-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Having ?code= on the query string seems to always be caught by some Cognito code #9208
Comments
@PeteDuncanson thanks for bringing this up. We will get on triaging this. While we do that, I just wanted to make a callout, the reason we might be looking for |
Having the same issue with gsuite auth enabled. This is a regression of a previous issue that was fixed, can't find it currently but will add if i do. |
Having the same issue with bitbucket oauth. I downgraded to latest-3 in the meantime. Hopefully this is fixed soon. |
@thejuan @kieran-bellew When did u start seeing the issue ? Could you point what upgrade triggered this? |
@ashika01 (I'm working with @kieran-bellew) we first saw it after upgrading |
@colehendo Thank you for the info. Let me look into it and get back to you. Have you tried any version 4.x.x to see if it works? |
Also, @colehendo if u have a sample running out in github, point it out here. Helps speed up debugging :) |
@ashika01 I don't have the code in github, but I can describe our process. We have a component on our site which requires Bitbucket authentication to access. The user clicks on the link in our site (built using Angular), and get rerouted to That url then automatically routes them back to |
@PeteDuncanson I am trying to reproduce the issue, I would like to share somethings I found so far:
|
Potentially related to #8166, but overall this working code flow needs careful thinking as we also need to support react native use case. Will do more study on this. |
Hello @hkjpotato any news about this issue ? |
Hello, Any news on this? For now I would tackle the error and try to solve it. |
hey, any updates on this? |
Still broken on |
We got the same issue with the lastest version. Anyone can help to merge this PR? Thanks |
It's worth mentioning that this issue causes problems for apps that use Cognito and SMART on FHIR together. e.g. the library https://github.com/smart-on-fhir/client-js, which relies heavily on the code parameter. I believe this to be the commit that causes the issue: |
I'm facing the same problem, any news on where this #9370 will be merge? |
Just sent a followup to the PR creator to see if they can make updates based on recommendations from our team. |
Same problem here. Since cognito doesn't allow me to choose the scopes from Google, I ended up scrapping third party auth altogether. However, once you are in the app, there is the option to "sync your calendar". The Google auth workflow returns the code keyword and cognito picks it up, despite the fact I don't have third party auth enabled. |
@abdallahshaban557 How long to wait before it's safe to assume the original PR creator will not see it through? It's a pretty serious issue, is there someone on the core team that can start the ball rolling again? This bug has been in affect for more than a year now.. (since this commit d4f8fe6) |
Hi @timharsch - I am asking our team to check what needs to be done to fix this further. We will get back to you when we have more information. FYI @nadetastic @tannerabread @cwomack |
it is a kinda big deal for us, how to prevent Cognito from changing URLs that have a |
For reference, this is the commit responsible for the issue. d4f8fe6 I tried raising this issue with our AWS account manager, who had a solutions architect try to get the status from the core team. I was told that the response was that the issue is slated to be fixed in V6 release. I don't put a lot of faith in that response though because I also asked that someone from the team update this issue with a milestone label, and update the community. |
Hi @timharsch - we have this issue high on our tracking list for v6, we understand the change needed, but do not want to break existing customers. We will update this issue when we have an ETA on our release! We are taking the concerns of our community to heart on resolving this pain! Please let us know if you have any further questions/concerns. |
Here is my work around in the meanwhile. /**
* This is a hack to fix the issue with the Amplify library treating all incoming urls as OAuth responses.
* https://github.com/aws-amplify/amplify-js/issues/9208#issuecomment-1309890756*
*/
// @ts-ignore
const _handleAuthResponse = Auth._handleAuthResponse.bind(Auth);
// @ts-ignore
Auth._handleAuthResponse = (url: string) => {
const configuration = Auth.configure();
// @ts-ignore
if (!url.includes(configuration.oauth?.redirectSignIn)) return;
return _handleAuthResponse(url);
};
Amplify.configure(awsExports); |
Any updates on this? This is still a pretty big issue. Also, FYI, if you're using the workaround proposed by @alexkates, the latest version it works on is 5.3.6, afterwards Auth.ts seems to have been completely refactor so it doesn't work. |
I'm still on version 5.0.24 |
The developer preview for v6 of Amplify has officially been released with improvements Authentication and much more! Please check out our announcement and updated documentation to see what has changed. This issue should be resolved within the dev preview and upcoming General Availability for Amplify v6, but let us know with a comment if there are further issues. Please note that the method has changed from |
For those following, I'd recommend checking the upgrade docs https://docs.amplify.aws/javascript/build-a-backend/troubleshooting/migrate-from-javascript-v5-to-v6/ |
I have migrated to v6 and this bug is still happening. |
HI @Bar-Security do you mind opening a new issue with details and context so I may be able to better assist you? |
Our team has found that upgrading to v6 is a non-trivial task for us. We first need to make our whole app webpack 5 compatible before we can use v6, since v6 now has a dependency on webpack 5 ( Line 119 in b092100
|
Issue already closed but fix still not released. Why? |
@nadetastic please reopen the issue. The problem persists.. |
Reopening this issue as we investigate this further on both v5 and v6. |
Hi @timharsch, cc @Bar-Security We are still unable to reproduce this issue with v6 of
Since you are still seeing this issue with v6, do you mind opening a new issue with additional context and reproduction steps in order to better assist you? |
I could also reproduce the behaviour mentioned by @Bar-Security and have opened a fresh issue as suggested by @nadetastic with more details: #13096 |
Hi @timharsch, "webpack": "^5.75.0" is a devDependency in V6. Could you please elaborate more on the blocker you're facing |
For our app, we have other packages that would not be happy if we try to change the webpack version, which, currently is preventing us from upgrading to v6 of Amplify. Right now, my dev that needs to upgrade us to v6 has been on other critical tasks, I'm hoping to get some his time for this in next couple of weeks. We did not try nate's test sequence unfortunately, because we are not on v6, but looking at those steps I'm not sure how they could validate that it works. What good would it do to add /code=1234 manually after the redirect? It's in the redirect process that the param is dropped isn't it? Do you have an automated test that could validate the expectations? |
V5 supports a global urlListener where, when oauth is configured and the url contains To test this flow in V5
This reason this was designed in this manner was to support:
However V6 architecture is different, it does not contain a global urlListener and hence this issue does not exist |
Before opening, please confirm:
JavaScript Framework
React
Amplify APIs
Authentication
Amplify Categories
auth
Environment information
Describe the bug
This is an odd one.
We had a callback that we needed for Xero (3rd party accountancy software) authentication which wants to send us a code on the querystring such as
/mycallbackurl/?code=123454&secret=56789
Trouble is our App would always redirect to the root url and our code to handle the callback would never fire! After some testing we found that its just the querystring name of "code" that is causing the issue. We suspect that our Cognito Authentication is being too eager and hoovering up anything with "code" in the querystring regardless of the url structure.
To work around it and prove the point I added this to the top of my index.js in the root of the App before anything else can run:
Its not pretty, but it renames the code querystring param to something else if we know its for Xero. Then in our xero callback handling code we look for the new value. This now works! But its damn weird and something we thought would catch out others. I'll include our UserProvider at the bottom so you can see how we are using it for the Authentication if it helps. The above code though is the only bit of "quirky" stuff we have in there.
Expected behavior
I'd have thought that the Cognito code would only kick in on whatever callback url it wants to you (yes this could even be the root url) rather than on everything. Seems a bit too much of a over-reach of the querystring for me.
Reproduction steps
This is hard to unpick, if you have an authed site already then you could wrap our UserProvider around it and see if you can get that running.
Then navigate to a sub folder (ie /myfolder/) and try adding
?code=1234
to the end. The site should redirect/reload at the root url and your querystring will have disappeared. Yet if you go back to the same folder but add?code2=1234
to the end it won't redirect and will instead just render and leave the querystring on the url.Code Snippet
Log output
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
The text was updated successfully, but these errors were encountered: