
Not able to get any OAuth or Custom Scopes in Access Token #3732

Open
hanslai opened this issue Jul 25, 2019 · 113 comments
Labels: Auth (Related to Auth components/category), Cognito (Related to cognito issues), feature-request (Request a new feature), pending-maintainer-response (Issue is pending a response from the Amplify team), Service Team (Issues asked to the Service Team)

Comments

@hanslai

hanslai commented Jul 25, 2019

Which Category is your question related to?
Cognito, Oauth2/OIDC Access Token

What AWS Services are you utilizing?
Cognito User Pool

Provide additional details e.g. code snippets
With either Auth.signIn or the Vue authentication components, I am not able to get any OAuth or custom scopes.
[image: oidc+scope]

Sorry, I only have an image of the source my coworker sent me.
[image: Amplify+JS]

I also tested this: I was able to get the OAuth scopes when I used the token endpoint in Postman.
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

Or do we have to use https://github.com/aws/amazon-cognito-auth-js to get the scopes? But with Amplify, I wonder whether we still need to use this amazon-cognito-auth-js library. Actually, I am confused about why there are two JS libraries for Cognito.

Both #1884 and #1370 have the same problem, which was closed without being solved. It has been almost a year on these issues already. Any update on this?

@haverchuck (Contributor)

haverchuck commented Jul 25, 2019

@hanslai Have you tried using Auth.federatedSignIn as described here?

@haverchuck haverchuck added Auth Related to Auth components/category pending-close-response-required labels Jul 25, 2019
@hanslai (Author)

hanslai commented Jul 26, 2019

@haverchuck, I thought federatedSignIn was for social providers only, but our app does not use any social providers; we only use Cognito for now. Or did I not understand this correctly? Is it possible for me to use federatedSignIn without any social provider, with the Cognito user pool only?

I understand that Cognito User Pool itself is a valid OAuth2/OIDC Identity Provider, so I was able to get the OAuth2 Scopes from the token endpoint. Yet, just not sure how to do it with Amplify.

@haverchuck (Contributor)

@hanslai - Apologies- I misread your question. I'll try to look into this further.

@hanslai (Author)

hanslai commented Aug 2, 2019

@haverchuck any update on this?

@haverchuck (Contributor)

@hanslai I believe that if you want to use OAuth, you would still call federatedSignIn() in order to open the Hosted UI. The social provider piece would come into play only if you setup third party providers in the User Pool or passed a provider value into the function. Simply calling federatedSignIn() without any parameters would open up Hosted UI with a basic Cognito-backed login screen. This would enable you to authenticate the user with the userpool without handling their username/password directly in your application, which is one of the primary purposes of OAuth. Using the signin component, on the other hand, means that you are handling these credentials yourself.

To do this basic OAuth flow, you would need to setup a Hosted UI domain and redirect / signout URLs, which the Amplify CLI can assist you with.

@stale

stale bot commented Sep 13, 2019

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

@stale stale bot closed this as completed Sep 13, 2019
@adryanf

adryanf commented Oct 16, 2019

This is a fairly critical issue in my opinion, because having the access token without scopes makes it unusable when accessing an API Gateway which is secured by specifying scopes. The only options left to have a functional workflow are either to use the hosted UI (which is really limited in terms of customization) OR to use the identity token as a form of authorization (which is an anti-pattern).

@dominiktopp

Please make this work!
We switched from Cognito Hosted UI to Amplify because of the very limited configuration options of Cognito. Now we are stuck because as @adryanf said, passing the id_token to our resource server (our backend) is an anti pattern.

We need to be able to send the access token to our backend and call the userinfo endpoint there to get some information about the user.

@vgaltes

vgaltes commented Oct 30, 2019

I'm having the same issue. I can't get the custom scopes back using Amplify; I only get them back using the hosted UI.

@pmargom

pmargom commented Nov 27, 2019

I don't understand how this issue is closed when a lot of people are requesting this feature!

@sandeepsdixit

Same problem here... How do I get custom scopes in access token?

@JohnTheGray

Given that you can request custom scopes when authenticating using the hosted UI via the Cognito User Pool (as opposed to Facebook), I expect authentication via the Amplify Authenticator React/VueJS component to support exactly the same feature. In both cases (hosted UI or Authenticator component), you are still using Cognito User Pool as an IdP and should be able to request your desired scopes.

@shukii

shukii commented Mar 13, 2020

Any updates on this issue? I'm having the exact same problem

@DavidWells

I'm also unable to protect API gateway endpoints with the scope only set to aws.cognito.signin.user.admin

For example, (using serverless framework), I'm only able to check for aws.cognito.signin.user.admin & not real scopes like user/add, user/delete etc.

functions:
  protectedViaScope:
    handler: src/protected.handler
    events:
      - http:
          path: protected
          method: post
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer
            scopes:
              # Hack/workaround: only aws.cognito.signin.user.admin works =(
              - aws.cognito.signin.user.admin
              # 👇 won't work b/c the scopes aren't on the accessToken
              # - users/delete
              # - users/add

How are people working around this amplify/cognito limitation? Only using IAM roles?
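
The two points made above (a scope-protected API Gateway method only admits an access token carrying one of its configured scopes, and an id_token is the wrong thing to send) can be checked against sample tokens. The following is an added example and not code from the issue, Amplify or API Gateway: it reproduces the authorizer's decision rule (any one configured scope present in the token's space-separated `scope` claim grants access) and runs it over constructed, unsigned tokens. The scope names `users/add` and `users/delete`, the issuer, client id and all claim values are made up; signature verification against the user pool JWKS is deliberately left out so the example runs offline.

```javascript
// Added example, not from the issue or from Amplify/API Gateway. Mirrors the
// decision the API Gateway Cognito user-pool authorizer makes for a method with
// "scopes" configured: access is granted when ANY listed scope appears in the
// access token's space-separated "scope" claim. Tokens, scope names
// (users/add, users/delete) and claim values are constructed for the example.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Parse the payload segment of a compact JWS WITHOUT verifying it. A real
// verifier must first check the RS256 signature against the user pool's
// JWKS and the iss / exp / client_id claims; that is omitted here so the
// example runs offline.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Constructed, unsigned sample token: RS256 header, JSON payload, dummy sig.
function makeSampleToken(payload) {
  const header = { alg: "RS256", kid: "constructed" };
  return `${b64url(header)}.${b64url(payload)}.c2ln`;
}

const NOW = 1705450802; // fixed clock so the example is deterministic
const BASE = {
  iss: "https://cognito-idp.example.invalid/constructed-pool",
  client_id: "constructed",
  auth_time: NOW, iat: NOW, exp: NOW + 300,
};

// 1. What the thread reports for Auth.signIn: only the built-in scope.
const ACCESS_ADMIN_ONLY = makeSampleToken({ ...BASE, token_use: "access",
  scope: "aws.cognito.signin.user.admin" });
// 2. What the Hosted UI / token endpoint return when custom scopes are requested.
const ACCESS_WITH_CUSTOM = makeSampleToken({ ...BASE, token_use: "access",
  scope: "openid users/add" });
// 3. An id_token: it carries identity claims and no "scope" claim, which is
//    why sending it to a scope-protected API is the anti-pattern noted above.
const ID_TOKEN = makeSampleToken({ ...BASE, token_use: "id",
  email: "user@example.invalid" });

// Returns { allowed, matched } or { allowed: false, reason }. The scope rule is
// the authorizer's; the token_use check is this example's own hardening so
// that an id_token can never be mistaken for an access token.
function authorizeLikeApiGateway(token, requiredScopes, now = NOW) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { allowed: false, reason: "malformed" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { allowed: false, reason: "expired" };
  }
  if (claims.token_use !== "access") {
    return { allowed: false, reason: `token_use=${claims.token_use}` };
  }
  const granted = new Set(String(claims.scope || "").split(" ").filter(Boolean));
  const matched = requiredScopes.find((s) => granted.has(s));
  return matched
    ? { allowed: true, matched }
    : { allowed: false, reason: "none of the required scopes present" };
}

if (typeof require !== "undefined" && require.main === module) {
  const required = ["users/delete", "users/add"];
  for (const [name, tok] of [["admin-only", ACCESS_ADMIN_ONLY],
      ["custom", ACCESS_WITH_CUSTOM], ["id_token", ID_TOKEN]]) {
    console.log(name, authorizeLikeApiGateway(tok, required));
  }
}
```

Run with `node` and the admin-only token is rejected for `users/delete` / `users/add` while the token from the Hosted UI passes on `users/add`; that is exactly the gap the serverless config above works around by listing only `aws.cognito.signin.user.admin`. Two caveats for real deployments: API Gateway only applies the scope rule when the method has scopes configured (with none configured it validates the supplied token as an id token instead), and the decode above trusts the payload, so the JWKS signature check must run before any of these claims are used.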

@rupertlssmith

I think it is also true that not every user wants the admin scope

aws.cognito.signin.user.admin

A regular user of an application does not need user admin rights on Cognito, probably just wants some sort of read/write access to parts of an application back-end.

@tamirrrdorrron

This is also an issue for us

@LionelB5

We are also impacted by this issue.

Very similar use case to @DavidWells. We have protected a few different API Gateway endpoints using different custom scopes and the only scope we ever get back when using AmplifyJS is the aws.cognito.signin.user.admin scope.

@rubene

rubene commented Apr 27, 2020

We are also impacted by this issue. Can't write e2e integration tests because the token does not have the necessary scopes to hit api gateway.

@ddbradshaw

+1 on this being an issue for our team.

Amplify is useless if we want custom login UI and use API Gateway with custom scopes.

@chrismillah

+1 also experiencing this issue

@shaktiks

any update on this? It seems like aws is going down the drain, time to move to GCP.

@cwomack (Member)

cwomack commented Sep 22, 2023

Hey, @jamesh38 and @shaktiks 👋. We can't announce an exact release date just yet, but this feature is actively being worked on and planned for an upcoming release. As soon as we can communicate an actual day it will be available, we'll be sure to do so!

@jamesh38

jamesh38 commented Sep 22, 2023 via email

@Ataraxia009

hey @cwomack thanks for looking into this
Just want to confirm ->
the new release will also allow custom scopes to be sent in the access token for CUSTOM_AUTH flows, right?
Specifically I am using the lambda trigger auth challenges and the defineAuthChallenge lambda trigger.
The response is quite limited in what to feed the access token.

@danfhernandez

Any update on this? Something I'm also running into unfortunately. I'm very close to choosing to migrate off of amplify and roll auth myself.

@PeelyZenobe

> Any update on this? Something I'm also running into unfortunately. I'm very close to choosing to migrate off of amplify and roll auth myself.

Just to be clear, you don't need to "roll auth yourself". You can still just use Cognito without Amplify. Yes, you can still only get the custom scopes if you use the Amazon Cognito provided Hosted UI (which provides all of the authentication journeys (signup, login, password reset and MFA) out of the box), but in my investigations it turns out that custom scopes aren't really needed that often; it's an anti-pattern to use them for user permissions, and you should be using another system to handle that. Machine-to-machine stuff can use Cognito just fine to get custom scopes.

@rupertlssmith

Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

@lobaak

lobaak commented Jan 17, 2024

I'm just confirming that it is now possible to add custom scopes to the access token generated using Amplify. We were able to get this working using the steps found on:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken

The lambda function we used is taken from the example on that page:

// Pre token generation trigger. The claimsAndScopeOverrideDetails block is only
// honoured when the trigger is configured with the V2_0 event version; the
// original (V1) event only allows ID token customization.
export const handler = function (event, context) {
  event.response = {
    claimsAndScopeOverrideDetails: {
      accessTokenGeneration: {
        // scopes appended to the access token's "scope" claim
        scopesToAdd: ["openid"],
        // scopes removed from the access token's "scope" claim
        scopesToSuppress: ["aws.cognito.signin.user.admin"],
      },
    },
  };
  // Return to Amazon Cognito
  context.done(null, event);
};

Which generates the following access token:

{
  "sub": "xxxx",
  "iss": "https://xxxx.amazonaws.com/xxxx",
  "client_id": "xxxx",
  "origin_jti": "xxxx",
  "event_id": "xxxx",
  "token_use": "access",
  "scope": "openid",
  "auth_time": 1705450802,
  "exp": 1705451102,
  "iat": 1705450802,
  "jti": "xxxx",
  "username": "xxxx"
}
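
The handler above adds "openid" to every access token. The more useful shape of the same trigger, and what the earlier comments actually asked for, is to put resource-server scopes into the access token based on who the user is. The following is an added example, not the issue's or AWS's code: a version-2 pre token generation handler that derives scopes from the user's group membership and drops the built-in `aws.cognito.signin.user.admin` scope that regular users do not need. The group names, the `users/...` resource-server scopes and the sample event are hypothetical; the example assumes, from the trigger contract, that `request.groupConfiguration.groupsToOverride` lists the user's groups and that `response.claimsAndScopeOverrideDetails.accessTokenGeneration` accepts `scopesToAdd` and `scopesToSuppress`. As several comments note, enabling access token customization has a pricing prerequisite, so check the current Cognito pricing page before relying on it.

```javascript
// Added example, not the issue's or AWS's code: a V2 pre token generation
// trigger that grants resource-server scopes from the user's groups instead of
// adding "openid" unconditionally. Hypothetical: the group names, the "users"
// resource-server scopes and the sample event. Assumed from the trigger
// contract: request.groupConfiguration.groupsToOverride and
// response.claimsAndScopeOverrideDetails.accessTokenGeneration.

// Hypothetical group -> resource-server scope mapping.
const GROUP_SCOPES = {
  admins: ["users/add", "users/delete", "users/read"],
  readers: ["users/read"],
};

// Built-in scope that lets the token holder call self-service user-pool APIs
// (GetUser, UpdateUserAttributes, ...). Suppress it unless the client needs
// those calls; a regular user of an application normally does not.
const SELF_SERVICE_SCOPE = "aws.cognito.signin.user.admin";

// Union of the scopes granted by the user's groups; unknown groups add nothing.
function scopesForGroups(groups) {
  const out = new Set();
  for (const g of groups) {
    for (const s of GROUP_SCOPES[g] || []) out.add(s);
  }
  return [...out].sort();
}

// Pure function so the decision can be unit-tested without Lambda.
function buildResponse(event) {
  const cfg = (event.request && event.request.groupConfiguration) || {};
  const groups = Array.isArray(cfg.groupsToOverride) ? cfg.groupsToOverride : [];
  return {
    claimsAndScopeOverrideDetails: {
      accessTokenGeneration: {
        scopesToAdd: scopesForGroups(groups),
        scopesToSuppress: [SELF_SERVICE_SCOPE],
      },
    },
  };
}

// Lambda entry point: Cognito reads event.response from the returned event.
async function handler(event) {
  event.response = buildResponse(event);
  return event;
}

// Constructed sample event in the shape of the V2 trigger (values made up).
const SAMPLE_EVENT = {
  version: "2",
  triggerSource: "TokenGeneration_Authentication",
  request: {
    userAttributes: { sub: "constructed", email: "admin@example.invalid" },
    groupConfiguration: { groupsToOverride: ["admins", "readers"] },
    scopes: [SELF_SERVICE_SCOPE],
  },
  response: {},
};

if (typeof module !== "undefined") {
  module.exports = { handler, buildResponse, scopesForGroups, SAMPLE_EVENT };
}
```

With the sample event, the resulting access token's `scope` claim becomes `users/add users/delete users/read` and loses `aws.cognito.signin.user.admin`, so a user with no groups ends up with an empty scope and cannot call any scope-protected API Gateway method. Note the trade-off mentioned further down the thread: a client that relies on GetUser from the browser needs the suppressed scope, so keep it for such clients.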

@sgasior

sgasior commented Jan 25, 2024

> I'm just confirming that it is now possible to add custom scopes to the access token generated using Amplify. We were able to get this working using the steps found on:
>
> https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken
>
> The lambda function we used is taken from the example on that page:
>
> export const handler = function(event, context) {
>   event.response = {
>     "claimsAndScopeOverrideDetails": {
>       "accessTokenGeneration": {
>         "scopesToAdd": [
>           "openid",
>         ],
>         "scopesToSuppress": [
>           "aws.cognito.signin.user.admin"
>         ]
>       },
>     }
>   };
>   // Return to Amazon Cognito
>   context.done(null, event);
> };
>
> Which generates the following access token:
>
> {
>   "sub": "xxxx",
>   "iss": "https://xxxx.amazonaws.com/xxxx",
>   "client_id": "xxxx",
>   "origin_jti": "xxxx",
>   "event_id": "xxxx",
>   "token_use": "access",
>   "scope": "openid",
>   "auth_time": 1705450802,
>   "exp": 1705451102,
>   "iat": 1705450802,
>   "jti": "xxxx",
>   "username": "xxxx"
> }

It requires using advanced security features, and as far as I know this is a very expensive feature ($0.05).

Probably for most of us using scope aws.cognito.signin.user.admin is still option 1 because of costs..

@DavidWells

I was quite pleased when I saw the announcement that is was possible to modify the access token via a lambda function. https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

But then like @sgasior I realized it requires opting into Advanced security features. For access token customization you must enable "AdvancedSecurityMode" which blows up the cost of MAU to 0.05 per user from 0.0055 per user.

**This is an 809.09% price increase per user.** 😭

Surely there is a way to enable the new Pre token generation Lambda trigger to the V2_0 signature without this incredible increase in cost.

We just need this one simple feature, not everything that is included in the Advanced security features offering.

[image]

@johnpwrs

johnpwrs commented Mar 5, 2024

My annoying work around is to use AWS SDK GetUserCommand when the user only has the aws.cognito.signin.user.admin scope, and to use the oauth userinfo endpoint otherwise. Users logging in with social have the scopes needed for the userinfo endpoint, and users who did a direct signup, logging in with the custom sign-in form, do not.

@apekkar

apekkar commented Mar 19, 2024

Hello! Any status update on this? Is there any workaround?

We just did a big refactoring in the backend to support custom scopes, and after that we realised that our apps made with Amplify wouldn't work with it anymore. This is a frustrating situation.

@hheavener-kyd

We gave up on Amplify/Cognito. We've tried on multiple occasions to find a way to make it viable with different projects and, ultimately, this is the main issue that keeps us from using it. This thread is 5 years old and still active yet I haven't seen any indication that the team has any plans of fixing this.

Beyond that, they should not advertise this product as a feature-complete authentication service, because it isn't. More and more teams are committing to using this product only to realize it doesn't do as advertised after they build out their applications on it. What a let down.

@Meags27

Meags27 commented Mar 22, 2024

> We gave up on Amplify/Cognito. We've tried on multiple occasions to find a way to make it viable with different projects and, ultimately, this is the main issue that keeps us from using it. This thread is 5 years old and still active yet I haven't seen any indication that the team has any plans of fixing this.
>
> Beyond that, they should not advertise this product as a feature-complete authentication service because it isn't. More and more teams are committing to using this product only to realize it doesn't do as advertised after the build out their applications to it. What a let down.

They fixed it December last year https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ @apekkar

@hheavener-kyd

@Meags27 thanks for the link and clarification. Unfortunately, as @DavidWells mentioned in his comment, you must enable advanced security features in order to use this which drastically increases the cost and contains a lot of features we do not need. This decision means that this product will continue to not be viable for our team.

@nadetastic nadetastic removed their assignment Mar 29, 2024
@ChristianSMcode

Is there any update on this? The solution mentioned by multiple users involves a crazy difference in cost per user, which I find unacceptable and unviable. However, I appreciate that at least something was done about this issue, even though it is far from the ideal solution.

@josefaidt josefaidt assigned josefaidt and unassigned cwomack Apr 12, 2024
@cs17

cs17 commented May 8, 2024

Enabling advanced security features for this simple feature sounds crazy. I would appreciate it if the Cognito team could look at this request.

@alexkates

We're in the same boat. After reading this, we are landing where many of you have already. The markup per MAU is way too expensive to justify access token customization.

What's funny is I don't even want customization. I want the scopes that are setup on the user pool app client to simply be on the access token. That's not customization, that feels more like "the way it should work".

For now we are choosing to not use authorization scopes until we can move away from the Amplify JS libraries.

@tomas-phillips-95

Any update here? It's insane that this still continues to be an issue.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 23, 2024
@arthurgurov

One day you decide to become a certified AWS expert... you spend a lot of time and money to achieve that. Once certified, you share your joy with all your friends and clients. You dream about modern cloud solutions with super cool architectures. You think you know everything needed to build a cool solution, not only because of fancy marketing words - you think you know this platform.

And then... then you see such sh## like this... when a super obvious thing is not working and no one plans to fix it (only 3 years passed from the initial post). I was really disappointed when I noticed almost zero customization of the hosted UI. But this... this is just ridiculous.

Now I'm at a point where I regret the decision to use Cognito because it's a real blocker for us. I have to step back and re-architect the system to use a more bullet-proof solution than Cognito.

So... 2 years have passed, and we still need an adequate solution (the new bill multiplier feature is not an option). The good thing is that I have this thread pinned, and now I can make the right decision not to use Cognito at the beginning of the new project :D

@adrian1chia

adrian1chia commented Oct 22, 2024

This is really bullshit coming from AWS. This is just an example of a simple thing that never can be done right. I am also stuck now thinking what to do next. In the pre trigger lambda, it is defining its own custom scopes and bypassing the Resource Server?

@kaleb-itm

First I had issues with Cognito requiring the SAML 2.0 redirect binding, while the IdP I need to add only supports POST.
Now the access token does not have the required info to easily get the user's email address (how we identify users).
I gave up and I'm now just using the ID token.

Next time im just going to use keycloak

@josephharkins

It looks like they have gotten their act together and sorted this, new better pricing tiers, access tokens incl.

https://aws.amazon.com/cognito/pricing/
