I went quickly through setting up a custom page on AWS Cognito.
However, when I go to the corresponding website:
https://<custom-domain>.auth.us-east-1.amazoncognito.com/
I get a blank page.
Found the answer at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-ux.html
You can view the hosted UI with your customizations by constructing the following URL, with the specifics for your user pool, and typing it into a browser:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
You may have to wait up to one minute to refresh your browser before changes made in the console appear.
Note that redirect_uri needs to be escaped; e.g. / -> %2
P.S. The next error that you encounter might be: invalid_request error on AWS Cognito Custom UI Page
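The URL shape quoted from the AWS documentation above can be built and checked programmatically, which also shows what the bare domain root from the question is missing. This is an added example, not code from the post or from AWS; the domain, client id and callback URL are constructed placeholders, and the check only covers the `/login` form quoted above.

```javascript
const REQUIRED_PARAMS = ["response_type", "client_id", "redirect_uri"];

// Build the hosted UI login URL. URLSearchParams percent-encodes the
// reserved characters in redirect_uri (":" becomes %3A, "/" becomes %2F).
function buildHostedUiLoginUrl(domain, clientId, redirectUri) {
  const url = new URL(`https://${domain}/login`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
  }).toString();
  return url.toString();
}

// Report what a candidate URL lacks compared with the documented form.
function checkHostedUiUrl(candidate) {
  const url = new URL(candidate);
  const problems = [];
  if (url.pathname !== "/login") {
    problems.push(`path is "${url.pathname}", expected "/login"`);
  }
  for (const name of REQUIRED_PARAMS) {
    if (!url.searchParams.get(name)) {
      problems.push(`missing query parameter ${name}`);
    }
  }
  const redirect = url.searchParams.get("redirect_uri");
  if (redirect) {
    try {
      new URL(redirect); // searchParams.get() has already decoded the value
    } catch {
      problems.push("redirect_uri is not an absolute URL after decoding");
    }
  }
  return problems;
}

// Constructed sample values.
const SAMPLE_DOMAIN = "example-pool.auth.us-east-1.amazoncognito.com";
const loginUrl = buildHostedUiLoginUrl(
  SAMPLE_DOMAIN, "EXAMPLECLIENTID", "https://app.example.com/callback");
console.log(loginUrl);
console.log(checkHostedUiUrl(`https://${SAMPLE_DOMAIN}/`));
```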
We are experiencing some strange behaviour on a landing page - tracking cookies that were set when user gave consent, are later being rejected when user refreshes the page (!?).
Steps:
(in Firefox / Firefox Dev Edition - because the warning is not visible in e.g. Chrome)
=> [url-removed]
=> "Accept all". At this stage you can see a "_mkto_trk" (Marketo Tracking) cookie via dev tools.
=> Go to the console tab in web dev tools and refresh the page.
Now you should be able to see a warning in the console log saying:
Cookie “_mkto_trk” has been rejected for invalid domain.
You can also see that the previously set _mkto_trk cookie is no longer set.
Expected Results
The expected result is for the cookie to persist after the page refreshes.
Regarding the warning
In the MDN Web Docs it says that:
The invalid cookie domain error is a WebDriver error that occurs when
an illegal attempt was made to set a cookie under a different domain
than that of the current document.
https://developer.mozilla.org/en-US/docs/Web/WebDriver/Errors/InvalidCookieDomain
The current document, the landing page in other words, is on a subdomain: blog.example.com
But the cookie is set at ".example.com" which should make it valid for subdomains as well.
What have I tried?
Well I have been looking for answers in order to better understand where the issue is coming from, without any success.
Any help would be much appreciated, and thanks in advance!
P.S. This is my first post, so any hints/tips as to how to make this post better, would also be welcome.
Update
The problem was because of our cookie-script vendor and their trigger for google tag manager - the 'CookieScriptAcceptAll' trigger was not firing.
The solution was to:
scan the page for cookies (via cookie-script.com dashboard) which will populate the cookies categories array with cookie categories
and use the 'CookieScriptCategory-targeting' trigger instead (changes made via google tag manager dashboard).
Note the solution from above is for cases where you use google tag manager to add tags to your site.
Link to cookie-script documentation for info on triggers:
https://support.cookie-script.com/article/20-custom-events
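The question's reasoning that a cookie scoped to ".example.com" should be valid on blog.example.com can be checked against the RFC 6265 domain-match rule, which decides whether a Domain attribute is acceptable for the current host. This is an added example, not code from the post, Marketo or cookie-script; the host names are constructed, and the public-suffix check that browsers also apply is left out.

```javascript
// RFC 6265 section 5.1.3 (domain-match) plus the Domain attribute handling
// from sections 5.2.3 and 5.3. Host names used here are constructed.

function canonical(name) {
  return name.trim().toLowerCase();
}

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True when `host` is the cookie domain itself or a subdomain of it.
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  return !isIpAddress(host) && host.endsWith("." + cookieDomain);
}

// Decide what a user agent does with a Set-Cookie Domain attribute
// received while the document is on `documentHost`.
function evaluateCookieDomain(documentHost, domainAttribute) {
  const host = canonical(documentHost);
  if (domainAttribute === undefined || domainAttribute.trim() === "") {
    // No Domain attribute: host-only cookie, never sent to other hosts.
    return { accepted: true, scope: host, hostOnly: true };
  }
  // A leading dot is ignored, so ".example.com" and "example.com" are equal.
  const domain = canonical(domainAttribute).replace(/^\./, "");
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: `"${domain}" does not domain-match "${host}"` };
  }
  return { accepted: true, scope: domain, hostOnly: false };
}

// Constructed cases: [document host, Domain attribute].
const CASES = [
  ["blog.example.com", ".example.com"],     // parent domain: accepted
  ["blog.example.com", "shop.example.com"], // sibling subdomain: rejected
  ["blog.example.com", "example.net"],      // unrelated domain: rejected
  ["badexample.com", "example.com"],        // suffix without a dot: rejected
];
for (const [host, attr] of CASES) {
  console.log(host, attr, evaluateCookieDomain(host, attr));
}
```

Comparing the Domain value a tracking script actually tries to set (visible in the Storage and Network panels) against this rule shows whether the rejection comes from the value itself or from something else on the page.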
The AWS Cognito Hosted UI page redirects to the following error page after signing up a new user. Everything works fine for login, but the response for sign-up is a 302 redirect to the /error page (shown below). The user actually gets signed up correctly in the Cognito User Pool, but I would like the re-direct to my callback URL to work correctly, rather than displaying this error page.
I have confirmed that I have the correct flows and scopes selected (shown below)
Be sure you are using correct domain name and client id
In our case this happens when you disable the automatic account verification.
After looking at the network errors, it seems it's a cloudfront error and I can only imagine this happens because cloudfront just tries to redirect to a page (confirmation) that's not accessible (because we disabled it), hence the 400 (although a 404 would be better)
A workaround would be to edit the cloudfront, but as it's managed by aws, I am not sure if it's possible.
two options:
either bypass the hosted ui completely and implement the auth page by yourself
enable the automatic account verification
You can go to MFA and Verifications, and set the activation email. This error is due to the fact that something post account creation goes wrong. In my case it was the fact that verification email wasn't set.
I have a web-app built with the AWS Amplify framework. I rely on Cognito Hosted UI w/ identity federation for registration and login. In reviewing the registrations for my app, I noticed that it got 70+ registrations, but of these only 12 went on to create user profiles. I tested creating an account and signing in through each identity provider (Amazon, Google, Facebook) as well as through standard signup with an email and password. I never had any issues.
I started testing more heavily on mobile and eventually I started to encounter an error. I plugged my mobile device into my laptop, navigated to chrome://inspect and checked the network tab and JS console. Only when my chosen identity provider required an OTP code, I noted that I was getting invalid_request and invalid_grant errors after I input the code and continued with sign-in, even though registration seemed to work (I say registration seemed to work because I received AWS credentials in the initial response and amplify-signin-with-hostedUI was set to true in localStorage. Also, when I open the AWS Console and go to Cognito, I can see that I've been added as a user in my User_Pool).
If I refresh the browser at this point, it seems a new request is sent off to /token, but it comes back with a 400 error with the invalid_grant message.
I kept poking around and eventually found something interesting. There are three tabs involved in the login process, and I think this is somehow messing things up. On mobile, when I try to register or login with the Cognito Hosted UI, I am first met with the Federated Identity Provider buttons and email/password page.
First I got to my website (Tab One). Then I click sign-up and the Hosted UI page pops up (Tab Two). I select one of the login methods (Amazon, Google, Facebook, or Email/Password). If the selected method requires no OTP, I'm golden. I'm redirected to my web app and the app works fine. If my selected method requires an OTP, a new tab opens (Tab 3) which asks for the token. At this point, I can see in Chrome devtools that an error occurs on this tab (Tab 3).
After plugging in the OTP code and clicking sign-in, I'm redirected, as expected, back to my web-app, but this redirect occurs in the original tab (Tab One), however with a query string added to the URL (/?code=). If I click the view tabs button, I see that the Hosted UI tab (Tab Two) is still open and still has the Cognito Hosted UI buttons/username+password page open. Not sure if that's important.
Now on Tab One with my web app, I don't immediately see any errors in Chrome devtools. But I can see that my app is unable to load. If I wait, it just loads and loads forever. If I refresh the page, then at this point I see a new request to /token fire off in the Network Tab of Chrome DevTools and it comes back with the 400 error invalid_grant response.
Has anyone else encountered this issue or found a resolution?
Thanks in advance!
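One situation that produces the 400 invalid_grant described above on refresh: an OAuth 2.0 authorization code can be redeemed only once (RFC 6749 section 4.1.2), so a reload of a page that still carries `?code=` sends a code the token endpoint has already consumed. This is an added example, not code from the post, Amplify or Cognito; `FakeTokenEndpoint` is a hypothetical in-memory stand-in and all values are constructed. It does not address the multi-tab behaviour in the post.

```javascript
// Hypothetical in-memory stand-in for a token endpoint with single-use codes.
class FakeTokenEndpoint {
  constructor() {
    this.codes = new Map();
  }
  issueCode(clientId) {
    const code = `code-${this.codes.size + 1}`;
    this.codes.set(code, { clientId, used: false });
    return code;
  }
  // Unknown, mismatched or already redeemed codes all get invalid_grant.
  exchange(code, clientId) {
    const entry = this.codes.get(code);
    if (!entry || entry.clientId !== clientId || entry.used) {
      return { status: 400, body: { error: "invalid_grant" } };
    }
    entry.used = true;
    return { status: 200, body: { access_token: "constructed-token", token_type: "Bearer" } };
  }
}

// Callback handling: redeem the code once, then return the URL with the
// code and state removed so a reload cannot replay them. In a browser the
// cleaned URL would be applied with history.replaceState(null, "", cleanedHref).
function handleCallback(endpoint, clientId, locationHref) {
  const url = new URL(locationHref);
  const code = url.searchParams.get("code");
  if (!code) {
    return { result: null, cleanedHref: url.toString() };
  }
  const result = endpoint.exchange(code, clientId);
  url.searchParams.delete("code");
  url.searchParams.delete("state");
  return { result, cleanedHref: url.toString() };
}

// Constructed walk-through: first load, reload of the same URL, reload of the cleaned URL.
function demo() {
  const endpoint = new FakeTokenEndpoint();
  const href = `https://app.example.com/?code=${endpoint.issueCode("client-a")}&state=xyz`;
  const first = handleCallback(endpoint, "client-a", href);
  const replay = handleCallback(endpoint, "client-a", href);
  const clean = handleCallback(endpoint, "client-a", first.cleanedHref);
  return { first, replay, clean };
}
console.log(JSON.stringify(demo(), null, 2));
```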
So I am trying to request an authorization code from smartsheet using postman.
I created a new app on my smartsheet with the following url:
app url: https://localhost:3000/
redirect url: https://localhost:3000/callback
so I tried to use the
GET https://app.smartsheet.com/b/authorize
and input my client id, scope, response_type, and state in postman
the result says there is an error and it did not direct me to a page where I am able to allow authorization.
I am expecting something similar to what the website says (http://smartsheet-platform.github.io/api-docs/#access-levels). I am not sure which part I did was wrong, I am wrong home for this volunteer work hence I do not have an appropriate url. I don't know if it's my urls that are causing the problem or there's something else.
thank you guys in advance
If you are building out the Smartsheet OAuth flow you will need to have a hosted environment where you can have requests sent and be able to open a page in a browser to authenticate to the Smartsheet account and select the Allow button to confirm the access token should be created and returned to your application.
For development purposes you can use a service like ngrok to create a publicly available URL for your localhost which will allow you to send and receive the necessary data from Smartsheet in your development environment.
Authorization tokens cannot be generated from the API - you must do them from the website. From the API documentation:
Click the "Account" button in the upper-right corner of the Smartsheet screen, and then click "Personal Settings".
Click the "API Access" tab.
Click the "Generate new access token" button to obtain an access token.
After the user has logged in; I have security on page 1 (homepage) of an Apex application which prevents unauthorized users getting any further. Once the user has logged in, it goes away to an apex authorization group and checks whether their name is in the group. If it isn't, it says...you shall not pass.
However if an authorized user copies the web address of page 3 (view employee salaries), and gives it to an unauthorized user, they can use it, it redirects them to the login page, they log in, and they're in to that page!
To get round this as a temporary measure I set up each page to have the same authorization group as on page 1. This works but surely there must be a simpler way to manage this?
E.g. User enters the web address, it redirects them to the login page and once they are logged in it doesn't work as they are not part of the group?
I think I found a solution; there is something called 'Deep Linking' under the security tab in the Application's properties. I have now checked this to disabled and it always redirects the user back to the homepage.
The correct method is indeed to set up authorization schemes on objects that have to be screened off. In apex 4.2 however (I believe - don't think this was in 4.1) you can go to "application properties > security" and there is an "authorization" section there where you can set up a global authorization scheme.