Comments (12)
Reproduced this issue and tracked it down to what I think is a bug in the Cognito hosted UI. The button to sign you in has a malformed link in it. Malformed because URL encoding has been undone:
onclick="window.location.href='/oauth2/authorize?identity_provider=azuread&redirect_uri=https://dtnlf3ngbtlae.cloudfront.net/parseauth&response_type=CODE&client_id=2knta0on4nrficrr56eomlnlat&state={\"nonce\":\"Tmaw0sx_MzhSLUrL\",\"requestedUri\":\"\/\"}&code_challenge=Dz9TSnEQ4qvZ
Now the "{" and "}" in the state parameter in there trigger the error. If you change them manually to %7B and %7D, their proper URL encoded values, then the URL does work and you sign in nicely.
The Lambda@Edge functions we use to redirect to Cognito do use nicely encoded URLs, with %7B and %7D in there, but this is apparently decoded somewhere by Cognito when forming the link under the button.
We could probably work around this issue by not using a URL-encoded JSON object, but then another scheme must be invented to encode the two state values (nonce and requested URI) in one string. I might get to that, but meanwhile I will log this issue to the Cognito team also. I suggest you do the same, if this is important to you (raise a support ticket).
from cloudfront-authorization-at-edge.
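The comment above describes the failure mode (percent-encoded JSON in `state` being decoded once more by the hosted UI, so `{`, `}` and `"` end up raw in the link) and suggests encoding the two state values in a different scheme. The following is an added example, not code from cloudfront-authorization-at-edge or from the commenter: it models the decode step as a plain `decodeURIComponent` over the whole URL (an assumption about the hosted UI's behaviour, not verified), builds the authorize link with both the JSON scheme and a base64url scheme, and checks which one still yields a well-formed query string afterwards. The hostnames, client id and provider name are placeholders.

```javascript
// Added example; not the project's own code. Models the thread's observation
// that the Cognito hosted UI undoes percent-encoding once when it builds the
// sign-in button link, and compares two ways of packing {nonce, requestedUri}
// into the OAuth2 `state` parameter.

// Characters RFC 3986 allows in a query component ('%' kept for pct-encoding).
// '{', '}' and '"' are not in this set, which is what the thread says triggers
// the 400 from Cognito.
const RFC3986_QUERY_SAFE = /^[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$/;

// Constructed sample state, mirroring the two values the thread mentions.
const STATE = { nonce: "Tmaw0sx_MzhSLUrL", requestedUri: "/" };

// Scheme A: percent-encoded JSON (the approach the thread found to break).
function encodeStateJson(state) {
  return encodeURIComponent(JSON.stringify(state));
}
function decodeStateJson(encoded) {
  return JSON.parse(decodeURIComponent(encoded));
}

// Scheme B: base64url of the JSON. Output alphabet is [A-Za-z0-9-_] with no
// padding, so the value is identical before and after any number of
// percent-decode passes.
function encodeStateB64url(state) {
  return Buffer.from(JSON.stringify(state), "utf8").toString("base64url");
}
function decodeStateB64url(encoded) {
  return JSON.parse(Buffer.from(encoded, "base64url").toString("utf8"));
}

// Builds the /oauth2/authorize link the edge function would redirect to.
// Host, client_id and provider name are placeholders (assumptions).
function buildAuthorizeUrl(stateParam) {
  return "https://example.auth.us-east-1.amazoncognito.com/oauth2/authorize" +
    "?identity_provider=MySAMLProvider" +
    "&redirect_uri=" + encodeURIComponent("https://example.cloudfront.net/parseauth") +
    "&response_type=code&client_id=CLIENTID" +
    "&state=" + stateParam;
}

// Assumed model of the hosted UI step: one full percent-decode of the URL
// before it is written into onclick="window.location.href='...'".
function hostedUiRewrite(url) {
  return decodeURIComponent(url);
}

// True if the query part of the rewritten link still contains only characters
// that are legal in an HTTP request-target query.
function linkIsWellFormed(url) {
  const query = url.split("?")[1] || "";
  return RFC3986_QUERY_SAFE.test(query);
}

// Runs both schemes through the modelled rewrite and also shows that the
// base64url state can still be recovered on the parseauth side.
function compareSchemes(state) {
  const jsonLink = hostedUiRewrite(buildAuthorizeUrl(encodeStateJson(state)));
  const b64Link = hostedUiRewrite(buildAuthorizeUrl(encodeStateB64url(state)));
  const b64Param = new URL(b64Link).searchParams.get("state");
  return {
    jsonLinkWellFormed: linkIsWellFormed(jsonLink), // false: raw '{', '"', '}'
    b64LinkWellFormed: linkIsWellFormed(b64Link),   // true
    b64RoundTrip: decodeStateB64url(b64Param),      // original nonce/requestedUri
  };
}

console.log(JSON.stringify(compareSchemes(STATE), null, 2));
```

Base64url only fixes the transport of the state; the nonce inside it still has to be compared against the nonce cookie on the callback, exactly as with the JSON form.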
Hi. Thanks for reporting this. I haven't spent any time at all on making this work with SAML federation. Would be great if it did. I'll try, when I have bandwidth, to spin up a SAML IDP and test this. If you can help out with this, creating a testing setup, that would help speed things up.
from cloudfront-authorization-at-edge.
I've had this example working with SAML but providing it was the only enabled provider on the user pool client, I was assuming the bug I saw was more to do with having multiple IDPs
from cloudfront-authorization-at-edge.
Which bug did you see @rikkuness ?
from cloudfront-authorization-at-edge.
I was getting an empty 400 response from Cognito itself; it only actually manifests when I enable more than one IDP on the Cognito client. From inspecting the requests, the only difference I could see was an additional field on the query string for identity_provider, but I didn't delve too much deeper.
from cloudfront-authorization-at-edge.
So you did get it working with one SAML IDP @rikkuness. It would be great if you could provide some pointers on your setup for @philross88 because he had issues setting it up. Or is the pointer to use only 1 federated IDP (SAML)?
from cloudfront-authorization-at-edge.
Yeah I don't think I did anything funky to get it working with SAML, as long as it's the only IDP on the client it seems to just default to that one and work okay!
from cloudfront-authorization-at-edge.
@philross88 can you give that a shot? Only allow the SAML IDP in your app client federation, not Cognito User Pool?
Then we need to figure out why this would not work for multiple IDPs. I still need to reproduce that though.
from cloudfront-authorization-at-edge.
Just want to confirm that I'm seeing the same issue here, and that enabling only the SAML provider works.
I'm using a SAML provider, and a Cognito User Pool.
When trying to login with both providers enabled, only the Cognito user pool works. When attempting to sign in using SAML (clicking the button on the Cognito page), I'm redirected to this URL: https://auth-xxxxxxx.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=MySAMLProvider&(...rest of query strings here)
The only difference between this and the URL when using a single provider is the addition of the identity_provider parameter in the query string (as noted by @rikkuness above). The rest of the parameters (state, requestUri, etc.) all exist as normal. The identity_provider parameter doesn't appear when enabling only one provider.
Additionally, if I launch the Cognito Hosted UI from the console, with both providers enabled, then I am able to login with the SAML provider, but the parseauth function fails on the callback, because a state variable isn't passed back in the query string, only a code parameter.
from cloudfront-authorization-at-edge.
I've opened PR #32 with a pretty primitive change that will enable you to use this with multiple identity providers. There might be a cleaner way, but this is currently working for our application.
from cloudfront-authorization-at-edge.
Workaround implemented in #32 by @ButkiewiczP
I have filed the original issue to the Cognito team. Closing this issue here now.
from cloudfront-authorization-at-edge.