How to properly integrate AWS Cognito with Django Backend using Mozilla OIDC and React Frontend using Amplify?


Setup Context: Backend: built in Django, successfully integrated with Cognito through Mozilla OIDC, using a Confidential App Client with a secret key. Frontend: built in React, adding integration with Cognito through Amplify (with "Authenticator" from "@aws-amplify/ui-react"), using a Public App Client (no secret key). Migration: we have the following triggers enabled: "Migrate user Lambda trigger", "Pre authentication Lambda trigger", and "Pre sign-up Lambda trigger".

How do I believe the flow is supposed to work? (broadly speaking)

  1. User attempts to login from the frontend.
  2. Cognito checks for the user being in the UserPool.
  3. (a) If the user is found in the UserPool, it logs him in.
     (b) If the user is NOT found in the UserPool, it should trigger the UserMigration event.
  4. When the UserMigration event is triggered, the lambda handler checks in our database if the user exists there. If it exists, it seamlessly migrates him to the UserPool and logs him in, and the user is authenticated in the backend too (due to the Mozilla OIDC integration).

Current situation: The flow described above works perfectly when using the backend server and the Hosted UI from the backend. But, when attempting to log in from the frontend, it triggers the PreAuthentication_Authentication event:

{'version': '1', 'region': '********', 'userPoolId': '**********', 'userName': '1c9ae3a8-b507-417a-87c7-************', 'callerContext': {'awsSdkVersion': 'aws-sdk-unknown-unknown', 'clientId': '3hm6vvg******************'}, 'triggerSource': 'PreAuthentication_Authentication', 'request': {'userAttributes': {}, 'validationData': None, 'userNotFound': True}, 'response': {}}

but when it doesn't find the user in the UserPool ('userNotFound': True), it just throws an error "Incorrect username or password."

Can you detect any error in the configuration or setup? Am I missing something? Are we not supposed to use a Public App Client or a client without a secret key for this kind of setup? Clearly the Lambda has the permissions and works, because the frontend IS in fact triggering the "PreAuthentication_Authentication" event, just not triggering the "UserMigration_Authentication" (and for the attempts from the backend with Cognito's Hosted UI it triggers both and works perfectly).

1 Answer

Hello there,

Firstly, I would like to inform you that a secret on the app client does not impact Lambda triggers in any way.

As per my understanding of the flow described above, when "prevent user existence errors" is disabled and the user does not exist, ideally only the migrate user Lambda trigger should be invoked.

Amplify by default uses the 'USER_SRP_AUTH' auth flow. The 'USER_SRP_AUTH' flow is not supported by the UserMigration Lambda trigger.

Before you add a user migration trigger, activate the USER_PASSWORD_AUTH or ADMIN_USER_PASSWORD_AUTH flow in the settings of your app client. You must use these flows instead of the default USER_SRP_AUTH flow. Amazon Cognito must send a password to your Lambda function so that it can verify your user's authentication in the other directory. An SRP obscures your user's password from your Lambda function.

Please refer to:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html

So I would suggest overriding this by following:

https://aws-amplify.github.io/docs/js/authentication#manual-setup

```javascript
Amplify.configure({
  Auth: {
    // ...
    // OPTIONAL - Manually set the authentication flow type. Default is 'USER_SRP_AUTH'
    authenticationFlowType: 'USER_PASSWORD_AUTH'
  }
});
```

I have also found one third-party article regarding a similar issue. I would suggest you go through it:

https://github.com/aws-amplify/amplify-js/issues/2634

For a detailed discussion regarding the use case, I would suggest engaging support through a support case, so we know the resources involved and will be able to troubleshoot better.

I hope that the above information helps to address your concerns.

AWS
answered 3 months ago
  • Hi Anjali! First of all, thank you for your answer to my question, we didn't know about that, but we tried it, yet it won't recognize the flow we're manually setting.

    Even though we set Amplify.configure Auth to authenticationFlowType: 'USER_PASSWORD_AUTH', the payload is still showing as "AuthFlow": "USER_SRP_AUTH".

    Clearly you were spot on about the issue, but we can't get it to recognize the USER_PASSWORD_FLOW. (We have that flow enabled in the App client, and disabled the USER_SRP_FLOW.)
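To show what the answer's point means on the Lambda side, here is an added example of a Migrate user trigger handler in Python (the event above is a Python repr, so that is the assumed runtime); it is not code from the question, the answer, or AWS. The legacy user table, salt and password are constructed stand-ins for the Django database, and the handler only ever receives `request.password` under USER_PASSWORD_AUTH or ADMIN_USER_PASSWORD_AUTH, which is why the default USER_SRP_AUTH flow cannot drive a migration.

```python
import hashlib
import hmac

# Constructed stand-in for the legacy Django user table (email -> salted PBKDF2 hash).
# A real trigger would query the existing database; every value here is made up.
_SALT = b"constructed-salt"

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

LEGACY_USERS = {
    "alice@example.com": {"hash": _pbkdf2("correct horse battery"), "name": "Alice"},
}

def _legacy_lookup(username: str, password=None):
    """Return the legacy record, verifying the password when one is supplied."""
    record = LEGACY_USERS.get(username.lower())
    if record is None:
        return None
    if password is not None and not hmac.compare_digest(record["hash"], _pbkdf2(password)):
        return None
    return record

def lambda_handler(event, context=None):
    source = event.get("triggerSource")
    username = event["userName"]

    def attrs(rec):  # attributes Cognito writes onto the newly created pool user
        return {"email": username.lower(), "email_verified": "true", "name": rec["name"]}

    if source == "UserMigration_Authentication":
        # Cognito includes the password only for USER_PASSWORD_AUTH / ADMIN_USER_PASSWORD_AUTH;
        # under USER_SRP_AUTH this trigger is never invoked, so the user is simply "not found".
        password = event["request"].get("password")
        record = _legacy_lookup(username, password) if password else None
        if record is None:
            raise Exception("Bad credentials")  # sign-in fails, nothing is migrated
        event["response"]["userAttributes"] = attrs(record)
        event["response"]["finalUserStatus"] = "CONFIRMED"  # no forced password reset
        event["response"]["messageAction"] = "SUPPRESS"     # no welcome message
        return event
    if source == "UserMigration_ForgotPassword":
        record = _legacy_lookup(username)  # no password is available in this flow
        if record is None:
            raise Exception("Bad credentials")
        event["response"]["userAttributes"] = attrs(record)
        event["response"]["messageAction"] = "SUPPRESS"
        return event
    raise Exception(f"Unexpected trigger source: {source}")
```

Raising from the handler is what surfaces to the client as the generic "Incorrect username or password." error, so a missing password and a wrong password look identical from the frontend.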
