Open Search: problems with Cognito not sending proper CORS headers


Hello,

In the us-east-1 region I have an AWS managed Open Search cluster. I created this cluster with Fine-grained access control enabled and the internal user database. I have enabled Cognito with this configuration:

  • a User pool
  • an Identity pool
  • with IAM role name: CognitoAccessForAmazonOpenSearch

I have a problem with Cognito. I can create new users from the AWS Cognito console and later use them to log in to the Open Search cluster. I can see Open Search indexes and run queries over the indexes. But I experience some weird behaviors; here they are, listed from the most to the least important:

  1. After having logged in using user and password, I can navigate Open Search normally (e.g. query my indexes or look at my dashboards). But then, after some X amount of seconds/minutes, I start seeing pop-ups in the bottom right corner showing a "forbidden" message, and if I open the Developer Console I see a lot of CORS issues. The CORS issues are due to Cognito, as it doesn't return the Allowed Origins header; in fact it is the Open Search website making calls to the Cognito API, not sure what for. I know my JWT tokens are not expiring because this issue happens a few moments after logging in, and the JWT tokens are configured like this:

  • Authentication flow session duration: 3 minutes
  • Refresh token expiration: 30 day(s)
  • Access token expiration: 1 day(s)
  • ID token expiration: 1 day(s)
  • Advanced authentication settings: Enable token revocation, Enable prevent user existence errors

The issue tends to happen more when I go to the Anomaly menu in Open Search. There is nothing in the documentation about CORS, Cognito and Open Search. This happens in any browser. I would have attached a HAR file but re:Post doesn't give me the option. The consequence of these CORS issues is that I can't do anything in the Open Search website. Sometimes the mentioned pop-up doesn't even appear, but the page stays blank and doesn't show anything. The message from the browser console is very clear:

(Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403

  2. Sometimes, after entering user and password, it seems like OpenSearch is trying to show the homepage, and after a few seconds it shows a pop-up saying "Sign In as..." and we have to select our user again. This doesn't make sense because we have previously entered our user and password successfully.

Issue number 1 is the most urgent for me. It prevents me from using the Open Search cluster normally. One would think that this is a bug in Cognito, as it is not allowing API calls from the Open Search domain.

Thanks to all!

3 Answers

Hello,

Thank you for reaching out with your question. I understand that you are running into an issue with Cognito and Open Search. The first issue you are seeing is that after an arbitrary amount of time you are getting a CORS issue, and the second issue is that you sometimes have to sign in twice. In order to best assist with this issue we would need to review the HAR file that you created that encompasses the error. I would recommend creating a ticket with AWS Support where you can attach the relevant HAR file, and an engineer can then assist with any additional troubleshooting for this specific issue.

Thank you.

AWS Support Engineer
answered 7 months ago

I'm having the same issue. After I log in, I get a screen with this message (screenshot not available here).

Checking in the developer console, all requests raise this error (or a similar one; all are related to CORS):

Access to <resource> at 'https://<cognito-subdomain>.auth.<region>.amazoncognito.com/login?response_type=code&client_id=<client_id>&redirect_uri=https://<os-subdomain>.<region>.es.amazonaws.com/_dashboards/app/home&state=<state>' (redirected from 'https://<os-subdomain>.<region>.es.amazonaws.com/_dashboards/ui/fonts/source_sans_3/SourceSans3-Light.otf.woff') from origin 'https://<os-subdomain>.<region>.es.amazonaws.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What are we missing? Why is Cognito not sending a proper CORS policy?

Thank you,

answered 6 months ago

I was able to make it work by adding the es:ESHttp* action to the policy attached to the logged-in user. It seems that the user needs to be able to perform all ESHttp actions in the dashboard to use it properly.

Thank you,

answered 6 months ago
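To make the fix in the last answer concrete, here is an added example (not code from this thread, from AWS or from the OpenSearch project) that puts the policy shape it describes next to a too-narrow one and runs a minimal IAM-style evaluator over a few constructed Dashboards requests. The account ID, region, domain name and request paths are made up, and the evaluator only models the Allow/Deny and wildcard rules it needs, not full IAM semantics. It shows why a policy that only grants es:ESHttpGet breaks pages such as Anomaly Detection, which also issue POST and PUT calls: those calls get a 403 from the domain, and the browser then reports the redirect to the Cognito hosted login page as a CORS error, which is what the console message in the second answer shows. One caveat for a domain with fine-grained access control enabled: the IAM policy on the Cognito authenticated role is necessary but not sufficient; that role also has to be mapped to an OpenSearch role in the security plugin (or be the master user).

```python
"""Added example: check an IAM policy for the es:ESHttp* grant the Cognito
authenticated role needs to use OpenSearch Dashboards.  All identifiers and
request paths below are constructed for illustration."""
from fnmatch import fnmatchcase

# Hypothetical identifiers (not from the original thread).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
DOMAIN = "my-domain"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT_ID}:domain/{DOMAIN}"

# Too narrow: only read requests are allowed, so any Dashboards feature that
# writes (saved objects, anomaly detectors, ...) gets a 403 from the domain.
TOO_NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["es:ESHttpGet"],
            "Resource": f"{DOMAIN_ARN}/*",
        }
    ],
}

# The shape the third answer describes: every ESHttp verb, scoped to this
# domain and every path under it rather than to "*".
WORKING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["es:ESHttp*"],
            "Resource": [DOMAIN_ARN, f"{DOMAIN_ARN}/*"],
        }
    ],
}

# Constructed sample of the kinds of calls Dashboards makes on the user's
# behalf.  The paths are illustrative, not the real Dashboards API.
DASHBOARD_CALLS = [
    ("es:ESHttpGet", f"{DOMAIN_ARN}/_dashboards/app/home"),
    ("es:ESHttpPost", f"{DOMAIN_ARN}/_dashboards/api/saved_objects/_find"),
    ("es:ESHttpPut", f"{DOMAIN_ARN}/_dashboards/api/anomaly_detectors/example"),
]


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are matched case-insensitively; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource_arn):
    """Resource ARNs are matched case-sensitively; '*' also crosses '/'."""
    return fnmatchcase(resource_arn, pattern)


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: explicit Deny wins, then any matching Allow,
    otherwise the default is deny.  Conditions and NotAction are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not any(_resource_matches(p, resource_arn) for p in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, calls=DASHBOARD_CALLS):
    """Return the (action, resource) pairs in `calls` that `policy` would refuse.
    An empty list means the role can make every sampled Dashboards request."""
    return [(a, r) for a, r in calls if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    print("too narrow, denied:", missing_permissions(TOO_NARROW_POLICY))
    print("working, denied:   ", missing_permissions(WORKING_POLICY))
```

Run it and the too-narrow policy reports the POST and PUT calls as denied while the working one reports none; swap in your own role's policy document (for example the JSON from `aws iam get-role-policy`) to check it the same way before touching the Dashboards settings.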
