Implicit flow and Hosted UI - URI is not being parsed properly after first time login #1281

Closed
jiristanglica opened this issue Jul 20, 2018 · 4 comments
Labels
Cognito Related to cognito issues

Comments

@jiristanglica

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

After a user is created and logs in for the first time using the temporary password, sets up the new password and fills in the required attributes, the user is redirected back to the app (to the redirect_uri). However, the uri is appended with some querystring, which causes the amplify library to fail to parse the uri to get the token information, which is located after the # sign in the uri. The only solution is to either manually remove the querystring or log in again using the Hosted UI.

  1. Use the Implicit flow grant with Cognito Hosted UI and a Javascript client app
  2. Create a user in the user pool
  3. Sign in for the first time as the user using Hosted UI - fill in a new password and required attributes
  4. Get redirected back to the Javascript app.
  5. The uri now looks like this:
http://example.com/authenticated/
?CognitoCloudFrontEndpoint=https%3A%2F%2Fd3oia8etllorh5.cloudfront.net
&CognitoCloudFrontVersion=20171117230139
&CustomerCloudFrontEndpoint=d3oia8etllorh5.cloudfront.net
&CustomerCloudFrontVersion=20180709110527
#id_token=eyJraWQiO...Z8BGuw
&access_token=eyJraWQ...ESskdA
&expires_in=3600
&token_type=Bearer

The CognitoCloudFrontEndpoint and CognitoCloudFrontVersion and others are added extra as opposed to the scenario when you already have a valid user and just log in. If you log in again, the uri looks like this:

http://example.com/authenticated/
#id_token=eyJraWQ...c9E6v_A
&access_token=eyJraWQ...UhEBQ
&expires_in=3600
&token_type=Bearer

Notice that there is no querystring (anything that would begin with the ? sign).

Now the failing part of the code is in the file Auth.ts:176, where the uri check is performed. This then uses the amazon-cognito-auth-js module, more specifically the CognitoAuth.js:265 file and the linked method. That method checks the uri pattern and, when it finds the ? sign, assumes the authorization flow is Authorization code, which it is not, so it fails to parse the uri properly.

What is the expected behavior?

The uri gets properly parsed even though it contains some querystring. The code should not only check for the presence of the ? sign, but also other required parameters for the Authorization code grant flow.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

I'm using latest Chrome (Version 67.0.3396.99 (Official Build) (64-bit)) on Mac and latest Amplify version from npm (1.0.2).

PS: This is probably more of a bug in the amazon-cognito-auth-js module, but since I'm using Amplify, which uses the provided library as a dependency, I think the issue belongs here. If not, I'm happy to create one for the amazon-cognito-auth-js repo as well, so please let me know. Thank you!
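The parsing rule the reporter asks for above (decide the grant type from the parameters that are actually present, not from the mere presence of a `?`) can be shown with a small classifier. This is an added example, not code from Amplify or from amazon-cognito-auth-js; the `parseRedirect` function is hypothetical, the sample URIs are constructed from the shapes quoted in the report, and every token and code value is a placeholder. It relies only on Node's built-in WHATWG `URL` and `URLSearchParams`. It also goes a step beyond the report by checking the `state` parameter, so a redirect with a missing or different `state` is reported as an error rather than accepted.

```javascript
// Added example (not part of the Amplify or amazon-cognito-auth-js code base).
// Classifies a Cognito Hosted UI redirect by the parameters the URI carries,
// instead of treating any "?" in the URL as an Authorization code grant.
// All sample URIs are constructed; token and code values are placeholders.

// Shape of the first-login redirect from the report: extra query parameters
// in front of the implicit-flow fragment.
const FIRST_LOGIN_URI =
  "http://example.com/authenticated/" +
  "?CognitoCloudFrontEndpoint=https%3A%2F%2Fd3oia8etllorh5.cloudfront.net" +
  "&CognitoCloudFrontVersion=20171117230139" +
  "#id_token=ID_TOKEN_PLACEHOLDER&access_token=ACCESS_TOKEN_PLACEHOLDER" +
  "&expires_in=3600&token_type=Bearer";

// Shape of a normal implicit-flow redirect: fragment only, no query string.
const RELOGIN_URI =
  "http://example.com/authenticated/" +
  "#id_token=ID_TOKEN_PLACEHOLDER&access_token=ACCESS_TOKEN_PLACEHOLDER" +
  "&expires_in=3600&token_type=Bearer";

// Shape of an Authorization code grant redirect (hypothetical code value).
const CODE_URI =
  "http://example.com/authenticated/?code=CODE_PLACEHOLDER&state=xyz";

// Returns { flow, params } where flow is "implicit", "code", "error" or
// "unknown". expectedState is optional; when given, a missing or different
// state value is reported as an error so the caller can reject the redirect.
function parseRedirect(uri, expectedState) {
  const url = new URL(uri);
  const query = url.searchParams;
  // url.hash keeps the leading "#"; drop it and parse the rest as key=value.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));

  // Error responses may arrive in either part depending on the grant type.
  const error = fragment.get("error") || query.get("error");
  if (error) {
    return {
      flow: "error",
      params: {
        error,
        error_description:
          fragment.get("error_description") || query.get("error_description"),
      },
    };
  }

  let result;
  if (fragment.has("id_token") || fragment.has("access_token")) {
    // Tokens in the fragment identify the implicit grant regardless of what
    // else happens to sit in the query string.
    result = {
      flow: "implicit",
      params: {
        id_token: fragment.get("id_token"),
        access_token: fragment.get("access_token"),
        expires_in: Number(fragment.get("expires_in")),
        token_type: fragment.get("token_type"),
        state: fragment.get("state"),
      },
    };
  } else if (query.has("code")) {
    // Only a "code" parameter, not a bare "?", marks the Authorization code grant.
    result = {
      flow: "code",
      params: { code: query.get("code"), state: query.get("state") },
    };
  } else {
    return { flow: "unknown", params: {} };
  }

  if (expectedState !== undefined && result.params.state !== expectedState) {
    return {
      flow: "error",
      params: {
        error: "state_mismatch",
        error_description: "state parameter missing or does not match",
      },
    };
  }
  return result;
}

// Stand-alone run: show how each constructed sample URI is classified.
for (const uri of [FIRST_LOGIN_URI, RELOGIN_URI, CODE_URI]) {
  console.log(parseRedirect(uri).flow, "<-", uri);
}
```

With this rule the first-login URI from the report, query string and all, is classified as implicit and its tokens are read from the fragment; a URI that has a query string but neither fragment tokens nor a `code` parameter is reported as unknown rather than mis-parsed as a code grant.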

@powerful23 powerful23 added the Cognito Related to cognito issues label Jul 20, 2018
@jiristanglica
Author

Okay, so I tried this again today, repeating the exact steps as on Friday when I posted this issue, and it works fine now. After redirection from the Hosted UI, the querystring is not there anymore, so the uri is parsed correctly. Have there been some adjustments made on the Cognito side?

@powerful23
Contributor

Closing this issue. Feel free to reopen if you still have this issue.

@undefobj
Contributor

Hello everyone, we have created an RFC for feature work that should make the challenges found in this issue easier in the future. If you have a moment please read through the details and add any comments: #2716

Your feedback in the RFC will help us ensure that we are delivering the best experience possible. Thank you.

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 13, 2021