Comments (9)
Well mate...
I was so focused on making it work with this stack that I did not think of that.
So in that case both the Cognito login and the IdP login skip the parse auth Lambda (and won't use the Auth@Edge state generated by check-auth).
Thanks for your quick reply. It worked (for the few tests I just did).
Well, I still need to do a lot more tests to see how it behaves with the rest of the stack (refresh token and all). On top of that, I would want to reduce the number of cookies Amplify is returning; I will try to modify the behavior a bit in that sense.
And I need to try whether I can redirect directly to my home instead of my login, to avoid a useless load + redirect after auth.
Will get back to you on Monday with my different findings.
Thanks again! You already made my weekend ❤️
from cloudfront-authorization-at-edge.
Great question! Very interesting to read what you're up to.
So, matching AmplifyAuth.federatedSignIn with the parseAuth of this solution here does not work because they do state differently.
I think it's easiest to also handle the redirect from Cognito with Amplify (not parseAuth).
So make sure to use as redirectUri the unprotected piece of your site where you have Amplify running. Don't use /parseauth as redirect URI as it would trigger parseAuth.
Let Amplify automatically handle the redirect as it will, get JWTs and set them in cookies; that should work with Auth@Edge too from that moment on. That's the compatibility we intend: the cookies with the JWTs are recognized by Amplify as well as Auth@Edge, regardless of whether they were set by Amplify or Auth@Edge.
Haven't tried this though so it's unproven. Let me know what you run into.
NB: I was already checking how to inject the Auth@Edge state in the Amplify call, and then in the Edge get it back and transform it back into the correct format -_- So I'm avoiding quite a lot with this.
Okay let's see! You're welcome and I hope this is a good path forward for you 👍🏻👍🏻
Hello @ottokruse !
Sorry to come back this late, I had to prioritize other subjects.
During my tests of the refresh token flow I noticed something.
By default Amplify generates cookies with a dot before the domain (".mycookiedomain"). Reading about it, it's supposed to be a standard.
But when the refresh flow happens, instead of replacing the existing Amplify cookies, I get new ones without the dot in the domain. And the Expires/Max-Age goes to session as well (as mentioned in the blog).
The thing is that duplicating the already numerous cookies is problematic (too heavy requests, WAF rules, etc.).
My solution is to force the domain directly in the cookieSettings:
```json
"cookieSettings": {
  "idToken": "Secure; HttpOnly; SameSite=Lax; Path=/; Domain=.mywebsite.com",
  "refreshToken": "Secure; HttpOnly; SameSite=Lax; Path=/; Domain=.mywebsite.com",
  "nonce": "Secure; HttpOnly; Max-Age=300; SameSite=Lax; Path=/; Domain=.mywebsite.com"
},
```
That works. But again, weird. Did I misunderstand some configuration, or are those processes not compatible with Amplify (which forces the dot for the cookie domain)?
Another thing I'm struggling with is the current signOut process. It seems it only cleans the ID token. So in case you sign out with a user and then reconnect with another one, etc., you duplicate all the other Amplify cookies because the cookie has the username in its name.
So now I'm trying to update the signOut process to clean everything. I would love to be able to rename the Amplify cookies, but that's not possible, I would say...
Hi @AzaxSyndrom
> By default Amplify generates cookies with a dot before the domain (".mycookiedomain"). Reading about it, it's supposed to be a standard.
Actually it is better to not use the leading dot, because that makes cookies readable by subdomains too.
To get Amplify to work with that and prevent the double cookies that you see, use a single space " " as the Amplify cookieStorage domain setting:
```javascript
Amplify.configure({
  Auth: {
    // ...your other Auth settings
    cookieStorage: {
      domain: " ", // Use a single space " " for host-only cookies
      // ...your other cookieStorage settings
    },
  },
});
```
Read the comment here for more details: https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/996a07f6bee12b4b62503ac763d5465ee0a06a1c/src/cfn-custom-resources/react-app/index.ts#L64C23-L64C23
About the signOut only clearing the ID token: it should clear all cookies actually, so we need to dig in.
The reason this probably happens is that you cannot explicitly delete cookies, only overwrite them with an empty value and an expiry set (then the browser understands it must discard it). However, an overwrite like that only works if you use the exact same cookie settings as you did when you initially set the cookies. So e.g. exact same path, domain, etc. Have a look if that is the case for you? Note that this PR did fix an issue like this: #207. So make sure you are on a version of Auth@Edge that includes that fix (v2.1.2 onwards).
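The two points made in the last comments (host-only cookies versus a leading-dot Domain cookie, and a sign-out overwrite that must repeat the original Domain and Path to actually discard the cookie) can be checked with plain Set-Cookie header strings. The following is an added example, not code from cloudfront-authorization-at-edge, Amplify, or any of the commenters; the cookie name `idToken`, the `sample-jwt` value and the `mywebsite.com` hosts are constructed samples, and the domain-matching rules follow RFC 6265 (sections 5.1.3 and 5.2.3).

```javascript
// Added example (not from cloudfront-authorization-at-edge or the comments above).
// Models RFC 6265 cookie scoping and the "clear by overwrite" rule with plain
// Set-Cookie header values. All names, values and hosts are constructed samples.

const CLEAR_EXPIRES = 'Thu, 01 Jan 1970 00:00:00 GMT';

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Serialise name, value and an attribute map back into a Set-Cookie header value.
function buildSetCookie(name, value, attrs) {
  const out = [`${name}=${value}`];
  for (const [key, val] of Object.entries(attrs)) {
    if (val === true) out.push(key);
    else if (val !== false && val !== undefined && val !== null) out.push(`${key}=${val}`);
  }
  return out.join('; ');
}

// A cookie is host-only when it carries no usable Domain attribute. RFC 6265
// section 5.2.3 says an empty Domain value is ignored, which is why the
// single-space domain setting from the comment above yields host-only cookies.
function isHostOnly(cookie) {
  const d = cookie.attributes.domain;
  return d === undefined || d === true || d.trim() === '';
}

// Browsers ignore a leading dot in the Domain attribute (RFC 6265 section 5.2.3).
function normalizeDomain(domain) {
  return domain.trim().toLowerCase().replace(/^\./, '');
}

// RFC 6265 section 5.1.3: host domain-matches domain when equal or when host
// ends with "." + domain. This is what makes a Domain cookie visible to subdomains.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normalizeDomain(domain);
  return h === d || h.endsWith('.' + d);
}

// Would the browser send this cookie on a request to requestHost?
// setByHost is the host that issued the Set-Cookie (only matters for host-only cookies).
function cookieSentTo(cookie, setByHost, requestHost) {
  if (isHostOnly(cookie)) return setByHost.toLowerCase() === requestHost.toLowerCase();
  return domainMatches(requestHost, cookie.attributes.domain);
}

// Build the Set-Cookie that overwrites (and so discards) the cookie set by
// originalHeader: same name, Domain, Path and flags; empty value; expiry in the past.
function buildClearingHeader(originalHeader) {
  const c = parseSetCookie(originalHeader);
  const attrs = {};
  if (!isHostOnly(c)) attrs.Domain = c.attributes.domain;
  if (c.attributes.path !== undefined) attrs.Path = c.attributes.path;
  if (c.attributes.secure) attrs.Secure = true;
  if (c.attributes.httponly) attrs.HttpOnly = true;
  if (c.attributes.samesite !== undefined) attrs.SameSite = c.attributes.samesite;
  attrs.Expires = CLEAR_EXPIRES;
  attrs['Max-Age'] = 0;
  return buildSetCookie(c.name, '', attrs);
}

// Does clearHeader target the same stored cookie as setHeader? Browsers key cookies
// on (name, domain, path): a clear that omits Domain creates a second, host-only
// cookie instead of removing the original one, which is the duplication seen above.
function clearingMatches(setHeader, clearHeader) {
  const a = parseSetCookie(setHeader);
  const b = parseSetCookie(clearHeader);
  const dom = (c) => (isHostOnly(c) ? null : normalizeDomain(c.attributes.domain));
  // Simplification: when Path is absent the browser derives a default path from the
  // request URL (RFC 6265 section 5.1.4); that default is not modelled here.
  return a.name === b.name && dom(a) === dom(b) && a.attributes.path === b.attributes.path;
}

// Constructed sample: a Domain cookie like the cookieSettings above, and its clear.
const SAMPLE_SET = buildSetCookie('idToken', 'sample-jwt', {
  Secure: true, HttpOnly: true, SameSite: 'Lax', Path: '/', Domain: '.mywebsite.com',
});
const SAMPLE_CLEAR = buildClearingHeader(SAMPLE_SET);
```

Running `cookieSentTo` with a host-only cookie set by `www.mywebsite.com` against a request to `api.mywebsite.com` returns false, while the `Domain=.mywebsite.com` sample returns true, which is the subdomain exposure the comment warns about; `clearingMatches(SAMPLE_SET, SAMPLE_CLEAR)` is true, but the same check against a clear header that lacks `Domain=` is false, reproducing the "sign out only seems to clear some cookies" symptom.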
Hi
Getting back to you about those signOut cookies and the cookieDomain. It all works.
With the latest version of Amplify the cookie clearing problem is gone.
We have a working solution.
Thanks again !
Nice! 🎉