OAuth - Error handling auth response. Error: invalid_grant for Federated Google Login after deleting account #6172
Comments
Having the same error with "@aws-amplify/auth": "^3.2.4", but with an External OIDC Provider
Facing the same error with "aws-amplify": "3.0.19" and Azure AD SAML authentication
@Jun711 I follow the same steps as you mention and I couldn't reproduce when I was deleting the linked account on Cognito console. I used this Pre SignUp trigger code for linking the account:

```js
// Cognito Pre Sign-up Lambda trigger: when a federated (external provider) user
// signs up, find an existing user pool user with the same email and link the
// federated identity to it.
const CognitoIdentityServiceProvider = require('aws-sdk/clients/cognitoidentityserviceprovider')
const cognitoIdp = new CognitoIdentityServiceProvider()

// Look up user pool users whose email attribute matches exactly.
const getUserByEmail = async (userPoolId, email) => {
  const params = {
    UserPoolId: userPoolId,
    Filter: `email = "${email}"`
  }
  return cognitoIdp.listUsers(params).promise()
}

// Link the external identity (SourceUser) to the existing native user (DestinationUser).
const linkProviderToUser = async (username, userPoolId, providerName, providerUserId) => {
  const params = {
    DestinationUser: {
      ProviderAttributeValue: username,
      ProviderName: 'Cognito'
    },
    SourceUser: {
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerUserId,
      ProviderName: providerName
    },
    UserPoolId: userPoolId
  }
  return cognitoIdp.adminLinkProviderForUser(params).promise()
}

exports.handler = async (event, context, callback) => {
  // Only act on sign-ups coming from an external identity provider.
  if (event.triggerSource === 'PreSignUp_ExternalProvider') {
    const userRs = await getUserByEmail(event.userPoolId, event.request.userAttributes.email)
    if (userRs && userRs.Users.length > 0) {
      // event.userName example: "Facebook_12324325436" (provider name, underscore, provider subject).
      // Split only on the first underscore so a subject that itself contains
      // underscores is not truncated.
      const [ providerName, ...rest ] = event.userName.split('_')
      const providerUserId = rest.join('_')
      await linkProviderToUser(userRs.Users[0].Username, event.userPoolId, providerName, providerUserId)
    } else {
      console.log('user not found, skip.')
    }
  }
  return callback(null, event)
}
```

Can you share the steps you are doing for linking the account and deleting the linked account?
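The linking logic in the comment above can be exercised offline without a user pool. The following is an added example, not code from this issue, from Amplify or from the AWS SDK: it separates the `userName` parsing and the `ListUsers` filter construction into small functions, links only to native (non-`EXTERNAL_PROVIDER`) users, and runs the handler against a constructed in-memory stand-in for the Cognito client that exposes just `listUsers` and `adminLinkProviderForUser` with `.promise()` (an assumption about the only two calls the trigger needs). The sample user pool id, username, subject and email are constructed values.

```javascript
// Parse the trigger's userName ("<ProviderName>_<provider subject>") at the
// FIRST underscore only: OIDC/SAML subjects may themselves contain underscores,
// so a plain split('_') would silently truncate them.
function parseExternalUserName(userName) {
  const idx = userName.indexOf('_');
  if (idx <= 0 || idx === userName.length - 1) {
    throw new Error(`unexpected external userName format: ${userName}`);
  }
  return { providerName: userName.slice(0, idx), providerUserId: userName.slice(idx + 1) };
}

// Build the ListUsers filter. The email is interpolated into a quoted string,
// so reject values containing quotes or backslashes rather than producing a
// filter that would be parsed differently from what the trigger intends.
function emailFilter(email) {
  if (typeof email !== 'string' || /["\\]/.test(email)) {
    throw new Error('refusing to build ListUsers filter from malformed email');
  }
  return `email = "${email}"`;
}

// Constructed stand-in for the Cognito IdP client (assumption: only these two
// methods are needed by the trigger). Records every link request it receives.
function makeFakeCognito(users) {
  const linked = [];
  return {
    linked,
    listUsers: (params) => ({
      promise: async () => {
        const m = /^email = "(.*)"$/.exec(params.Filter);
        const wanted = m ? m[1] : null;
        return {
          Users: users.filter((u) => u.UserPoolId === params.UserPoolId && u.email === wanted),
        };
      },
    }),
    adminLinkProviderForUser: (params) => ({
      promise: async () => { linked.push(params); return {}; },
    }),
  };
}

// The trigger body, with the client injected so it can be tested.
async function preSignUpHandler(event, cognito) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return event;
  const email = event.request.userAttributes.email;
  const { Users } = await cognito.listUsers({
    UserPoolId: event.userPoolId,
    Filter: emailFilter(email),
  }).promise();
  // Link only to a native user; a leftover EXTERNAL_PROVIDER user with the
  // same email is not a valid link destination.
  const native = Users.filter((u) => u.UserStatus !== 'EXTERNAL_PROVIDER');
  if (native.length === 0) return event;
  const { providerName, providerUserId } = parseExternalUserName(event.userName);
  await cognito.adminLinkProviderForUser({
    DestinationUser: { ProviderAttributeValue: native[0].Username, ProviderName: 'Cognito' },
    SourceUser: {
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerUserId,
      ProviderName: providerName,
    },
    UserPoolId: event.userPoolId,
  }).promise();
  return event;
}

// Constructed sample: one CONFIRMED native user plus a stale EXTERNAL_PROVIDER
// record with the same email, and a Google sign-up whose subject contains an underscore.
const SAMPLE_USERS = [
  { UserPoolId: 'us-east-1_EXAMPLE', Username: 'native-user', email: 'alice@example.com', UserStatus: 'CONFIRMED' },
  { UserPoolId: 'us-east-1_EXAMPLE', Username: 'Google_old', email: 'alice@example.com', UserStatus: 'EXTERNAL_PROVIDER' },
];
const SAMPLE_EVENT = {
  triggerSource: 'PreSignUp_ExternalProvider',
  userPoolId: 'us-east-1_EXAMPLE',
  userName: 'Google_1098_7654',
  request: { userAttributes: { email: 'alice@example.com' } },
};

// Runs the handler once against the fake client and returns the link requests it made.
async function runSample() {
  const cognito = makeFakeCognito(SAMPLE_USERS);
  await preSignUpHandler(SAMPLE_EVENT, cognito);
  return cognito.linked;
}
```

Calling `runSample()` yields a single `AdminLinkProviderForUser` request whose destination is `native-user` and whose source subject is the full `1098_7654`; the same event with a quote in the email is rejected before any filter is sent.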
This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server.
Describe the bug
After deleting a google EXTERNAL_PROVIDER account, within the next hour, if I create a Cognito account using the same gmail and link them, I cannot use `Auth.federatedSignIn({provider: 'Google'})` to log in again, and the error is `Error: invalid_grant`.
It would work fine without first deleting a google EXTERNAL_PROVIDER account.
Note that I am able to login with Google and link account in backend. This error only happens when a google EXTERNAL_PROVIDER account is deleted and recreated within an hour.
It seems to be caused by token not reset in Cognito.
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
I have checked #3185. Mine doesn't have 2 token requests.
I have checked #6041, but the steps to reproduce are different as mine has a deleting-account step.
I have checked #5829. It seems to be the same issue as #3185.
It could be related to #4720
To Reproduce
Steps to reproduce the behavior:
1. login with google (an account with EXTERNAL_PROVIDER status would appear in the user pool). Note that there is no Cognito account with the same gmail in the user pool.
2. delete this EXTERNAL_PROVIDER account using the following code
3. sign up for a Cognito account using the same gmail (an account with UNCONFIRMED status would appear in the user pool)
4. login with google again using the same gmail (step 1). This time the EXTERNAL_PROVIDER account would be linked with the cognito account that has the same email. The token endpoint `https://my-domain/oauth2/token` would fail with the `OAuth - Error handling auth response. Error: invalid_grant` error.
Expected behavior
1. Token for Login with Google is reset after deleting an EXTERNAL_PROVIDER account.
2. Login with Google can log in successfully after deleting an EXTERNAL_PROVIDER account.
Code Snippet
login with Google
delete account
What is Configured?
I was using "aws-amplify": "^3.0.9" when I first tested. I have updated it to 3.0.18 but I got the same error.
manual configuration:
Environment
"aws-amplify": "^3.0.18"
"@aws-amplify/auth": "^3.2.13"