Amplify session expire/logout after using AWS SNS or AWS SES

0

[Note: unresolved question from before with new insights]

Environment:

  • iOS app with Amplify using Swift
  • Cognito User/Identity Pools for authentication
  • AWS SNS and SES services requiring authorized users
  • Authorization using Cognito tokens from Identity Pool

Problem:

  • I am using Amplify to automatically manage the auth flow of users within my app
  • I am using AWS SES and AWS SNS for various purposes within my app.
  • I can use these services within the app robustly and the auth states are managed successfully via Cognito tokens.
  • The user remains signed in throughout the app experience and the token refreshing capabilities work as desired (this has been validated thoroughly by logging and testing a variety of scenarios).
  • When I then terminate the app and launch it again, the user is no longer signed in and when I fetch the session the log outputs the following error (blurred out actual credential details):

Session: { "AWS Credentials" = "["accessKey": "...", "sessionToken": "...", "secretAccessKey": "...", "expiration": 2024-11-29 09:44:47 +0000]"; cognitoTokensError = "AuthError: There is no user signed in to retreive cognito tokens\nRecovery suggestion: Call Auth.signIn to sign in a user and then call Auth.fetchSession"; identityId = "..."; isSignedIn = false; userSubError = "AuthError: There is no user signed in to retreive user sub\nRecovery suggestion: Call Auth.signIn to sign in a user and then call Auth.fetchSession"; }

  • I have implemented a centralised auth management system which watches for changes to auth states such as session expiration or signouts using "Amplify.Hub.listen(to: .auth)" but there is no evidence of any expiration or signout throughout the entire use of the app.
  • As the user is signed out, it is not a matter of token expiration/renewal as was previously suggested, as there is no user to retrieve tokens.

Attempted Solutions:

  • Force refreshing the cognito tokens after using SNS or SES to ensure that Amplify and AWS have synchronised credentials and would not lead to any inconsistencies.
  • Decoupled the AWS service authentication from Amplify.
  • More robust error handling and retry mechanisms

I am truly lost at this point so any help or direction is appreciated.

1 Answer
0

Based on the information provided, it appears that you're experiencing an unexpected sign-out issue with AWS Amplify in your iOS app after using AWS SNS or SES services. This problem seems to persist even after app termination and relaunch, despite your efforts to manage authentication states and token refreshing.

The error message you're seeing indicates that there is no signed-in user when you try to fetch the session after relaunching the app. This suggests that the user's authentication state is not being properly persisted or restored between app sessions.

Here are some potential reasons and solutions to consider:

  1. Token Persistence: Ensure that Amplify is configured to persist authentication tokens locally. Check your Amplify configuration to make sure token persistence is enabled.

  2. Keychain Issues: On iOS, Amplify typically uses the device's Keychain to store authentication information. There might be an issue with Keychain access or data storage. Verify that your app has the necessary Keychain entitlements and that there are no restrictions preventing Amplify from accessing the Keychain.

  3. Amplify Version: Ensure you're using the latest version of Amplify libraries. There might have been bug fixes or improvements related to authentication state management in newer versions.

  4. Auth State Listener: While you mentioned implementing a centralized auth management system using Amplify.Hub.listen(to: .auth), double-check that it's correctly set up to handle all possible auth state changes, including those that might occur during background app states.

  5. AWS SDK Conflicts: If you're using the AWS SDK directly for SNS and SES alongside Amplify, there might be conflicts in how credentials are managed. Ensure that you're using consistent authentication methods across your app.

  6. Global Sign-Out: Check if there's any unintended global sign-out occurring. A global sign-out invalidates all refresh tokens issued to a user across all devices.

  7. Session Duration: Verify the session duration settings in your Cognito User Pool. If the session duration is set too short, it might cause unexpected logouts.

  8. Error Handling: Implement more comprehensive error handling around authentication operations, especially when the app returns to the foreground or launches. This might help identify the exact point where the authentication state is lost.

  9. Logging: Implement detailed logging for authentication states, token refreshes, and AWS service calls to help pinpoint where the issue occurs.

If none of these suggestions resolve the issue, you may need to reach out to AWS Support for more in-depth troubleshooting, as this behavior seems unusual given the robust nature of Amplify's authentication management.
Sources
Sign-out - AWS Amplify Gen 2 Documentation

answered 8 days ago
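
The launch-time error handling and logging suggested in points 8 and 9 of the answer above could look like the following. This is an added example, not code from the question's author or from the Amplify project. It assumes Amplify Swift v2 with AWSCognitoAuthPlugin already configured, and `AuthDiagnostics` with its methods is a hypothetical helper name.

```swift
import Foundation
import Amplify
import AWSCognitoAuthPlugin
import AWSPluginsCore

// Hypothetical helper, not part of Amplify. Assumes Amplify Swift v2 and that
// Amplify.configure() has already run with AWSCognitoAuthPlugin added.
enum AuthDiagnostics {
    private static var hubToken: UnsubscribeToken?

    private static func log(_ message: String) {
        print("[auth-diag] \(Date()) \(message)")
    }

    /// Record every auth Hub event so a sign-out or expiry can be tied to a time.
    static func startListening() {
        hubToken = Amplify.Hub.listen(to: .auth) { payload in
            switch payload.eventName {
            case HubPayload.EventName.Auth.signedIn: log("hub: signedIn")
            case HubPayload.EventName.Auth.signedOut: log("hub: signedOut")
            case HubPayload.EventName.Auth.sessionExpired: log("hub: sessionExpired")
            case HubPayload.EventName.Auth.userDeleted: log("hub: userDeleted")
            default: log("hub: \(payload.eventName)")
            }
        }
    }

    /// Log which parts of the session exist, never the token or key values.
    static func logSessionState(_ label: String) async {
        do {
            let session = try await Amplify.Auth.fetchAuthSession()
            log("\(label): isSignedIn=\(session.isSignedIn)")
            if let provider = session as? AuthCognitoTokensProvider {
                switch provider.getCognitoTokens() {
                case .success: log("\(label): user pool tokens present")
                case .failure(let error): log("\(label): no user pool tokens: \(error.errorDescription)")
                }
            }
            if let provider = session as? AuthAWSCredentialsProvider {
                switch provider.getAWSCredentials() {
                case .success: log("\(label): AWS credentials present")
                case .failure(let error): log("\(label): no AWS credentials: \(error.errorDescription)")
                }
            }
        } catch {
            log("\(label): fetchAuthSession failed: \(error)")
        }
    }
}
```

Calling `AuthDiagnostics.startListening()` and `await AuthDiagnostics.logSessionState("launch")` right after configuration, then `logSessionState` again after each SNS or SES call, shows at which step the user pool tokens stop being available while keeping credential values out of the logs.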