Not able to get any OAuth or Custom Scopes in Access Token #3732
Comments
|
@hanslai Have you tried using Auth.federatedSignIn as described here? |
haverchuck
added
Auth
|
@haverchuck, I thought FederatedSignIn is for social provider only, but our App does not use any social providers, we are only use Cognito for now. Or I didn't understand this correctly? Is it possible for me to use FederatedSignIn without any social provider but Cognito user pool only? I understand that Cognito User Pool itself is a valid OAuth2/OIDC Identity Provider, so I was able to get the OAuth2 Scopes from the token endpoint. Yet, just not sure how to do it with Amplify. |
|
@hanslai - Apologies- I misread your question. I'll try to look into this further. |
|
@haverchuck any update on this? |
|
@hanslai I believe that if you want to use OAuth, you would still call To do this basic OAuth flow, you would need to setup a Hosted UI domain and redirect / signout URLs, which the Amplify CLI can assist you with. |
|
This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems. |
|
This is a fairly critical issue in my opinion because having the access token without scopes makes it unusable when accessing an API gateway which is secured by specifying scopes. The only options left to have a functional workflow are either to use the hosted UI (which is really limited in terms of customization) OR to use the identity token as a form authorization (which is an anti pattern) |
|
Please make this work! We need to be able to send the access token to our backend and call the userinfo endpoint there to get some information about the user. |
|
I´m having the same issue. I can´t get the custom scopes back using Amplify, I only get them back using the custom UI. |
|
Don't understand how this issue is closed when lot of people is requesting this feature!! |
|
Same problem here... How do I get custom scopes in access token? |
|
Given that you can request custom scopes when authenticating using the hosted UI via the Cognito User Pool (as opposed to Facebook), I expect authentication via the Amplify Authenticator React/VueJS component to support exactly the same feature. In both cases (hosted UI or Authenticator component), you are still using Cognito User Pool as an IdP and should be able to request your desired scopes. |
|
Any updates on this issue? I'm having the exact same problem |
|
I'm also unable to protect API gateway endpoints with the For example, (using serverless framework), I'm only able to check for functions:
protectedViaScope:
handler: src/protected.handler
events:
- http:
path: protected
method: post
cors: true
authorizer:
type: COGNITO_USER_POOLS
authorizerId:
Ref: ApiGatewayAuthorizer
scopes:
# Hack/workaround: only aws.cognito.signin.user.admin works =(
- aws.cognito.signin.user.admin
# 👇 wont work b/c scopes arent on the accessToken
# - users/delete
# - users/addHow are people working around this amplify/cognito limitation? Only using IAM roles? |
|
I think it is also true that not every user wants the admin scope
A regular user of an application does not need user admin rights on Cognito, probably just wants some sort of read/write access to parts of an application back-end. |
|
This is also an issue for us |
|
We are also impacted by this issue. Very similar use case to @DavidWells. We have protected a few different API Gateway endpoints using different custom scopes and the only scope we ever get back when using AmplifyJS is the |
|
We are also impacted by this issue. Can't write e2e integration tests because the token does not have the necessary scopes to hit api gateway. |
|
+1 on this being an issue for our team. Amplify is useless if we want custom login UI and use API Gateway with custom scopes. |
|
+1 also experiencing this issue |
|
@abdallahshaban557 Any luck this month? |
|
any update on this? It seems like aws is going down the drain, time to move to GCP. |
|
Hey that’s awesome to hear. Thanks a lot Chris.
…On Fri, Sep 22, 2023 at 1:06 PM Chris Womack ***@***.***> wrote:
Hey, @jamesh38 <https://github.com/jamesh38> and @shaktiks
<https://github.com/shaktiks> 👋. We can't announce an exact release date
just yet, but this feature is actively being worked on and planned for an
upcoming release. As soon as we can communicate an actual day it will be
available, we'll be sure to do so!
—
Reply to this email directly, view it on GitHub
<#3732 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA3OHUSBXCXPMN5IWIRX7F3X3XARRANCNFSM4IG2QWQQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
hey @cwomack thanks for looking into this |
|
Any update on this? Something I'm also running into unfortunately. I'm very close to choosing to migrate off of amplify and roll auth myself. |
Just to be clar, you don't need to "roll auth yourself". You can still just use Cognito without Amplify. Yes you can still only get the custom scopes if you use the Amazon Cognito provided Hosted UI (Which provides all of the Authentication journeys (Signup, Login, Password Reset and MFA) out of the box), but in my investigations it turns out that custom scopes aren't really needed that often, it's an anti-pattern to use them for User Permissions and you should be using another system to handle that. Machine-to-Machine stuff can use Cognito just fine to get customer scopes. |
|
Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ |
|
I'm just confirming that it is now possible to add custom scopes to the access token generated using Amplify. We were able to get this working using the steps found on: The lambda function we used is taken from the example on that page: export const handler = function(event, context) {
event.response = {
"claimsAndScopeOverrideDetails": {
"accessTokenGeneration": {
"scopesToAdd": [
"openid",
],
"scopesToSuppress": [
"aws.cognito.signin.user.admin"
]
},
}
};
// Return to Amazon Cognito
context.done(null, event);
};Which generates the following access token: {
"sub": "xxxx",
"iss": "https://xxxx.amazonaws.com/xxxx",
"client_id": "xxxx",
"origin_jti": "xxxx",
"event_id": "xxxx",
"token_use": "access",
"scope": "openid",
"auth_time": 1705450802,
"exp": 1705451102,
"iat": 1705450802,
"jti": "xxxx",
"username": "xxxx"
} |
It requires to use Probably for most of us using scope |
|
I was quite pleased when I saw the announcement that is was possible to modify the But then like @sgasior I realized it requires opting into **This is a 809.09% price increase per user. ** 😭 Surely there is a way to enable the new We just need this one simple feature, not everything that is included in the 
|
|
My annoying work around is to use AWS SDK GetUserCommand when the user only has the |
|
Hello! Any status update on this? Is there any workaround? We just made big refactoring in backend to support custom scopes and after that we realised that our apps made with amplify wouldn't work with it anymore. This is frustrating situation. |
|
We gave up on Amplify/Cognito. We've tried on multiple occasions to find a way to make it viable with different projects and, ultimately, this is the main issue that keeps us from using it. This thread is 5 years old and still active yet I haven't seen any indication that the team has any plans of fixing this. Beyond that, they should not advertise this product as a feature-complete authentication service because it isn't. More and more teams are committing to using this product only to realize it doesn't do as advertised after the build out their applications to it. What a let down. |
They fixed it December last year https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ @apekkar |
|
@Meags27 thanks for the link and clarification. Unfortunately, as @DavidWells mentioned in his comment, you must enable advanced security features in order to use this which drastically increases the cost and contains a lot of features we do not need. This decision means that this product will continue to not be viable for our team. |
|
Is there any update on this? the solution as mentioned by multiple users involves a crazy diference in cost per user which I find unaceptable and unviable, however I apreciate that at least there was something made about this issue however is far form the ideal solution |
|
Enabling advanced security features for this simple feature sounds crazy. I would appreciate it if the Cognito team could look at this request. |
|
We're in the same boat. After reading this, we are landing where many of you have already. The markup per MAU is way too expensive to justify access token customization. What's funny is I don't even want customization. I want the scopes that are setup on the user pool app client to simply be on the access token. That's not customization, that feels more like "the way it should work". For now we are choosing to not use authorization scopes until we can move away from the Amplify JS libraries. |
|
Any update here? It's insane that this still continues to be an issue. |
github-actions
bot
added
the
pending-maintainer-response
So... 2 years have passed, and we still need an adequate solution (the new bill multiplier feature is not an option). The good thing is that I have this thread pinned, and now I can make the right decision not to use Cognito at the beginning of the new project :D |
|
This is really bullshit coming from AWS. This is just an example of a simple thing that never can be done right. I am also stuck now thinking what to do next. In the pre trigger lambda, it is defining its own custom scopes and bypassing the Resource Server? |
|
First i had issues with Cognito requiring saml 2.0 redirect binding and the idp i need to add only supports POST Next time im just going to use keycloak |
and others
Which Category is your question related to?
Cognito, Oauth2/OIDC Access Token
What AWS Services are you utilizing?
Cognito User Pool
Provide additional details e.g. code snippets
Using either Auth.signIn or the Vue Authentication Components are not able to get any OAuth or Custom Scopes.
Sorry, I only have a image of the source my coworker sent me.
I also tested, I was able to get the OAuth scopes if I use the Token Endpoint in Postman
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
Or do we have to use https://github.com/aws/amazon-cognito-auth-js to get the scopes? But with Amplify I wonder do we still need to use this amazon-cognito-auth-js library? Actually, I am confused why there are two JS libraries for cognito.
both #1884 and #1370 have the same problem, which is not solved but closed. It has been almost a year on this issues already. Any update on this?
The text was updated successfully, but these errors were encountered: