cognito-at-edge: 503 ERROR due to lambda timeout after tokens are fetched

What happened:

My cloudfront dist redirects me to the cognito login UI and I successfully auth. After that, I get directed to the cloudfront 503 error page rather than my s3 static content:

503 ERROR
The request could not be satisfied.
The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

Generated by cloudfront (CloudFront)
Request ID: BO_FjHzTRlnA-HWDVRWznjZbcpOBBMjEAT2mwvZUxje6BITPn2bbJg==

The logs in my lambda@edge appear to show the initial invocation successfully redirecting the user to the UI page:

logs
{
    "level": 20,
    "time": 1705676579380,
    "msg": "Handling Lambda@Edge event",
    "event": {
        "Records": [ ....big blob redacted here ]
    }
}
{
    "level": 20,
    "time": 1705676579400,
    "msg": "Cookies weren't present in the request"
}
{
    "level": 20,
    "time": 1705676579400,
    "msg": "User isn't authenticated: Error: Cookies weren't present in the request"
}
{
    "level": 20,
    "time": 1705676579400,
    "msg": "Redirecting user to Cognito User Pool URL https://***********"
}

Then after entering my login credentials, after 5s I am presented with the 503 screen in the browser. The lambda appears to time out after fetching the tokens.

logs
{
    "level": 20,
    "time": 1705676947082,
    "msg": "Handling Lambda@Edge event",
    "event": {
        "Records": [...redacted blob]
    }
}
{
    "level": 20,
    "time": 1705676947102,
    "msg": "Cookies weren't present in the request"
}
{
    "level": 20,
    "time": 1705676947102,
    "msg": "User isn't authenticated: Error: Cookies weren't present in the request"
}
{
    "level": 20,
    "time": 1705676947102,
    "msg": "Fetching tokens from grant code...",
    "request": {
        "url": "https://****.auth.****.amazoncognito.com/oauth2/token",
        "method": "POST",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded"
        },
        "data": "client_id=******&code=******&grant_type=authorization_code&redirect_uri=******.cloudfront.net"
    },
    "code": "******"
}
{
    "level": 20,
    "time": 1705676949484,
    "msg": "Fetched tokens",
    "tokens": {
        "id_token": "*****",
        "access_token": "****",
        "refresh_token": "****",
        "expires_in": 28800,
        "token_type": "Bearer"
    }
}

About this issue

  • State: open
  • Created 5 months ago
  • Reactions: 2
  • Comments: 21 (10 by maintainers)

Most upvoted comments

Got it. I can just use patch-package for now. Since this is an issue I believe being able to conditionally turn off the use of refresh tokens should be useful to more than just two of us

I had the same issue too and so far this worked for me, or maybe I just haven’t tested it properly.

@lenfree I’ve put that line process.env['AWS_NODEJS_CONNECTION_REUSE_ENABLED'] = '1'; outside of the handler, and it didn’t seem to improve the situation. Or did I not do it correctly? Thanks

I think it needs to be inside the handler, at least that’s how I configured it.

Ohh I see, I should give it a try 🤔

@ckifer yes that’s the only way as far as I know, I can make a PR later when I have time on the weekend (but not sure how useful it would be to people).

That’s actually a solid workaround, nice!

Oops, actually it didn’t help, I tested it wrong. I understand the issue on my end a bit better, and turns out I have the same problem as you @ckifer. When a token is expired it has to verify the token, then verify the refresh token and then fetch the new token - process seems to take longer than 5s time limit when cognito and cloudfront locations are far apart. I still have the timeout increased for the SimpleJsonFetcher in place but it hasn’t really resolved it for me. Did you manage to find something that fixes it @ckifer ? Thanks

Hey guys, I was having the same issue, and thankfully I was able to come across this issue and resolve the problem with what @mishabruml has suggested, thanks 🙏 .
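The failure mode described in the original post (the function dying after the token fetch) and in the later comment (verify token, verify refresh token, fetch new tokens adding up to more than the 5s limit) has a general defensive shape: give the whole sequence a time budget below the platform limit and turn a blown budget into a redirect back to the login page, rather than letting CloudFront report a 503. The following is an added example and is not code from cognito-at-edge or from anyone in this thread. It assumes hypothetical `verifyIdToken`, `verifyRefreshToken` and `refreshTokens` functions passed in as `deps` (stand-ins for the library's own calls), a `loginUrl` for the hosted UI, and the 5 s limit quoted in the thread; the `Budget` class also records how long each step took so the log line names the step that overran.

```javascript
'use strict';

// Added example, not cognito-at-edge code. Lambda@Edge viewer-request functions are
// cut off at the 5 s limit mentioned in the thread; the original post's logs show the
// token exchange alone taking about 2.4 s. Rather than let the function run past the
// limit (which CloudFront reports as a 503), each step of the verify -> verify refresh
// token -> fetch new tokens sequence is raced against the time still left, and a
// timeout turns into a redirect to the login page, with per-step timings for the log.
const EDGE_TIMEOUT_MS = 5000;   // platform limit quoted in the thread
const HEADROOM_MS = 500;        // left over for building and returning the response

class TimeoutError extends Error {
  constructor(step, budgetMs) {
    super(`${step} exceeded remaining budget of ${budgetMs} ms`);
    this.name = 'TimeoutError';
    this.step = step;
  }
}

// Resolve like `promise`, or reject with TimeoutError once budgetMs has elapsed.
function withDeadline(promise, budgetMs, step) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new TimeoutError(step, budgetMs)), budgetMs);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Tracks the time left in the function's budget and records how long each step took,
// so a timeout in the log names the step that pushed the total over the limit.
class Budget {
  constructor(totalMs = EDGE_TIMEOUT_MS - HEADROOM_MS, clock = Date.now) {
    this.clock = clock;
    this.deadline = clock() + totalMs;
    this.timings = {};
  }

  remaining() {
    return this.deadline - this.clock();
  }

  async step(name, fn) {
    const remaining = this.remaining();
    if (remaining <= 0) throw new TimeoutError(name, 0);
    const started = this.clock();
    try {
      return await withDeadline(fn(), remaining, name);
    } finally {
      this.timings[name] = this.clock() - started;
    }
  }
}

// CloudFront-shaped 302 that sends the viewer back to the hosted UI instead of a 503.
function redirectToLogin(loginUrl) {
  return {
    status: '302',
    statusDescription: 'Found',
    headers: {
      location: [{ key: 'Location', value: loginUrl }],
      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
    },
  };
}

// deps is a hypothetical object of async functions standing in for the library's own
// calls: verifyIdToken(request) -> { expired }, verifyRefreshToken(request),
// refreshTokens(request) -> new token set. All three share one Budget.
async function refreshWithinBudget(request, deps, loginUrl, budget = new Budget()) {
  try {
    const claims = await budget.step('verifyIdToken', () => deps.verifyIdToken(request));
    if (!claims.expired) {
      return { outcome: 'valid', timings: budget.timings };
    }
    await budget.step('verifyRefreshToken', () => deps.verifyRefreshToken(request));
    const tokens = await budget.step('refreshTokens', () => deps.refreshTokens(request));
    return { outcome: 'refreshed', tokens, timings: budget.timings };
  } catch (err) {
    // Both a slow step and an invalid token end in a fresh login; only the
    // reason differs, and the failing step is kept for the log line.
    const failedStep = err instanceof TimeoutError ? err.step : null;
    return {
      outcome: 'redirect',
      reason: failedStep ? 'timeout' : 'invalid',
      failedStep,
      response: redirectToLogin(loginUrl),
      timings: budget.timings,
    };
  }
}
```

The budget is shared across the three steps on purpose: a slow token exchange eats into what is left for the remaining steps, which is exactly the sequence the comment above describes. Whether a redirect loop results (a user who always lands on an expired token) is a separate concern, and the `timings` object is what you would log to find out which step is slow for a given edge location.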