How to disable calls to `AWSCognitoIdentityProviderService.GetUser` when `aws.cognito.signin.user.admin` is disabled?


**Which Category is your question related to?** Auth

**What AWS Services are you utilizing?** Cognito User Pool

**Provide additional details e.g. code snippets**

I searched the issues before posting this, but am still looking for an answer. It seems that the amplify javascript sdk will always make 2 calls to POST https://cognito-idp.{region}.amazonaws.com using the X-Amz-Target: AWSCognitoIdentityProviderService.GetUser header after a successful user login, and we would like to disable these. They succeed when the aws.cognito.signin.user.admin oauth scope is allowed, but when disallowed, they return a 400 Bad Response.

We have the oauth scope in question disabled and want to keep it disabled. I found a similar question in #1262, but the answer only says it is “expected behavior” with no explanation as to why. Our app functions perfectly fine when the scope is disabled and the requests error out. Can we disable the calls? If so how, and if not, why?

I also read #1906, #2251, and #1813, and updated our aws-amplify dependency to 1.1.22, but still seeing the same behavior.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 13 (6 by maintainers)

Top GitHub Comments

1 reaction
powerful23 commented, Mar 18, 2019

@danludwig the scope in the config object is only used when using Cognito's OAuth feature (also known as Cognito Hosted UI) to allow the developers to specify the scopes of the token: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

This will not impact this change because we are always reading the scope by decoding the current access token which will ensure whether we have the permission to make this call.
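
The check the maintainer describes, as an added example that is not Amplify's own code: decode the current Cognito access token, read its space-separated `scope` claim, and only issue the GetUser request when `aws.cognito.signin.user.admin` is present, so a client without that scope skips the call instead of receiving a 400. The tokens are constructed inline for the demo; `getUser` is a hypothetical injected function standing in for the real request, and the decode is not a signature check (the server still enforces the scope).

```javascript
const USER_ADMIN_SCOPE = 'aws.cognito.signin.user.admin';

// JWT segments are base64url without padding; convert to standard base64.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the payload of a compact JWS. No signature verification here: this only
// decides whether the client should bother making the call at all.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito access tokens carry a space-separated `scope` claim.
function accessTokenScopes(token) {
  const payload = decodeJwtPayload(token);
  return typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
}

function canCallGetUser(token) {
  return accessTokenScopes(token).includes(USER_ADMIN_SCOPE);
}

// Fetch user attributes only when the token permits it; otherwise report that
// the call was skipped rather than letting it fail with a 400.
// `getUser` is a hypothetical stand-in for the Cognito GetUser request.
async function fetchUserAttributesIfAllowed(token, getUser) {
  if (!canCallGetUser(token)) {
    return { called: false, attributes: null };
  }
  return { called: true, attributes: await getUser(token) };
}

// Constructed demo tokens (header.payload.signature) with a given scope claim.
function buildDemoToken(scope) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.` +
    `${enc({ scope, token_use: 'access', sub: 'demo-user' })}.demo-signature`;
}
```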

1 reaction
elorzafe commented, Mar 15, 2019

@danludwig we reproduced this issue and with @powerful23 we are working on a PR to fix this. Thanks!
