The AWS Cognito Hosted UI page redirects to the following error page after signing up a new user. Everything works fine for login, but the response for sign-up is a 302 redirect to the /error page (shown below). The user actually gets signed up correctly in the Cognito User Pool, but I would like the redirect to my callback URL to work correctly, rather than displaying this error page.
I have confirmed that I have the correct flows and scopes selected (shown below)
Be sure you are using the correct domain name and client ID.
In our case this happens when you disable the automatic account verification.
After looking at the network errors, it seems it's a CloudFront error, and I can only imagine this happens because CloudFront just tries to redirect to a page (confirmation) that's not accessible (because we disabled it), hence the 400 (although a 404 would be better).
A workaround would be to edit CloudFront, but as it's managed by AWS, I am not sure if it's possible.
Two options:
either bypass the Hosted UI completely and implement the auth page yourself,
or enable automatic account verification.
You can go to MFA and Verifications and set the activation email. This error is due to the fact that something post account creation goes wrong. In my case it was the fact that the verification email wasn't set.
I am new to AWS Cognito. I have a requirement to manage users through AWS Cognito.
Users can sign themselves up
I am using hosted UI to achieve this.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html
Only admin can confirm user from AWS console.
User is getting created with Unconfirmed status (expected).
Everything works as expected, but at the time of sign-up, the Hosted UI responds with "An error was encountered with the requested page".
I don't want users to be auto-approved and hence am not invoking a pre sign-up Lambda.
Please find attached image error.
Is there any way I can display a custom message like "User is created, please contact admin for user confirmation"?
Thank you.
The issue is probably occurring because you chose Allow users to sign themselves up and did not choose any verification type - No verification.
Choose Only allow administrators to create users or any verification type to avoid this issue.
I am following this Cognito add social auth guide to add Google auth to one of my apps for testing. I completed all the steps as listed, but when I test it using this
https://<your_user_pool_domain>/login?response_type=code&client_id=<your_client_id>&redirect_uri=https://www.example.com , I am getting an error
Error 400: redirect_uri_mismatch
The redirect URI in the request, https://xxxx-xxxx.auth.ap-south-1.amazoncognito.com/oauth2/idpresponse, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit:
Initially the redirect URI and callback URL in the Cognito app client settings were different, but I changed those; I also tried changing my redirect URL to simply https://google.com, but it's still not working. I did some research on this and found out that it might take some time for the changes to be reflected in the Google OAuth settings; it's been 2 hrs since I changed them. Should I wait, or is there some other workaround for this?
Also, I set up Facebook login following the same doc, and it is working fine.
Please help!
In my experience this mismatch refers to the difference between your constructed URL and the setting in Cognito Pool. In the pool config, the redirect_uri is called Callback URL. Make sure those two have the same URL.
You can set it in Cognito UI here: App Integration > App Client Settings > Sign in and sign out URLs > Callback URL(s)
or you can specify the URL(s) in your code if you are using CDK.
import * as cognito from 'aws-cdk-lib/aws-cognito';

// The app client must be attached to a user pool; callbackUrls is the
// "Callback URL(s)" setting that redirect_uri has to match exactly.
const userPool = new cognito.UserPool(this, 'UserPool');
new cognito.UserPoolClient(this, 'UserPoolClient', {
  userPool,
  oAuth: {
    callbackUrls: ['https://www.example.com', '<url2>'],
  },
  // ...
});
Finally I got the solution: the redirect URL in the Google auth credentials needs to be your **domainName+/oauth2/idpresponse**.
It has something to do with your URI, whether in Google Cloud or Cognito; double check that the URI entered is a match.
I am having trouble logging out of my IdentityServer under Google login. I can log in through Google (external) with no issues, but the logout never worked. After clicking on "Logout" I always get a message that says "you are now logged out". But when I try to log back in again, I always get right in after clicking on the Google button. My Chrome Dev Tools show that a cookie associated with my Google login is left in there regardless of whether I click on logout.
And if I clear the cookie via Chrome, I will be able to get to the Google login page.
In trying to delete the cookie in my program when logging out, I tried the following code from the AccountController's Logout function. I watched the code get executed in debug mode, but it doesn't make any difference - the cookie is still there after the code gets executed and I still get right in.
Could anyone tell me what I am missing here? Or is it just impossible to delete a cookie from code?
To do an upstream signout the IDP (Google) would have to support the RP-initiated logout spec:
https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
However Google's discovery endpoint (https://accounts.google.com/.well-known/openid-configuration) does not advertise an end_session_endpoint so from that we'd have to conclude that it is not supported by Google.
However, you may be able to use prompt=login or max_age={number of seconds} in your authorization_endpoint request to force interactive authentication again. When you receive the id_token in the callback you can validate that the auth_time claim falls within whatever condition you decide. The end result is that you can insist that users interactively authenticate each time you do a round trip to Google. If auth_time is too far in the past you'd prevent the local session from being established.
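The auth_time check described in that answer, as an added example that is not part of the original post: after the relying party has already verified the id_token signature, it decodes the payload and refuses to establish a local session unless auth_time is present, not in the future, and no older than the max_age it requested. It assumes Node.js; the token is constructed and unsigned, and the issuer, subject and signature values are placeholders.

```javascript
// Added example: enforce max_age on the RP side by checking the auth_time claim.
// Signature verification is assumed to have happened before getClaims() is called.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed sample: a token shaped like an id_token (header.payload.signature)
// with a placeholder signature, so the example runs offline.
function makeSampleIdToken(authTime) {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  const payload = base64UrlEncode({
    iss: 'https://accounts.google.com',   // placeholder issuer
    sub: 'constructed-subject',           // placeholder subject
    auth_time: authTime,
  });
  return `${header}.${payload}.SIGNATURE_PLACEHOLDER`;
}

// Decodes the payload only; it does not (and must not be used to) verify the token.
function getClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('expected a three-part JWS compact token');
  return base64UrlDecode(parts[1]);
}

// True only if auth_time exists, is not in the future beyond a small clock-skew
// allowance, and is no older than maxAgeSeconds relative to nowSeconds.
function authTimeIsFresh(claims, maxAgeSeconds,
                         nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  if (!Number.isInteger(claims.auth_time)) return false;   // absent: fail closed
  if (claims.auth_time > nowSeconds + skewSeconds) return false;
  return nowSeconds - claims.auth_time <= maxAgeSeconds;
}

// Decision point in the callback: establish the local session or not.
function shouldEstablishLocalSession(idToken, maxAgeSeconds, nowSeconds) {
  return authTimeIsFresh(getClaims(idToken), maxAgeSeconds, nowSeconds);
}
```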
I went quickly through setting up a custom page on AWS Cognito.
However when I go to the corresponding website:
https://**<custom-domain>**.auth.us-east-1.amazoncognito.com/
I get a blank page.
Found the answer at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-ux.html
You can view the hosted UI with your customizations by constructing the following URL, with the specifics for your user pool, and typing it into a browser:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
You may have to wait up to one minute to refresh your browser before changes made in the console appear.
Note that redirect_uri needs to be escaped; e.g. / -> %2
P.S. the next error that you encounter might be: invalid_request error on AWS Cognito Custom UI Page
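The two points the answers above make, that redirect_uri must match the app client's Callback URL(s) exactly and that it must be percent-encoded in the Hosted UI /login URL, as one added example that is not code from either answer or from AWS. It assumes Node.js; the domain, client id and callback list are constructed placeholders.

```javascript
// Added example: build the Hosted UI login URL with an encoded redirect_uri, and
// diagnose a URL that was already sent to the browser. Placeholders throughout.

// Cognito compares redirect_uri to the configured Callback URL(s) byte for byte
// (a trailing slash or http vs https is a mismatch), so nothing is normalized here.
function buildHostedUiLoginUrl({ domain, clientId, redirectUri, callbackUrls }) {
  if (!callbackUrls.includes(redirectUri)) {
    throw new Error(`redirect_uri ${redirectUri} is not one of the configured Callback URL(s)`);
  }
  const url = new URL(`https://${domain}/login`);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri); // "/" becomes %2F, ":" becomes %3A
  return url.toString();
}

// Given a login URL the browser was sent to, return the decoded redirect_uri and
// whether it matches one of the Callback URL(s); useful when debugging the mismatch.
function diagnoseLoginUrl(loginUrl, callbackUrls) {
  const redirectUri = new URL(loginUrl).searchParams.get('redirect_uri');
  return {
    redirectUri,
    matches: redirectUri !== null && callbackUrls.includes(redirectUri),
  };
}

// Constructed sample values (placeholders, not a real pool or client).
const SAMPLE = {
  domain: 'example-domain.auth.us-east-1.amazoncognito.com',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  callbackUrls: ['https://www.example.com/callback'],
};
```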
I'm writing an Amazon Skill that I want hooked up with a google account via oauth2. In my edit skill page, I configured it with my client id, an authorization url and token url from the oauth playground, and made it an authoritative grant with my secret and authentication scheme of "http basic", which is recommended.
I tested my client id/secret in the oauth playground and it works as I expect it to, but when I go to sign in on the Alexa App, I get a "missing redirect_uri" error. Looking at the link in the popup, it looks like the following:
https://accounts.google.com/o/oauth2/auth?client_id=custom_client_id&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
Why is it missing the redirect_uri parameter? I can't change it on the skills page, it's set, and I added it to my valid redirect_uri lists on the google console. Anyone else seen this issue before?
An easier version of what jking31cs is saying is to include ?redirect_uri=... in your base URL. So if you provide them Oath.com/auth as your authorization URL, instead try Oath.com/auth?redirect_uri=
The redirect URI is constant, so this is a good fix until Amazon bothers fixing this. It's only an issue on custom skills.
They've fixed the issue with an update to the Alexa App :D