amplify-js: PreAuthentication trigger not triggered in Custom Auth Flow
**Which Category is your question related to?** Auth
**What AWS Services are you utilizing?** Cognito
**Provide additional details e.g. code snippets**
I have an issue with the Cognito PreAuthentication trigger not being triggered when a user signs in.
We are using a Cognito user pool with only CUSTOM_AUTH_FLOW_ONLY auth to do a passwordless authentication system.
In my CloudFormation template I have configured a lambda to handle the trigger:
```yaml
# ...
PreAuthentication:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: build/lambda-triggers/pre-authentication/
    Handler: pre-authentication.handler
    Runtime: nodejs12.x
# ...
PreAuthenticationInvocationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !GetAtt PreAuthentication.Arn
    Principal: cognito-idp.amazonaws.com
    SourceArn: !GetAtt UserPool.Arn
# ...
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Ref UserPoolName
    Schema: # ...
    Policies: # ...
    UsernameAttributes:
      - email
    MfaConfiguration: "OFF"
    LambdaConfig:
      CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
      DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
      PreSignUp: !GetAtt PreSignUp.Arn
      PreAuthentication: !GetAtt PreAuthentication.Arn # Here
      VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallengeResponse.Arn
      PostAuthentication: !GetAtt PostAuthentication.Arn
# ...
UserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    ClientName: email-auth-client
    GenerateSecret: false
    UserPoolId: !Ref UserPool
    ExplicitAuthFlows:
      - CUSTOM_AUTH_FLOW_ONLY
```
For now the lambda implementation is useless:
```typescript
import { CognitoUserPoolTriggerHandler } from "aws-lambda";

export const handler: CognitoUserPoolTriggerHandler = async (
  event,
  context
) => {
  console.log(event, context);
  // return event;
  throw new Error("Is this really executed?");
};
```
When I deploy the lambda it appears correctly in the Cognito UI as the registered trigger.
But it is impossible to get the function executed on sign-in (or sign-up):
```typescript
const newCognitoUser = await AmplifyAuth.signIn({
  username: email,
  password: "",
  validationData: { some_data: "foo_bar" },
});
// No PreAuthentication lambda triggered
// Other triggers work perfectly.
```
Is this an issue with Amplify or is that an issue with my understanding of the auth process?
About this issue
- State: open
- Created 4 years ago
- Reactions: 2
- Comments: 41 (9 by maintainers)
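To make the flow discussed in this issue concrete, here is an added example (not code from amplify-js, the original poster, or AWS) of the three challenge triggers that actually run in a CUSTOM_AUTH flow, plus a small in-memory driver that plays the role Cognito plays between InitiateAuth and RespondToAuthChallenge. The event field names (request.session, response.challengeName, issueTokens, failAuthentication, privateChallengeParameters, challengeMetadata, answerCorrect) follow Cognito's documented trigger contract, declared inline so the file type-checks without @types/aws-lambda; the handler names, the `CODE-` challengeMetadata convention, the `deliver` callback and the injected `generateCode` function are this example's own assumptions. Note that PreAuthentication has no place in this sequence, which is consistent with what the thread reports. The example also shows two defensive details: the one-time code is reused across retries so a wrong answer does not cause another message to be sent, and attempts are capped.

```typescript
// Added example, not from the amplify-js issue: a passwordless custom-auth state machine
// for Amazon Cognito. Event shapes are declared inline (assumption: they mirror the
// Cognito trigger contract closely enough for illustration).
interface ChallengeResult {
  challengeName: string;
  challengeResult: boolean;
  challengeMetadata?: string;
}
interface DefineAuthChallengeEvent {
  request: { session: ChallengeResult[]; userNotFound?: boolean };
  response: { challengeName?: string; issueTokens: boolean; failAuthentication: boolean };
}
interface CreateAuthChallengeEvent {
  request: { session: ChallengeResult[]; userAttributes: Record<string, string> };
  response: {
    publicChallengeParameters: Record<string, string>;
    privateChallengeParameters: Record<string, string>;
    challengeMetadata: string;
  };
}
interface VerifyAuthChallengeEvent {
  request: { privateChallengeParameters: Record<string, string>; challengeAnswer: string };
  response: { answerCorrect: boolean };
}

const MAX_ATTEMPTS = 3; // wrong answers allowed before the session is failed

// DefineAuthChallenge: decides the next step purely from the challenge history in the session.
function defineAuthChallenge(event: DefineAuthChallengeEvent): DefineAuthChallengeEvent {
  const attempts = event.request.session.filter((s) => s.challengeName === "CUSTOM_CHALLENGE");
  const solved = attempts.some((s) => s.challengeResult);
  if (event.request.userNotFound || (!solved && attempts.length >= MAX_ATTEMPTS)) {
    event.response.issueTokens = false;
    event.response.failAuthentication = true;
  } else if (solved) {
    event.response.issueTokens = true;
    event.response.failAuthentication = false;
  } else {
    event.response.issueTokens = false;
    event.response.failAuthentication = false;
    event.response.challengeName = "CUSTOM_CHALLENGE";
  }
  return event;
}

// CreateAuthChallenge: issues the one-time code. On a retry the code carried in the previous
// session entry's challengeMetadata is reused, so a wrong answer does not send a new message.
function createAuthChallenge(
  event: CreateAuthChallengeEvent,
  generateCode: () => string, // hypothetical injectable generator (assumption)
  deliver: (destination: string, code: string) => void, // hypothetical SMS/email sender (assumption)
): CreateAuthChallengeEvent {
  const previous = event.request.session[event.request.session.length - 1];
  const meta = previous ? previous.challengeMetadata : undefined;
  let code: string;
  if (meta && meta.indexOf("CODE-") === 0) {
    code = meta.slice("CODE-".length);
  } else {
    code = generateCode();
    deliver(event.request.userAttributes.email, code);
  }
  event.response.publicChallengeParameters = { email: event.request.userAttributes.email };
  event.response.privateChallengeParameters = { secretLoginCode: code };
  event.response.challengeMetadata = "CODE-" + code;
  return event;
}

// Constant-time comparison: the loop always runs over the full length, so the time taken does
// not depend on how many leading characters match (codes have a fixed length, so the length
// check leaks nothing useful).
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// VerifyAuthChallengeResponse: checks the client's answer against the private parameter.
function verifyAuthChallengeResponse(event: VerifyAuthChallengeEvent): VerifyAuthChallengeEvent {
  const expected = event.request.privateChallengeParameters.secretLoginCode || "";
  event.response.answerCorrect = constantTimeEqual(event.request.challengeAnswer, expected);
  return event;
}

// Stand-in for Cognito's orchestration (assumption: simplified). Feeds the client's answers in
// order and reports the outcome and how many codes were actually delivered.
function runPasswordlessFlow(
  email: string,
  answers: string[],
  generateCode: () => string,
): { outcome: "tokens" | "failed" | "pending"; codesSent: number } {
  const session: ChallengeResult[] = [];
  let codesSent = 0;
  let next = 0;
  for (;;) {
    const define = defineAuthChallenge({
      request: { session: session.slice() },
      response: { issueTokens: false, failAuthentication: false },
    });
    if (define.response.issueTokens) return { outcome: "tokens", codesSent };
    if (define.response.failAuthentication) return { outcome: "failed", codesSent };
    const create = createAuthChallenge(
      {
        request: { session: session.slice(), userAttributes: { email } },
        response: { publicChallengeParameters: {}, privateChallengeParameters: {}, challengeMetadata: "" },
      },
      generateCode,
      () => { codesSent++; },
    );
    if (next >= answers.length) return { outcome: "pending", codesSent };
    const verify = verifyAuthChallengeResponse({
      request: { privateChallengeParameters: create.response.privateChallengeParameters, challengeAnswer: answers[next++] },
      response: { answerCorrect: false },
    });
    session.push({
      challengeName: "CUSTOM_CHALLENGE",
      challengeResult: verify.response.answerCorrect,
      challengeMetadata: create.response.challengeMetadata,
    });
  }
}

// Constructed sample run: one wrong answer, then the right one; only one code is sent.
console.log(runPasswordlessFlow("user@example.com", ["000000", "123456"], () => "123456"));
```

In a real deployment `generateCode` would draw from a CSPRNG and `deliver` would call SES or SNS; they are injected here so the flow can be exercised offline. The cap in `defineAuthChallenge` is what turns the challenge history into a hard limit on guesses, and the reuse of the code across retries is what keeps a guessing client from forcing repeated message sends.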
Same here, any updates on when this could be fixed?
After contacting the AWS support it's a known bug: the pre-authentication hook is not called on custom auth flow
any update on it?
I implemented custom challenge mode to add passwordless login with SMS code and wanted to prevent fraudulent SMS sending in case the recaptcha is missing (the SMS is sent in the create challenge trigger). The only trigger that seems to fit this purpose is pre auth since it does have access to the metadata that the client can send, but this trigger is not called with custom challenge mode…
This bug is killing us. We use a custom Cognito authentication flow (magic links) and we wanted to allow our users to choose to get their magic link via email or SMS. We wanted to use ClientMetadata from Auth.signIn in order to convey the information {sendLinkViaSms: boolean} so that our custom lambdas know whether to send an email or an SMS. The only trigger called with ClientMetadata on InitiateAuth is PreAuthentication (documented here). Our plan was to update a user custom attribute with this information, so that the trigger responsible for sending the magic link (CreateAuthChallenge) could read that info and send the message on the appropriate channel. But with this bug, we have no way of transmitting business logic information from the user to the Cognito triggers, seriously limiting our feature development capabilities.
Hit this issue as well… Would love to see this issue get fixed as it’s also impacting my passwordless workflow.
Any updates on this?
I appreciate the opportunity to delve deeper into this issue. We’ve been grappling with a significant limitation in AWS Cognito’s custom authentication flow, specifically concerning the pre auth Lambda trigger’s inability to discern which custom flow is being initiated. This is not just an inconvenience; it’s a critical bottleneck that’s been persisting for three years.
Amazon documentation indicates that clientMetadata should be passed to the lambda handler for the following triggers (Define Auth challenge, Create Auth challenge and Verify Auth challenge) but in reality the content of clientMetadata is never passed to the lambda.
Despite this bug, we've successfully implemented passwordless authentication. However, the rigidity of the system that results from this bug precludes us from adding additional authentication flows, such as one that would allow admin users to impersonate customers for support purposes, without convoluting our architecture. In effect, only one custom_flow can be implemented for any given pool until this issue is resolved.
This constraint has compelled us to rely on an external database for storing authentication metadata. Not only has this approach been cost-intensive to implement and deploy, but it has also introduced unnecessary complexity into our infrastructure, complicating our deployment process significantly.
Ideally, we would leverage clientMetadata to streamline this process, but the current bug hinders us. This would not only simplify our authentication flow but also enhance our system’s security and performance by reducing the dependency on external databases, which could be a potential vector for vulnerabilities.
Could your team, @nadetastic, consider providing an enhancement where the aforementioned triggers can receive information about the chosen authentication flow, or could you suggest an alternative approach that does not involve external databases?
Thank you for addressing this long-standing issue. Your guidance on potential workarounds or planned updates would be greatly appreciated, as it would significantly impact our development strategy and resource allocation.
Hi all,
Due to the activity on this issue, I'm gonna re-open this in order to provide communication regarding support for Cognito Triggers with Custom Auth Flows. As mentioned in some of the above comments (here and here), this is a limitation from Cognito. Will provide any information on this issue once there is an update from Cognito.
any news on this? 😃
Is there any development on this issue?
All, thank you for the feedback in regards to this. As @elorzafe has called out, this issue is not related to Amplify and more so to Amazon Cognito. Amplify is used as a proxy to AWS resources such as Amazon Cognito. We will look to talk to them internally about this; however, I do recommend reaching out to Amazon Cognito via their forums.
Would be nice to see it fixed though