Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Auth components don't support scopes

See original GitHub issue

Is your feature request related to a problem? Please describe. I’m using the provided react components to build the auth flow (@aws-amplify/ui-react). Unfortunately there doesn’t seem to be any possibility to request a scope on authentication. So it’s currently impossible to use this library for proper authentication.

Similar issues (closed without any reason): aws-amplify/amplify-js#3732 aws-amplify/amplify-js#1370. -> That issue already exists for years now

Describe the solution you’d like Hosted-UI supports this. But that is not an option for us. Would be great to pass the same configuration to the react components.

scope: ["email", "profile", "openid", "weather:read"],

Describe alternatives you’ve considered Unfortunately I don’t see any alternative solution possible with amplify-js.

-> I would really like to use this lib as it saves a ton of work. Thanks for that! Hope you can provide that feature (fix that bug 😉) soon 👍

Issue Analytics

State:
Created 3 years ago
Reactions:57
Comments:10

Top GitHub Comments

7reactions

mrichmancommented, May 6, 2020

I ran into this very issue today. I’m using Vue.js but it’s the same problem. The custom UI used by Amplify’s UI components implements the USER_SRP_AUTH flow. This flow is completely separate from the OAuth 2.0 flows. As a result, the access token I get back looks like this:

{
  "sub": "992b512f-130d-4da6-a9d3-a1a4227f82f5",
  "event_id": "e856b86d-7f44-46a8-8e02-4345ed1a6755",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1588775410,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pNZrsdff",
  "exp": 1588782931,
  "iat": 1588779331,
  "jti": "000c94e0-9247-4f1e-ac0c-7aeb065d37f9",
  "client_id": "5gha7s6vka4qapbeape5i9resj",
  "username": "422b512f-130d-4da6-a9d3-a1a4117f82f5"
}

Notice the scope above.

When I try to invoke my HTTP API (not using REST) with a Cognito authorizer, passing the access token, I get the error: Bearer scope="email" error="insufficient_scope" error_description="expected scopes within the token".

Is the solution to use the Cognito hosted UI where we can get OAuth 2.0 scopes? If so, does that represent a compatibility issue with things like the Storage API (e.g. Storage.get())?

4reactions

andreashecommented, Dec 7, 2021

Did anyone use amazon-cognito-identity-js? In the changelog they mentioned custom scopes but I can’t see a hint how to define them. Anybody used this as alternative and get a token with access to API Gatway with cognito?

Top Results From Across the Web

Auth components don't support scopes · Issue #237 - GitHub

I'm using the provided react components to build the auth flow (@aws-amplify/ui-react). ... Auth components don't support scopes #237.

Permissions, Privileges, and Scopes - Auth0

The granted scopes allow the application to access only the user's resources, say the user's emails. Just as the user cannot access other...

OAuth2 scopes are NOT permissions - Aserto

OAuth2 scopes were never intended to be an authorization mechanism, and indeed are a really bad idea when used as a substitute for...

OAuth Scopes Best Practices | Curity

Best practices for designing OAuth scopes in real world systems and managing them at scale. Discover how to perform API Authorization using Scopes....

Authorization Scopes | Apps Script - Google Developers

OAuth verification Certain OAuth scopes are sensitive because they allow access to Google User Data. If your script project uses scopes that ...