Credentials._setCredentialsFromSession generates invalid provider name when identity and user pools are in different regions
To Reproduce:
- Have Cognito user and identity pools in different regions
- Log in with the amplify-js client
- Observe the failing https://cognito-identity.REGION.amazonaws.com/ call
- Request body has a provider name of the form cognito-idp.eu-west-1.amazonaws.com/eu-central-1_XXXXXXXXX in the Logins structure (note the conflicting regions)
- Response: NotAuthorizedException: Invalid login token. Issuer doesn't match providerName
Expected behavior
The regions in the provider name should be consistent with the region of the user pool that issued the id token, to successfully produce federated credentials.
Code Snippet
Provider name is constructed here: https://github.com/aws-amplify/amplify-js/blob/aws-amplify%403.0.22/packages/core/src/Credentials.ts#L356
What is Configured?
"aws-amplify": "^3.0.22",

Auth.configure({
    userPoolId: 'eu-central-1_XXXXXXXXX',
    userPoolWebClientId: 'XXXXXXXXXXXXXXXXXXXX',
    identityPoolId: 'eu-west-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX',
    identityPoolRegion: 'eu-west-1',
    region: 'eu-central-1',
    mandatorySignIn: false,
});

Analytics.configure({
    disabled: false,
    AWSPinpoint: {
        appId: 'XXXXXXXXXXXXXXXXXXXXXXXX',
        region: 'eu-west-1',
        mandatorySignIn: false,
    }
})
We don’t use the Amplify CLI to set up resources; only the JavaScript client in a browser, so far.
But I think resource configuration is correct, because everything works when I apply these changes: https://github.com/juranki/amplify-js/commit/29af87c566749002c1f3d0a65c801940f8cd1d83
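The following is an added illustration of the expected behaviour described in this issue; it is not amplify-js code and not the reporter's patch. It builds the Cognito Identity Logins key from the issuer (iss) claim of the user pool id token, so the region is always that of the pool that issued the token, and it flags the mismatch that occurs when the key is instead built from the identity pool region. The sample configuration mirrors the one in the issue; the id token is a constructed, unsigned token (the signature segment is a placeholder, since this helper only reads the payload and leaves signature verification to Cognito Identity).

```javascript
// Added example, not part of amplify-js. Derives the Cognito Identity Logins key
// from the user pool id token's issuer instead of from the identity pool region.

// Issuer format of a Cognito user pool: https://cognito-idp.<region>.amazonaws.com/<userPoolId>
const COGNITO_ISSUER_RE =
  /^https:\/\/cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([a-z0-9-]+_[A-Za-z0-9]+)$/;

// Decode the JWT payload without verifying the signature. This is only used to
// pick the Logins key; Cognito Identity verifies the token when it is exchanged.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Provider name the way the issue describes it being built: the identity pool
// region (falling back to the generic region) combined with the user pool id.
function providerNameFromConfig(config) {
  const region = config.identityPoolRegion || config.region;
  return `cognito-idp.${region}.amazonaws.com/${config.userPoolId}`;
}

// Provider name derived from the token issuer: region and pool id both come from
// the pool that actually issued the token, so they cannot disagree.
function providerNameFromIdToken(idToken) {
  const { iss, token_use } = decodeJwtPayload(idToken);
  const match = COGNITO_ISSUER_RE.exec(iss || '');
  if (!match) throw new Error(`unexpected issuer: ${iss}`);
  if (token_use !== 'id') throw new Error(`expected an id token, got token_use=${token_use}`);
  return { providerName: iss.slice('https://'.length), region: match[1], userPoolId: match[2] };
}

// Build the Logins map for GetId / GetCredentialsForIdentity and report whether
// the config-derived name would have produced the "Issuer doesn't match
// providerName" rejection.
function buildLogins(config, idToken) {
  const fromToken = providerNameFromIdToken(idToken);
  const fromConfig = providerNameFromConfig(config);
  return {
    Logins: { [fromToken.providerName]: idToken },
    fromConfig,
    mismatch: fromConfig !== fromToken.providerName,
  };
}

// Constructed sample token: header and payload are real base64url JSON, the
// signature is a placeholder (hypothetical values, not a real Cognito token).
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'placeholder-kid' })}.${enc(payload)}.placeholder-signature`;
}

// Configuration as in the issue: user pool in eu-central-1, identity pool in eu-west-1.
const sampleConfig = {
  userPoolId: 'eu-central-1_XXXXXXXXX',
  identityPoolId: 'eu-west-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX',
  identityPoolRegion: 'eu-west-1',
  region: 'eu-central-1',
};

const sampleIdToken = makeUnsignedToken({
  iss: 'https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXXXXX',
  token_use: 'id',
  sub: 'constructed-subject',
});

const sampleAccessToken = makeUnsignedToken({
  iss: 'https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXXXXX',
  token_use: 'access',
});

const sampleResult = buildLogins(sampleConfig, sampleIdToken);
console.log(JSON.stringify(sampleResult, null, 2));
```

With the issue's configuration, `fromConfig` comes out as `cognito-idp.eu-west-1.amazonaws.com/eu-central-1_XXXXXXXXX` (the conflicting-region name from the report) while the Logins key is `cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXXXXX`, and `mismatch` is true. Passing an access token instead of an id token is rejected up front, since Cognito Identity only accepts id tokens as user pool logins.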
- Created 3 years ago
- Reactions: 2
- Comments: 14 (5 by maintainers)
Top GitHub Comments
@juranki thank you for the intense research. Okay, I got it now. I will look into this and see if we can make changes on our end. Thank you 😊
The patched version is one with this change applied: https://github.com/juranki/amplify-js/commit/29af87c566749002c1f3d0a65c801940f8cd1d83
I’m happy to submit that as a pull request if it’s selected as the correct way to fix the problem. But it very narrowly focuses on finding the correct provider name in this specific situation. I’m not familiar with the amplify-js codebase, so I chose a solution that can be applied locally in that one method.
But why was the id pool region used, even though the configuration has entries for the regions of both the id and user pools? This line caught my eye: https://github.com/aws-amplify/amplify-js/blob/aws-amplify%403.0.22/packages/auth/src/Auth.ts#L179
It appears to collapse the id and user pool regions into one setting and might have implications, besides the one I bumped into.