I can't simply re-order the URLs to get this to work. If this is not a bug, I'd sure like to know what I'm doing wrong here! 🌮
I'm also getting a similar issue – creating an initial user through Facebook works fine, but using the preSignUp script to link an existing user with a social account results in the

@kimfucious

can you please share the

Hey @kimfucious, as you have found and what we recommend to solve this use case is around the pre signup scripts. We do, in the Amplify CLI, have Lambda Triggers that you are able to configure against
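As an added example (not code from this issue, from Amplify, or from the Amplify CLI's trigger templates), this is the shape of the pre signup Lambda the comments above refer to: a Cognito `PreSignUp_ExternalProvider` handler that links a federated Google or SignInWithApple sign-in to the existing username/password user with the same e-mail. The pool id, usernames and the `email_verified` attribute mapping from each provider are assumptions; the verified-e-mail check is what stops a stranger's social account from being linked to a native user.

```javascript
// Added example (not from the issue or from Amplify): a Cognito PreSignUp
// trigger that links a federated Google / SignInWithApple sign-in to an
// existing username/password user that has the same (verified) e-mail.
// Federated usernames arrive as "<ProviderName>_<providerUserId>".
function parseFederatedUserName(userName) {
  const i = userName.indexOf("_");
  if (i <= 0 || i === userName.length - 1) return null;
  return { providerName: userName.slice(0, i), providerUserId: userName.slice(i + 1) };
}

// Link only when the identity provider asserted the e-mail as verified; otherwise
// anyone who registers a social account with a victim's address would be linked
// to the victim's native user. Returns AdminLinkProviderForUser input or null.
function buildLinkInput(event, existingUsername) {
  if (event.triggerSource !== "PreSignUp_ExternalProvider") return null;
  const attrs = event.request.userAttributes || {};
  if (String(attrs.email_verified) !== "true") return null;
  const fed = parseFederatedUserName(event.userName);
  if (!fed) return null;
  return {
    UserPoolId: event.userPoolId,
    DestinationUser: { ProviderName: "Cognito", ProviderAttributeValue: existingUsername },
    SourceUser: {
      ProviderName: fed.providerName,
      ProviderAttributeName: "Cognito_Subject",
      ProviderAttributeValue: fed.providerUserId,
    },
  };
}

// Lambda entry point (export it as the trigger's handler). The AWS SDK v3 client
// is created lazily so the pure decision logic above runs without the SDK installed.
async function handler(event, _context, client) {
  const email = (event.request.userAttributes || {}).email;
  if (event.triggerSource !== "PreSignUp_ExternalProvider" || !email) return event;
  const sdk = require("@aws-sdk/client-cognito-identity-provider");
  const cip = client || new sdk.CognitoIdentityProviderClient({});
  const found = await cip.send(new sdk.ListUsersCommand({
    UserPoolId: event.userPoolId,
    Filter: `email = "${email.replace(/"/g, "")}"`, // exact-match filter on the pool
    Limit: 1,
  }));
  const existing = (found.Users || [])[0];
  const input = existing && buildLinkInput(event, existing.Username);
  if (input) await cip.send(new sdk.AdminLinkProviderForUserCommand(input));
  return event;
}
```

`handler` takes an optional injected client so the lookup-and-link path can be exercised against a stub in a unit test before the function is wired to the user pool.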
This is a weird one, but I've exhausted myself trying to get to the bottom of it, so I'm asking it here, thinking it is a bug, due to the very specific behaviour.
The behaviour is similar to #3185, but different, I think.
After the initial username/password user has been created, a user can sign in using `Auth.federatedSignIn({ provider: "SignInWithApple"});`. It works smashingly! (even though I know it's not supported officially by Amplify yet).

However, after the initial username/password user has been created, if the user tries to log in with Google, before attempting to sign in with Apple, via `Auth.federatedSignIn({ provider: "Google"});`, an error is thrown when trying to do a post to https://myapp.auth.[region].amazoncognito.com/oauth2/token.

The error message is:

OAuth - Error handling auth response. Error: invalid_grant
What appears to happen is: the user is returned to the app via the user pool callbackUrl, at which point Hub receives this and says:
"Retrieving tokens from https://myapp.auth.[region].amazoncognito.com/oauth2/token"
That's when the error is thrown. And since the error is thrown, the preSignup script is never called (so says CloudWatch), and the app is stuck in the water.
I understand this error means that one of the following has occurred:
For the record, I am not calling `Amplify.configure(awsconfig);` twice anywhere. It's called once in index.js.

Now here's the weird part...
I can only sign in with Google after first signing in with Apple (after the initial username/password user is created, as mentioned prior).
In other words, after I create the initial username/password user, I can immediately (without ever signing in with username/password) sign in with Apple, but I can't with Google.
But after I sign in with Apple, I then can sign in with Google.
And I got no idea why 🤷
I realize this is weird and that you may need more info, so please ask for what you may need, and I'll be happy to share.