amplify-js: "invalid_grant" when performing token exchange for SAML federated auth

Describe the bug
Upon upgrading to @aws-amplify/auth 3.2.8, federated signin using SAML failed with an “invalid_grant” error being returned from the token endpoint.

To Reproduce
Steps to reproduce the behavior:

  1. Configure federated signin via linking to the hosted UI, follow the process and end up back at the application. When Amplify tries to obtain the token, invalid_grant is returned.

Expected behavior
The user successfully logs in.

Code Snippet
This happens out of the box.

Screenshots

What is Configured?

If applicable, please provide what is configured for Amplify CLI:

  • Which steps did you follow via Amplify CLI when configuring your resources. N/A
  • Which resources do you have configured?
    • If applicable, please provide your aws-exports file:
const awsmobile: IAWSAmplifyConfiguration = {
  aws_appsync_authenticationType: "AMAZON_COGNITO_USER_POOLS",
  aws_appsync_graphqlEndpoint: "https://2pnkrnf3wjbgpf2vvvq54zbssq.appsync-api.eu-west-2.amazonaws.com/graphql",
  aws_appsync_region: "eu-west-2",
  aws_cloud_logic_custom: [
    {
      endpoint: "https://7rgu0tycoc.execute-api.eu-west-2.amazonaws.com/dev",
      name: "ApiGatewayRestApi",
      region: "eu-west-2",
    },
  ],
  aws_cognito_region: "eu-west-2",
  aws_project_region: "eu-west-2",
  aws_user_pools_id: "eu-west-2_NkmYrUbwZ",
  aws_user_pools_web_client_id: "1m6r4t2tn75mlr9koi6okdh045",
};
  • If applicable, please provide your manual configuration example:
Auth.configure({
  oauth: {
    domain: "report-support-dev.auth.eu-west-2.amazoncognito.com",
    scope: ["email", "openid"],
    redirectSignIn: "http://localhost:3030",
    redirectSignOut: "http://localhost:3030",
    responseType: "code",
  },
});
  • If applicable, provide more configuration data, for example for Amazon Cognito, run aws cognito-idp describe-user-pool --user-pool-id us-west-2_xxxxxx (Be sure to remove any sensitive data)
Environment
  System:
    OS: macOS 10.15.4
    CPU: (12) x64 Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
    Memory: 317.27 MB / 32.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 14.1.0 - /usr/local/bin/node
    Yarn: 1.22.4 - /usr/local/bin/yarn
    npm: 6.14.5 - ~/Code/report-support/node_modules/.bin/npm
  Browsers:
    Chrome: 83.0.4103.61
    Firefox: 76.0.1
    Safari: 13.1
  npmPackages:
    @aws-amplify/auth: 3.2.7 => 3.2.7 
    @aws-amplify/core: ^3.2.2 => 3.2.9 
    @aws-amplify/ui: ^2.0.2 => 2.0.2 
    @babel/core: ^7.4.5 => 7.10.1 
    @babel/preset-env: ^7.4.5 => 7.10.1 
    @sentry/browser: ^5.15.5 => 5.15.5 
    @sentry/cli: ^1.52.3 => 1.53.0 
    @sentry/node: ^5.15.5 => 5.15.5 
    @types/chance: ^1.1.0 => 1.1.0 
    @types/cookie-parser: ^1.4.1 => 1.4.2 
    @types/csurf: ^1.9.35 => 1.9.36 
    @types/enzyme: ^3.9.3 => 3.10.5 
    @types/enzyme-adapter-react-16: ^1.0.5 => 1.0.6 
    @types/express: ^4.16.1 => 4.17.6 
    @types/jest: ^24.0.13 => 24.9.1 
    @types/multer: ^1.4.0 => 1.4.3 
    @types/node: ^12.0.3 => 12.12.42 
    @types/number-to-words: ^1.2.0 => 1.2.0 
    @types/qrcode.react: ^1.0.0 => 1.0.1 
    @types/react: ^16.8.19 => 16.9.35 
    @types/react-beautiful-dnd: ^12.1.1 => 12.1.3 
    @types/react-dom: ^16.8.4 => 16.9.8 
    @types/react-router-dom: ^5.0.0 => 5.1.5 
    @types/react-router-hash-link: ^1.2.1 => 1.2.1 
    @types/slug: ^0.9.1 => 0.9.1 
    @typescript-eslint/eslint-plugin: ^2.0.0 => 2.34.0 
    @typescript-eslint/parser: ^2.0.0 => 2.34.0 
    apexcharts: ^3.16.1 => 3.19.2 
    apollo-cache: ^1.3.4 => 1.3.5 
    apollo-cache-inmemory: ^1.6.5 => 1.6.6 
    apollo-client: ^2.4.7 => 2.6.10 
    apollo-link: ^1.2.13 => 1.2.14 
    apollo-link-http: ^1.5.16 => 1.5.17 
    apollo-utilities: ^1.3.3 => 1.3.4 
    awesome-typescript-loader: ^5.2.1 => 5.2.1 
    aws-amplify-react: ^4.1.5 => 4.1.12 
    aws-amplify-serverless-plugin: ^1.4.1 => 1.4.1 
    aws-appsync-auth-link: ^2.0.1 => 2.0.2 
    aws-appsync-subscription-link: ^2.0.1 => 2.1.0 
    aws-sdk: 2.631.0 => 2.631.0 
    axios: ^0.19.0 => 0.19.2 
    babel-loader: ^8.0.6 => 8.1.0 
    body-parser: ^1.19.0 => 1.19.0 
    bulma: ^0.8.0 => 0.8.2 
    caniuse-lite: ^1.0.30001039 => 1.0.30001066 
    chance: ^1.1.5 => 1.1.6 
    concurrently: ^5.0.0 => 5.2.0 
    cookie-parser: ^1.4.4 => 1.4.5 
    copy-webpack-plugin: ^6.0.1 => 6.0.1 
    core-js: ^3.2.1 => 3.6.5 
    css-loader: ^3.2.0 => 3.5.3 
    css-vars-ponyfill: ^2.1.2 => 2.3.1 
    cssnano: ^4.1.10 => 4.1.10 
    csurf: ^1.10.0 => 1.11.0 
    element-matches-polyfill: ^1.0.0 => 1.0.0 
    enzyme: ^3.10.0 => 3.11.0 
    enzyme-adapter-react-16: ^1.14.0 => 1.15.2 
    eslint: ^6.2.2 => 6.8.0 
    eslint-config-prettier: ^6.1.0 => 6.11.0 
    eslint-plugin-prettier: ^3.1.0 => 3.1.3 
    eslint-plugin-security: ^1.4.0 => 1.4.0 
    eslint-watch: ^6.0.1 => 6.0.1 
    express: ^4.17.1 => 4.17.1 
    express-handlebars: ^4.0.0 => 4.0.4 
    graphql: ^14.6.0 => 14.6.0 
    graphql-tag: ^2.10.1 => 2.10.3 
    helmet: ^3.18.0 => 3.22.0 
    imagemin-webpack-plugin: ^2.4.2 => 2.4.2 
    inquirer: ^7.0.0 => 7.1.0 
    jest: ^24.8.0 => 24.9.0 
    jest-cli: ^24.8.0 => 24.9.0 
    jest-extended: ^0.11.5 => 0.11.5 
    lodash: ^4.17.11 => 4.17.15 
    lost: ^8.3.1 => 8.3.1 
    mini-css-extract-plugin: ^0.9.0 => 0.9.0 
    moment: ^2.24.0 => 2.26.0 
    morgan: ^1.9.1 => 1.10.0 
    multer: ^1.4.2 => 1.4.2 
    node-sass: ^4.12.0 => 4.14.1 
    number-to-words: ^1.2.4 => 1.2.4 
    on-build-webpack: ^0.1.0 => 0.1.0 
    pg: ^8.0.0 => 8.2.1 
    postcss-css-variables: ^0.17.0 => 0.17.0 
    postcss-cssnext: ^3.1.0 => 3.1.0 
    postcss-import: ^12.0.1 => 12.0.1 
    postcss-reporter: ^6.0.1 => 6.0.1 
    prettier: ^2.0.2 => 2.0.5 
    qrcode.react: ^1.0.0 => 1.0.0 
    react: ^16.8.6 => 16.13.1 
    react-apexcharts: ^1.3.6 => 1.3.7 
    react-apollo: ^3.1.3 => 3.1.5 
    react-app-polyfill: ^1.0.3 => 1.0.6 
    react-beautiful-dnd: ^13.0.0 => 13.0.0 
    react-dom: ^16.8.6 => 16.13.1 
    react-router-dom: ^5.0.0 => 5.2.0 
    react-router-hash-link: ^1.2.2 => 1.2.2 
    react-scripts: ^3.0.1 => 3.4.1 
    report-validity: ^1.0.1 => 1.0.1 
    s3-deploy: ^1.3.0 => 1.4.0 
    sass-loader: ^8.0.0 => 8.0.2 
    sequelize: ^5.8.7 => 5.21.11 
    serverless: ^1.44.1 => 1.71.3 
    serverless-appsync-plugin: ^1.1.1 => 1.3.0 
    serverless-http: ^2.0.2 => 2.5.0 
    serverless-offline: ^5.0.1 => 5.12.1 
    serverless-plugin-aws-alerts: ^1.4.0 => 1.5.0 
    serverless-plugin-typescript: ^1.1.7 => 1.1.9 
    sharp: ^0.25.1 => 0.25.3 
    slug: ^3.0.1 => 3.2.0 
    source-map-support: ^0.5.12 => 0.5.19 
    tmp-promise: ^3.0.2 => 3.0.2 
    trix: ^1.1.1 => 1.2.3 
    ts-jest: ^24.0.2 => 24.3.0 
    typescript: ^3.4.5 => 3.9.3 
    umzug: ^2.2.0 => 2.3.0 
    uuid: ^8.0.0 => 8.1.0 
    webpack: ^4.32.2 => 4.43.0 
    webpack-cli: ^3.3.2 => 3.3.11 
    webpack-dev-server: ^3.4.1 => 3.11.0 
    webpack-subresource-integrity: ^1.3.2 => 1.4.1 
    xkcd-password: ^2.0.0 => 2.0.0 
    xlsx-populate: ^1.19.1 => 1.21.0 

Smartphone (please complete the following information):

N/A

Additional context
AWS support case ID 7045885611 contains more information (for Amazon staff).

You can turn on the debug mode to provide more info for us by setting window.LOG_LEVEL = ‘DEBUG’; in your app.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 29 (6 by maintainers)

Most upvoted comments

@mrgoos the code was initially set up a while ago by a dev who left the team so I’m not sure what guide was followed. We don’t use the Amplify CLI though, just the libraries with aws-amplify-serverless-plugin to generate the exports file for each environment during deploy. We’re configuring the SAML integrations using the Cognito console, as far as I can tell CloudFormation doesn’t support that level of configuration, meaning we’re having to do it manually.

Can you try commenting out the scope attribute from the oauth configuration. Does it return the correct scope on the token with the old version of the library if you only pass one?

@cnorthwood could be a different issue, can you check if you see two network requests to .../tokenendpoint.

If you see more than one network request and the first succeeds, try to configure Amplify or Auth only once.