Cognito Facebook IDP fails after signin

0

Good day!

We are planning to use a Cognito user pool for social login, following the developer's guide: Adding social identity providers to a user pool. Google IDP is working, but Facebook sends us to an error page after logging in: "Sorry, something went wrong."

Can you help us determine what we are doing wrong? Below is some information on our implementation.

1. Facebook App Inputs:

Domain
https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com

Website Site Url
https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com/login?response_type=code&client_id=<userpool-client-id>&redirect_uri=https://www.example.com

Valid OAuth Redirect URIs
https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com/oauth2/idpresponse

2. Cognito Userpool via CDK: Sample taken from the GitHub aws-samples cognito-idp-stack Facebook IDP. Added "public_profile" to the scopes per the developer's guide.

    import { Stack, StackProps } from "aws-cdk-lib";
    import * as cognito from "aws-cdk-lib/aws-cognito";
    import { Construct } from "constructs";

    export class FacebookIdpStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // Placeholders: the real values come from the Facebook app settings
        // (a secret should be loaded from Secrets Manager rather than hardcoded)
        const facebookAppId = "XXXXXXXXXXXXXXXX";
        const facebookAppSecret = "XXXXXXXXXXXXXXXXXXXXXXXX";
        const redirectUri = "https://www.example.com";

        // Cognito User Pool
        const userPool = new cognito.UserPool(this, "CognitoIDPUserPool", {
          userPoolName: "fb-idp-userpool",
          selfSignUpEnabled: false,
          signInAliases: {
            email: true,
            username: true,
          },
          standardAttributes: {
            email: {
              mutable: true,
              required: true,
            },
            givenName: {
              mutable: true,
              required: true,
            },
            familyName: {
              mutable: true,
              required: true,
            },
          },
        });

        // Facebook IDP: maps the Facebook profile fields onto the required attributes
        const idp = new cognito.UserPoolIdentityProviderFacebook(this, "FacebookIDP",
          {
            clientId: facebookAppId,
            clientSecret: facebookAppSecret,
            scopes: ["public_profile", "email"],
            userPool,
            attributeMapping: {
              email: cognito.ProviderAttribute.FACEBOOK_EMAIL,
              familyName: cognito.ProviderAttribute.FACEBOOK_LAST_NAME,
              givenName: cognito.ProviderAttribute.FACEBOOK_FIRST_NAME,
            },
          }
        );

        // Configure the user pool client application (public client, code grant)
        const userPoolClient = new cognito.UserPoolClient(this, "CognitoAppClient",
          {
            userPool,
            authFlows: {
              userPassword: true,
            },
            oAuth: {
              flows: {
                authorizationCodeGrant: true,
              },
              scopes: [
                cognito.OAuthScope.PHONE,
                cognito.OAuthScope.EMAIL,
                cognito.OAuthScope.PROFILE,
                cognito.OAuthScope.OPENID,
              ],
              callbackUrls: [redirectUri],
            },
            generateSecret: false,
            userPoolClientName: "Web",
            supportedIdentityProviders: [
              cognito.UserPoolClientIdentityProvider.FACEBOOK,
            ],
          }
        );

        // Make sure the user pool client is created after the IDP
        userPoolClient.node.addDependency(idp);

        // Add the hosted UI domain to the user pool
        userPool.addDomain("CognitoDomain", {
          cognitoDomain: {
            domainPrefix: "fb-idp-test",
          },
        });
      }
    }

Thank you very much!

Regards,

Cyrus

Cyrus
asked 8 months ago, 271 views
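As an added example (not code from the question or from aws-samples), a small script that derives the URLs a Cognito user pool domain exposes for a Facebook IdP from the CDK values above and checks the Facebook app settings from section 1 against them; mismatches here are a common cause of the hosted UI's generic error page. The region, domain prefix and callback URL are the question's own values; the client id is the question's placeholder.

```typescript
// Added example (not code from the question or aws-samples): derives the URLs
// a Cognito user pool domain exposes for a Facebook IdP from the CDK values
// above and checks the Facebook app settings from section 1 against them.
interface CognitoSetup { region: string; domainPrefix: string; callbackUrls: string[] }
interface FacebookAppSettings { appDomains: string[]; siteUrl: string; validOAuthRedirectUris: string[] }

// Hosted UI origin: https://<prefix>.auth.<region>.amazoncognito.com
function hostedUiOrigin(c: CognitoSetup): string {
  return `https://${c.domainPrefix}.auth.${c.region}.amazoncognito.com`;
}

// Endpoint the social IdP must be allowed to redirect back to.
function idpResponseUrl(c: CognitoSetup): string {
  return `${hostedUiOrigin(c)}/oauth2/idpresponse`;
}

function hostOf(u: string): string {
  return u.replace(/^https?:\/\//, "").replace(/\/.*$/, "");
}

// Returns findings; an empty list means the Facebook side matches Cognito.
function checkFacebookSettings(c: CognitoSetup, fb: FacebookAppSettings): string[] {
  const findings: string[] = [];
  const host = hostOf(hostedUiOrigin(c));
  if (!fb.appDomains.map(hostOf).includes(host)) {
    findings.push(`App Domains must include ${host}`);
  }
  if (!fb.validOAuthRedirectUris.includes(idpResponseUrl(c))) {
    findings.push(`Valid OAuth Redirect URIs must include ${idpResponseUrl(c)}`);
  }
  // The Site URL is only a hosted UI login link, but its redirect_uri must be
  // a callback URL registered on the app client or Cognito rejects the request.
  if (hostOf(fb.siteUrl) !== host) findings.push(`Site URL host should be ${host}`);
  const m = /[?&]redirect_uri=([^&]+)/.exec(fb.siteUrl);
  const redirect = m && m[1] ? decodeURIComponent(m[1]) : null;
  if (redirect !== null && !c.callbackUrls.includes(redirect)) {
    findings.push(`redirect_uri ${redirect} is not in callbackUrls`);
  }
  return findings;
}

// Values from the question (client id is the question's placeholder).
const cognitoSetup: CognitoSetup = { region: "ap-northeast-1", domainPrefix: "fb-idp-test", callbackUrls: ["https://www.example.com"] };
const fbSettings: FacebookAppSettings = {
  appDomains: ["https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com"],
  siteUrl: "https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com/login?response_type=code&client_id=<userpool-client-id>&redirect_uri=https://www.example.com",
  validOAuthRedirectUris: ["https://fb-idp-test.auth.ap-northeast-1.amazoncognito.com/oauth2/idpresponse"],
};
console.log(checkFacebookSettings(cognitoSetup, fbSettings)); // [] for the question's values
```

Running it against the question's values yields no findings, which is consistent with the accepted answer locating the problem on the Facebook app side rather than in the URLs.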
2 Answers
0
Accepted Answer

We found out that, unlike the Google app, which was readily in test mode, the Facebook app needs another step, which is to "Create Test App". From the Facebook apps list dropdown, select your app and tap on "Create Test App". It will generate another App ID and App Secret that should be registered in Cognito for testing. Might be a good idea to have this information added as a note in the developer guide.


Cyrus
answered 8 months ago
0

Hi,

Your code doesn't make any override of the Facebook API version. Documentation recommends 2.12 as per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-federation-with-social-idp.html

Facebook — Enter the app client ID and app client secret generated in the previous section, and then choose an API version (for example, version 2.12). We recommend choosing the latest possible version, as each Facebook API has a lifecycle and deprecation date. Facebook scopes and attributes can vary between API versions. We recommend testing your social identity log in with Facebook to ensure that federation works as intended.

The samples that you point to have a Facebook version variable (lines 57 & 320). But your code doesn't have such a variable. Default is probably not 2.12 as recommended, so you should set it.

In case you already overwrote the API version, did you try to create a trail with CloudTrail to get more information about the issue? The idea is to see if any call is made to the Cognito API and with which parameters.

See https://docs.aws.amazon.com/cognito/latest/developerguide/logging-using-cloudtrail.html on how to do it.

Please post those details when you have them if you need further support.

Hope it helps, Didier

AWS EXPERT
answered 8 months ago
  • Thank you for checking. From our investigation, the minimum version supported is now v11.0. And if not set (blank even in the console), the latest, v17.0, is used, so we left it as is. And, just now we found out what was causing our issue and it was very basic. We will add it as an answer. Thanks again.
