Initiating auth in a Canary returns no data #2352

Closed
tweaver1 opened this issue May 5, 2021 · 3 comments
Labels: bug, closed-for-staleness, needs-triage, response-requested


tweaver1 commented May 5, 2021

Hi. I am attempting to use the v3 CognitoIdentityProviderClient to initiate an auth session using the USER_PASSWORD_AUTH
flow. I am able to successfully run that code in my local environment as well as in lambdas, obtaining a response object with
the expected AuthenticationResult property. However, when I attempt to execute the same code as part of a new Canary
that I've written, the response includes only the $metadata property and none of the expected data such as the
AuthenticationResult property. Oddly, the $metadata appears to indicate that the Cognito call succeeded (httpStatusCode: 200).
Also, strangely enough, if I convert the version 3 SDK code to use the equivalent calls in the version 2 SDK, the code works
and the response contains the expected properties, even in the Canary. Here is some basic code that appears to replicate the issue:

```js
import { InitiateAuthCommand, CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';

const handler = async (event) => {
    const cognitoIdentityProviderClient = new CognitoIdentityProviderClient({
        region: 'us-east-1'
    });

    const initiateAuthResult = await cognitoIdentityProviderClient.send(new InitiateAuthCommand({
        AuthFlow: 'USER_PASSWORD_AUTH',
        AuthParameters: {
            USERNAME: 'HIDDEN_DUE_TO_SECURITY_REASONS',
            PASSWORD: 'HIDDEN_DUE_TO_SECURITY_REASONS'
        },
        ClientId: 'HIDDEN_DUE_TO_SECURITY_REASONS'
    }));

    console.log('initiateAuthResult = ', initiateAuthResult);
};

exports.handler = handler;
```

And here is the equivalent SDK v2 code that does seem to work:

```js
import AWS from 'aws-sdk';

const handler = async (event) => {
    AWS.config.update({
        region: 'us-east-1'
    });

    const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

    const initiateAuthResult = await cognitoIdentityServiceProvider.initiateAuth({
        AuthFlow: 'USER_PASSWORD_AUTH',
        AuthParameters: {
            USERNAME: 'HIDDEN_DUE_TO_SECURITY_REASONS',
            PASSWORD: 'HIDDEN_DUE_TO_SECURITY_REASONS'
        },
        ClientId: 'HIDDEN_DUE_TO_SECURITY_REASONS'
    }).promise();

    console.log('initiateAuthResult = ', initiateAuthResult);
};

exports.handler = handler;
```

The result from the console.log() call in the SDK v3 code:

```
2021-05-05T00:51:05.910Z	1200bb97-7e3f-4c50-be84-30a1053e764c	INFO	initiateAuthResult =  {
  '$metadata': {
    httpStatusCode: 200,
    requestId: '4d85f73f-87e3-4044-a2f1-d3d9349d2c44',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  AuthenticationResult: undefined,
  ChallengeName: undefined,
  ChallengeParameters: undefined,
  Session: undefined
}
```

The result from the console.log() call in the SDK v2 code:

```
2021-05-04T21:55:22.398Z	ec7a8d59-e5ed-4adc-891d-07356fb5fb9d	INFO	initiateAuthResult =  {
  ChallengeParameters: {},
  AuthenticationResult: {
    AccessToken: 'HIDDEN_DUE_TO_SECURITY_REASONS',
    ExpiresIn: 3600,
    TokenType: 'Bearer',
    RefreshToken: 'HIDDEN_DUE_TO_SECURITY_REASONS',
    IdToken: 'HIDDEN_DUE_TO_SECURITY_REASONS'
  }
}
```

Another bit of information is that I was able to locate the Cognito invocation for the v3 call in the CloudTrail event logs. It appears to contain the authenticationResult information as expected:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "Anonymous"
    },
    "eventTime": "2021-05-05T00:51:05Z",
    "eventSource": "cognito-idp.amazonaws.com",
    "eventName": "InitiateAuth",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "18.207.108.46",
    "userAgent": "aws-sdk-js/3.14.0 os/linux/4.14.225-175.364.amzn2.x86_64 lang/js md/nodejs/12.22.1 api/cognito_identity_provider/3.14.0 exec-env/AWS_Lambda_nodejs12.x",
    "requestParameters": {
        "authParameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "clientId": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "authFlow": "USER_PASSWORD_AUTH"
    },
    "responseElements": {
        "authenticationResult": {
            "tokenType": "Bearer",
            "refreshToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "idToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
            "expiresIn": 3600
        },
        "challengeParameters": {}
    },
    "additionalEventData": {
        "sub": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "requestID": "4d85f73f-87e3-4044-a2f1-d3d9349d2c44",
    "eventID": "c0875bf4-0926-4765-9f62-b428b2bf034c",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "745229826602"
}
```

So, it appears that the contents of the response are somehow being removed somewhere between Cognito and the Canary in the v3 call. The Canary I'm using is running using the syn-nodejs-puppeteer-3.1 runtime.
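
An added example, not part of the original issue or of the AWS SDK: a canary-side guard that treats the HTTP 200 with no `AuthenticationResult` shown above as a failure, and redacts tokens before the response is logged. Function names and sample objects are hypothetical and constructed; the field names are those in the responses posted above.

```javascript
// Added example. Field names follow the InitiateAuth responses shown in the issue;
// function names and the sample objects below are hypothetical / constructed.
const TOKEN_FIELDS = ['AccessToken', 'IdToken', 'RefreshToken'];

// Classify an InitiateAuth response so an empty HTTP 200 is not mistaken for success.
function classifyAuthResponse(res) {
  const status = res && res.$metadata ? res.$metadata.httpStatusCode : undefined;
  const auth = res ? res.AuthenticationResult : undefined;
  if (auth && TOKEN_FIELDS.some((f) => typeof auth[f] === 'string' && auth[f].length > 0)) {
    return 'tokens';
  }
  if (res && res.ChallengeName) return 'challenge';
  return status === 200 ? 'empty-200' : 'error';
}

// Copy of the response that is safe to log: token values are replaced by their length.
function redactForLog(res) {
  const out = { ...res };
  if (res.AuthenticationResult) {
    out.AuthenticationResult = { ...res.AuthenticationResult };
    for (const f of TOKEN_FIELDS) {
      const v = out.AuthenticationResult[f];
      if (typeof v === 'string') out.AuthenticationResult[f] = `[redacted ${v.length} chars]`;
    }
  }
  if (res.Session) out.Session = '[redacted]';
  return out;
}

// Canary step: throw on anything except usable tokens so the run is marked failed.
function requireTokens(res) {
  const kind = classifyAuthResponse(res);
  if (kind !== 'tokens') {
    const id = res && res.$metadata ? res.$metadata.requestId : 'unknown';
    throw new Error(`InitiateAuth returned ${kind} (requestId ${id})`);
  }
  return res.AuthenticationResult;
}

// Constructed samples shaped like the v3 and v2 outputs in the issue.
const v3Empty = {
  $metadata: { httpStatusCode: 200, requestId: 'constructed-request-id', attempts: 1 },
  AuthenticationResult: undefined, ChallengeName: undefined, Session: undefined,
};
const withTokens = {
  $metadata: { httpStatusCode: 200, requestId: 'constructed-request-id-2' },
  AuthenticationResult: { AccessToken: 'aaa', IdToken: 'bbbb', RefreshToken: 'ccccc', ExpiresIn: 3600 },
};
console.log(classifyAuthResponse(v3Empty), redactForLog(withTokens));
```

The `requestId` carried in the thrown error is the same value the reporter matched against `requestID` in the CloudTrail event.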

@ajredniwja added the bug and needs-triage labels May 19, 2021
@ajredniwja added this to In progress in Investigation Jun 10, 2021
@ajredniwja
Member

Hey @tweaver1, thanks for opening this issue. Can you please give more details about your canary? I am not able to reproduce this in my local environment as well.

@ajredniwja added the response-requested label Jun 18, 2021
@github-actions

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to prevent the issue from automatically closing.

@github-actions bot added the closing-soon and closed-for-staleness labels and removed the closing-soon label Jun 26, 2021
@ajredniwja moved this from In progress to Done in Investigation Jun 30, 2021
@ajredniwja removed this from Done in Investigation Jul 8, 2021
@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions bot locked as resolved and limited conversation to collaborators Jul 14, 2021