Lookup idp based on user email #1325

tfreeman82 · 2024-06-06T16:26:56Z

tfreeman82
Jun 6, 2024

I asked this question on the amplify-android repo and it was suggested that I ask the question here too.

Is there any way to lookup which idp is needed for a user based on the domain of their email address without using the hosted web UI?

We currently use the hosted web UI with a field for the corporate id. The user enters their email in this field and, when they press the sign in button, their idp is found and they're redirected to it for final authentication.

We would like to adjust our existing native login screen to handle this same behavior but I've scoured the documentation and can't find any clear way to handle this. Is it possible at all and, if so, can you point me in the right direction?

I've tried getting an instance of the CognitoIdentityProviderClient from Amplify using
val cognitoAuthService = Amplify.Auth.getPlugin("awsCognitoAuthPlugin").escapeHatch as AWSCognitoAuthService val cognitoIdentityProviderClient = cognitoAuthService.cognitoIdentityProviderClient

It appears that the escape hatch provides a way to fetch a list of all idp's associated with our user pool but not a way to query for the idp that matches the domain of the users email.

I've been trying to figure out how the hosted web ui is able to handle this, which is what we currently use, but I haven't had any luck.

ianbotsf · 2024-06-06T21:47:50Z

ianbotsf
Jun 6, 2024
Maintainer

The developers of the AWS SDKs aren't necessarily experts on particular AWS services like Cognito but it appears the operations you're looking for are:

describeUserPoolDomain: Given an input domain it returns an object containing the associated user pool ID
listIdentityProviders: Given a user pool ID it returns the set of associated IdPs

So potentially something like:

suspend fun getIdentityProviders(userDomain: String): Flow<String> {
    // Lookup domain
    val domainResp = cognitoIdentityProviderClient.describeUserPoolDomain {
        domain = userDomain
    }

    // Get user pool ID    
    val domainUserPoolId = domainResp
        .domainDescription
        ?.userPoolId
        ?: error("User pool not found for $userDomain")
    
    // Get identity providers
    return cognitoIdentityProviderClient
        .listIdentityProvidersPaginated { userPoolId = domainUserPoolId }
        .providers
        .map { it.providerName }
}

6 replies

tfreeman82 Jun 11, 2024
Author

I've tried implementing your suggestion but I'm getting a crash.

    suspend fun getIdentityProviders(userDomain: String): Flow<String?> {
        val client= identityProviderClient()
        // Lookup domain
        val domainResp = client?.describeUserPoolDomain(DescribeUserPoolDomainRequest {
            domain = userDomain
        })

        // Get user pool ID
        val domainUserPoolId = domainResp
            ?.domainDescription
            ?.userPoolId
            ?: error("User pool not found for $userDomain")

        // Get identity providers
        return client
            .listIdentityProvidersPaginated { userPoolId = domainUserPoolId }
            .providers()
            .map { it.providerName }
    }

The code is failing on the initial domainResp and returning the following error...
aws.smithy.kotlin.runtime.identity.IdentityProviderException: No identity could be resolved from the chain: CredentialsProviderChain -> EnvironmentCredentialsProvider -> ProfileCredentialsProvider -> StsWebIdentityProvider -> EcsCredentialsProvider -> ImdsCredentialsProvider

lauzadis Jun 11, 2024
Maintainer

You will need to configure AWS credentials. I'm not sure how Amplify exposes credentials and if you can re-use those, but generally they are sourced from environment variables / an AWS config file. You might find reading through our Getting Started pages to be helpful.

tfreeman82 Jun 11, 2024
Author

We have a working version on iOS but our developer found a bug and raised the issue on that side of things. I've implemented the Kotlin equivalent and am getting the same error.

fun identityProviderClient() : CognitoIdentityProviderClient? {
       val cognitoAuthPlugin = Amplify.Auth.getPlugin("awsCognitoAuthPlugin") as AWSCognitoAuthPlugin
       val client = cognitoAuthPlugin.escapeHatch.cognitoIdentityProviderClient
       return client
   }

  suspend fun getIdentityProviderByIdentifier(userPoolId: String, providerName: String) {
        // Initialize the Cognito Identity Provider client
        val cognitoClient = identityProviderClient()

        try {
            // Create the request input
            val request = GetIdentityProviderByIdentifierRequest {
                this.userPoolId = userPoolId
                this.idpIdentifier = providerName
            }

            // Get the identity provider details
            val response: GetIdentityProviderByIdentifierResponse? = cognitoClient?.getIdentityProviderByIdentifier(request)
            println("Identity Provider Details: ${response?.identityProvider}")
        } catch (e: Exception) {
            println("Failed to get identity provider details: ${e.message}")
        } finally {
            // Close the client
            cognitoClient?.close()
        }
    }

I'm reaching the catch block with the error

Failed to get identity provider details: No identity could be resolved from the chain: CredentialsProviderChain -> EnvironmentCredentialsProvider -> ProfileCredentialsProvider -> StsWebIdentityProvider -> EcsCredentialsProvider -> ImdsCredentialsProvider

Is it possible that this SDK could have the same bug as the Swift SDK? You can find that bug report at aws-amplify/amplify-swift#3743 (comment) if it might help.

lauzadis Jun 11, 2024
Maintainer

That error is telling you that the client was not able to find any AWS credentials after checking with those providers. This is not a problem with the AWS SDK for Kotlin. It might be a problem with the amplify-android project's use of the SDK, I would recommend reaching out to them for more help.

tfreeman82 Jun 11, 2024
Author

Thank you! Here's the entire stack trace in case that helps. I'll reach out to the amplify-android team and see if they can help.

aws.smithy.kotlin.runtime.identity.IdentityProviderException: No identity could be resolved from the chain: CredentialsProviderChain -> EnvironmentCredentialsProvider -> ProfileCredentialsProvider -> StsWebIdentityProvider -> EcsCredentialsProvider -> ImdsCredentialsProvider
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$2$chainException$1.invoke(IdentityProviderChain.kt:37)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$2$chainException$1.invoke(IdentityProviderChain.kt:37)
                                                                                                    	at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invokeSuspend(CoroutineContextTraceExt.kt:139)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invoke(Unknown Source:8)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invoke(Unknown Source:4)
                                                                                                    	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:78)
                                                                                                    	at kotlinx.coroutines.BuildersKt__Builders_commonKt.withContext(Builders.common.kt:167)
                                                                                                    	at kotlinx.coroutines.BuildersKt.withContext(Unknown Source:1)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain.resolve$suspendImpl(IdentityProviderChain.kt:93)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProviderChain.resolve(Unknown Source:0)
                                                                                                    	at aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderChain.resolve(CredentialsProviderChain.kt:22)
                                                                                                    	at aws.smithy.kotlin.runtime.identity.IdentityProvider$DefaultImpls.resolve$default(IdentityProvider.kt:22)
                                                                                                    	at aws.smithy.kotlin.runtime.auth.awscredentials.CachedCredentialsProvider$resolve$3.invokeSuspend(CachedCredentialsProvider.kt:63)
                                                                                                    	at aws.smithy.kotlin.runtime.auth.awscredentials.CachedCredentialsProvider$resolve$3.invoke(Unknown Source:8)
                                                                                                    	at aws.smithy.kotlin.runtime.auth.awscredentials.CachedCredentialsProvider$resolve$3.invoke(Unknown Source:2)
                                                                                                    	at aws.smithy.kotlin.runtime.util.CachedValue.getOrLoad(CachedValue.kt:80)
                                                                                                    	at aws.smithy.kotlin.runtime.auth.awscredentials.CachedCredentialsProvider.resolve(CachedCredentialsProvider.kt:61)
                                                                                                    	at aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider.resolve(DefaultChainCredentialsProvider.kt:73)
                                                                                                    	at aws.sdk.kotlin.runtime.auth.credentials.internal.ManagedCredentialsProvider.resolve(Unknown Source:2)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.AuthHandler.call(SdkOperationExecution.kt:281)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.AuthHandler.call(SdkOperationExecution.kt:259)
                                                                                                    	at aws.sdk.kotlin.runtime.http.middleware.AwsRetryHeaderMiddleware.handle(AwsRetryHeaderMiddleware.kt:39)
                                                                                                    	at aws.sdk.kotlin.runtime.http.middleware.AwsRetryHeaderMiddleware.handle(AwsRetryHeaderMiddleware.kt:26)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.Phase.handle(Phase.kt:67)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware.tryAttempt-BWLJW6A(RetryMiddleware.kt:78)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware.access$tryAttempt-BWLJW6A(RetryMiddleware.kt:31)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1$invokeSuspend$$inlined$withSpan$default$1.invokeSuspend(CoroutineContextTraceExt.kt:136)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1$invokeSuspend$$inlined$withSpan$default$1.invoke(Unknown Source:8)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1$invokeSuspend$$inlined$withSpan$default$1.invoke(Unknown Source:4)
                                                                                                    	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:78)
2024-06-11 16:56:16.559  7221-7221  AndroidRuntime          com.playmaker.spark                  E  	at kotlinx.coroutines.BuildersKt__Builders_commonKt.withContext(Builders.common.kt:167)
                                                                                                    	at kotlinx.coroutines.BuildersKt.withContext(Unknown Source:1)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1.invokeSuspend(RetryMiddleware.kt:134)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1.invoke(Unknown Source:8)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware$handle$result$outcome$1.invoke(Unknown Source:2)
                                                                                                    	at aws.smithy.kotlin.runtime.retries.StandardRetryStrategy.doTryLoop(StandardRetryStrategy.kt:60)
                                                                                                    	at aws.smithy.kotlin.runtime.retries.StandardRetryStrategy.retry$suspendImpl(StandardRetryStrategy.kt:40)
                                                                                                    	at aws.smithy.kotlin.runtime.retries.StandardRetryStrategy.retry(Unknown Source:0)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware.handle(RetryMiddleware.kt:46)
                                                                                                    	at aws.smithy.kotlin.runtime.http.middleware.RetryMiddleware.handle(RetryMiddleware.kt:31)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.MutateHandler.call(SdkOperationExecution.kt:256)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.MutateHandler.call(SdkOperationExecution.kt:253)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.ModifyRequestMiddleware.handle(ModifyRequest.kt:26)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.ModifyRequestMiddleware.handle(ModifyRequest.kt:26)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.ModifyRequestMiddleware.handle(ModifyRequest.kt:26)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.Phase.handle(Phase.kt:67)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SerializeHandler.call(SdkOperationExecution.kt:249)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SerializeHandler.call(SdkOperationExecution.kt:231)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.InitializeHandler.call(SdkOperationExecution.kt:228)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.Phase.handle(Phase.kt:63)
                                                                                                    	at aws.smithy.kotlin.runtime.io.middleware.DecoratedHandler.call(Middleware.kt:44)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.OperationHandler.call(SdkOperationExecution.kt:208)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.OperationHandler.call(SdkOperationExecution.kt:200)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SdkHttpOperationKt$execute$$inlined$withSpan$1.invokeSuspend(CoroutineContextTraceExt.kt:126)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SdkHttpOperationKt$execute$$inlined$withSpan$1.invoke(Unknown Source:8)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SdkHttpOperationKt$execute$$inlined$withSpan$1.invoke(Unknown Source:4)
                                                                                                    	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:78)
                                                                                                    	at kotlinx.coroutines.BuildersKt__Builders_commonKt.withContext(Builders.common.kt:167)
                                                                                                    	at kotlinx.coroutines.BuildersKt.withContext(Unknown Source:1)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SdkHttpOperationKt.execute(SdkHttpOperation.kt:157)
                                                                                                    	at aws.smithy.kotlin.runtime.http.operation.SdkHttpOperationKt.roundTrip(SdkHttpOperation.kt:84)
                                                                                                    	at aws.sdk.kotlin.services.cognitoidentityprovider.DefaultCognitoIdentityProviderClient.listUsers(DefaultCognitoIdentityProviderClient.kt:2776)
                                                                                                    	at com.playmaker.spark.ui.login.helpers.CognitoController.listAllUsers(CognitoController.kt:299)
                                                                                                    	at com.playmaker.spark.ui.login.helpers.CognitoController.presentSignInWebUI(CognitoController.kt:270)
                                                                                                    	at com.playmaker.spark.ui.login.helpers.CognitoController.signInWithWebUIFederation(CognitoController.kt:263)
                                                                                                    	at com.playmaker.spark.ui.login.LoginDialogFragment$onCreateDialog$1$11$1.invokeSuspend(LoginDialogFragment.kt:145)
2024-06-11 16:56:16.562  7221-7221  AndroidRuntime          com.playmaker.spark                  E  	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    	at kotlinx.coroutines.internal.DispatchedContinuationKt.resumeCancellableWith(DispatchedContinuation.kt:367)
                                                                                                    	at kotlinx.coroutines.intrinsics.CancellableKt.startCoroutineCancellable(Cancellable.kt:30)
                                                                                                    	at kotlinx.coroutines.intrinsics.CancellableKt.startCoroutineCancellable$default(Cancellable.kt:25)
                                                                                                    	at kotlinx.coroutines.CoroutineStart.invoke(CoroutineStart.kt:110)
                                                                                                    	at kotlinx.coroutines.AbstractCoroutine.start(AbstractCoroutine.kt:126)
                                                                                                    	at kotlinx.coroutines.BuildersKt__Builders_commonKt.launch(Builders.common.kt:56)
                                                                                                    	at kotlinx.coroutines.BuildersKt.launch(Unknown Source:1)
                                                                                                    	at kotlinx.coroutines.BuildersKt__Builders_commonKt.launch$default(Builders.common.kt:47)
                                                                                                    	at kotlinx.coroutines.BuildersKt.launch$default(Unknown Source:1)
                                                                                                    	at com.playmaker.spark.ui.login.LoginDialogFragment.onCreateDialog$lambda$11$lambda$7(LoginDialogFragment.kt:144)
                                                                                                    	at com.playmaker.spark.ui.login.LoginDialogFragment.$r8$lambda$vteJZhE3lAkBK9UU6BKmi1cg3ls(Unknown Source:0)
                                                                                                    	at com.playmaker.spark.ui.login.LoginDialogFragment$$ExternalSyntheticLambda10.onClick(Unknown Source:2)
                                                                                                    	at android.view.View.performClick(View.java:7659)
                                                                                                    	at android.view.View.performClickInternal(View.java:7636)
                                                                                                    	at android.view.View.-$$Nest$mperformClickInternal(Unknown Source:0)
                                                                                                    	at android.view.View$PerformClick.run(View.java:30156)
                                                                                                    	at android.os.Handler.handleCallback(Handler.java:958)
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:99)
                                                                                                    	at android.os.Looper.loopOnce(Looper.java:205)
                                                                                                    	at android.os.Looper.loop(Looper.java:294)
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:8177)
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method)
                                                                                                    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:552)
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:971)
                                                                                                    	Suppressed: aws.sdk.kotlin.runtime.auth.credentials.ProviderConfigurationException: Missing value for environment variable `AWS_ACCESS_KEY_ID`
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.EnvironmentCredentialsProvider.requireEnv(EnvironmentCredentialsProvider.kt:30)
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.EnvironmentCredentialsProvider.resolve(EnvironmentCredentialsProvider.kt:37)
                                                                                                    		at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invokeSuspend(CoroutineContextTraceExt.kt:136)
                                                                                                    		... 95 more
                                                                                                    	Suppressed: aws.sdk.kotlin.runtime.auth.credentials.ProviderConfigurationException: could not find source profile default
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.profile.ProfileChain$Companion.resolve$aws_config(ProfileChain.kt:321)
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.ProfileCredentialsProvider.resolve(ProfileCredentialsProvider.kt:101)
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.ProfileCredentialsProvider$resolve$1.invokeSuspend(Unknown Source:15)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
                                                                                                    		... 8 more
                                                                                                    	Suppressed: aws.sdk.kotlin.runtime.auth.credentials.ProviderConfigurationException: Required field `roleArn` could not be automatically inferred for StsWebIdentityCredentialsProvider. Either explicitly pass a value, set the environment variable `AWS_ROLE_ARN`, or set the JVM system property `aws.roleArn`
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.StsWebIdentityCredentialsProvider$Companion.fromEnvironment-TUY-ock(StsWebIdentityCredentialsProvider.kt:131)
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.StsWebIdentityCredentialsProvider$Companion.fromEnvironment-TUY-ock$default(StsWebIdentityCredentialsProvider.kt:60)
2024-06-11 16:56:16.566  7221-7221  AndroidRuntime          com.playmaker.spark                  E  		at aws.sdk.kotlin.runtime.auth.credentials.StsWebIdentityProvider.resolve(DefaultChainCredentialsProvider.kt:92)
                                                                                                    		at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invokeSuspend(CoroutineContextTraceExt.kt:136)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
                                                                                                    		... 8 more
                                                                                                    	Suppressed: aws.sdk.kotlin.runtime.auth.credentials.ProviderConfigurationException: Container credentials URI not set
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.EcsCredentialsProvider.resolve(EcsCredentialsProvider.kt:80)
                                                                                                    		at aws.smithy.kotlin.runtime.identity.IdentityProviderChain$resolve$suspendImpl$$inlined$withSpan$default$1.invokeSuspend(CoroutineContextTraceExt.kt:136)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
                                                                                                    		... 8 more
                                                                                                    	Suppressed: aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderException: failed to load instance profile
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.ImdsCredentialsProvider.resolve(ImdsCredentialsProvider.kt:84)
                                                                                                    		at aws.sdk.kotlin.runtime.auth.credentials.ImdsCredentialsProvider$resolve$1.invokeSuspend(Unknown Source:15)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
                                                                                                    		at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
                                                                                                    		... 8 more
                                                                                                    	Caused by: aws.smithy.kotlin.runtime.http.HttpException: java.net.UnknownServiceException: CLEARTEXT communication to 169.254.169.254 not permitted by network security policy
                                                                                                    		at aws.smithy.kotlin.runtime.http.engine.okhttp.OkHttpEngine.roundTrip(OkHttpEngine.kt:158)
                                                                                                    		at aws.smithy.kotlin.runtime.http.engine.okhttp.OkHttpEngine$roundTrip$1.invokeSuspend(Unknown Source:15)
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102) 
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46) 
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270) 
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102) 
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46) 
                                                                                                    		at kotlinx.coroutines.UndispatchedCoroutine.afterResume(CoroutineContext.kt:270) 
                                                                                                    		at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:102) 
                                                                                                    		at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46) 
                                                                                                    		at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106) 
                                                                                                    	Caused by: java.net.UnknownServiceException: CLEARTEXT communication to 169.254.169.254 not permitted by network security policy
                                                                                                    		at okhttp3.internal.connection.RealRoutePlanner.planConnectToRoute$okhttp(RealRoutePlanner.kt:195)
                                                                                                    		at okhttp3.internal.connection.RealRoutePlanner.planConnect(RealRoutePlanner.kt:152)
                                                                                                    		at okhttp3.internal.connection.RealRoutePlanner.plan(RealRoutePlanner.kt:67)
                                                                                                    		at okhttp3.internal.connection.FastFallbackExchangeFinder.launchTcpConnect(FastFallbackExchangeFinder.kt:118)
                                                                                                    		at okhttp3.internal.connection.FastFallbackExchangeFinder.find(FastFallbackExchangeFinder.kt:62)
                                                                                                    		at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:267)

tylerjroach · 2024-06-13T15:45:46Z

tylerjroach
Jun 13, 2024

Hi all, I'm on Amplify Android team. I think the core of the issue here, regardless of credential provider used, is that an attempted call is being made to 169.254.169.254 over http instead of https and cleartext traffic is not allowed.

While attempting to replicate the customer issue, I noticed that I could not bypass this issue by setting a custom network security config on the device. This may be a configuration in the OkHttp client created by the AWS Kotlin SDK.

SDK team, can you provide guidance on how to pass a custom OkHttp Client that would allow clear text traffic just to see what other credential issues we need to work against.

I'm not entirely sure what authorization level is required to access https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolDomain.html. While you may not be able to use the default CognitoIdentityProviderClient from the escape hatch, it is relatively easy to build your own one directly from the Kotlin SDK, which allows passing your own custom credentials provider.

8 replies

tylerjroach Jun 13, 2024

@tfreeman82 I had originally made a mistake in having multiple devices launched and in my testing, didn't realize I was testing on the wrong device.

You can create your own client and auth provider with code like this:

// import com.amplifyframework.auth.convertToSdkCredentialsProvider
val customCredentialsProvider = convertToSdkCredentialsProvider(
    object : AWSCredentialsProvider<AWSTemporaryCredentials> {
        override fun fetchAWSCredentials(
            onSuccess: Consumer<AWSTemporaryCredentials>,
            onError: Consumer<AuthException>
        ) {
            Amplify.Auth.fetchAuthSession(
                {
                    val result = (it as? AWSCognitoAuthSession)?.awsCredentialsResult
                    (result?.value as? AWSTemporaryCredentials)?.let { credentials ->
                        onSuccess.accept(credentials)
                    } ?: onError.accept(result?.error ?: UnknownException())
                },
                {
                    onError.accept(it)
                }
            )
        }
    }
)


val client = CognitoIdentityProviderClient {
    region = "us-east-1" // would be best to parse this from amplifyconfiguration if this value ever changes
    this.credentialsProvider = customCredentialsProvider
}

This code then presented me with this error:

aws.sdk.kotlin.services.cognitoidentityprovider.model.CognitoIdentityProviderException: User: arn:aws:sts::xxx:assumed-role/xxx-authRole/CognitoIdentityCredentials is not authorized to perform: cognito-idp:DescribeUserPoolDomain on resource: * because no identity-based policy allows the cognito-idp:DescribeUserPoolDomain action

This indicates that my signed in user does not have the proper role to perform this request. You may need to evaluate what type of credentials are necessary for making this request and how to provide them (ex: custom endpoint).

tfreeman82 Jun 13, 2024
Author

I think I follow but I'm confused as to why it would be working with amplify-swift on iOS using the exact same logic that I added above. Is it possible that there's that big of a difference between dependencies?

tfreeman82 Jun 13, 2024
Author

Ok, I added the provided logic into my method that returns the identity provider client and got a network on main exception on my finally block where I call cognitoClient?.close.

Once I comment that out, it works perfectly! Do I need to close the client and, if so, any thoughts on why I would be getting that exception when these are all in suspend functions run from a coroutine?

suspend fun getIdentityProviderByIdentifier(userPoolId: String, providerName: String) {
        // Initialize the Cognito Identity Provider client
        val cognitoClient = identityProviderClient()

        try {
            // Create the request input
            val request = GetIdentityProviderByIdentifierRequest {
                this.userPoolId = userPoolId
                this.idpIdentifier = providerName
            }

            // Get the identity provider details
            val response: GetIdentityProviderByIdentifierResponse? = cognitoClient?.getIdentityProviderByIdentifier(request)
            println("Identity Provider Details: ${response?.identityProvider}")
        } catch (e: Exception) {
            println("Failed to get identity provider details: ${e.message}")
        } finally {
            // Close the client
            //cognitoClient?.close() <------ HAD TO COMMENT OUT TO GET IT TO WORK
        }
    }

tylerjroach Jun 14, 2024

If you are going to be making this call often, I would suggest lifting the client out of the method so that you are only creating it once for multiple calls. You do not need to call close after each call. I would suggest calling close when you no longer need the client anymore just to clean up resources.

As far as networking on main thread, please make sure you are launching that method on Dispatchers.IO, not Dispatchers.Main. Android doesn't allow networking on the main thread, or blocking the main thread for any other reason.

tfreeman82 Jun 14, 2024
Author

I've wrapped my call to close the identity client in a withContext block on Displatchers.IO and it works perfectly!

I really appreciate all the assistance that you guys have provided me!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Lookup idp based on user email #1325

{{title}}

Replies: 2 comments 14 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Lookup idp based on user email #1325

tfreeman82 Jun 6, 2024

Replies: 2 comments · 14 replies

ianbotsf Jun 6, 2024 Maintainer

tfreeman82 Jun 11, 2024 Author

lauzadis Jun 11, 2024 Maintainer

tfreeman82 Jun 11, 2024 Author

lauzadis Jun 11, 2024 Maintainer

tfreeman82 Jun 11, 2024 Author

tylerjroach Jun 13, 2024

tylerjroach Jun 13, 2024

tfreeman82 Jun 13, 2024 Author

tfreeman82 Jun 13, 2024 Author

tylerjroach Jun 14, 2024

tfreeman82 Jun 14, 2024 Author

tfreeman82
Jun 6, 2024

Replies: 2 comments 14 replies

ianbotsf
Jun 6, 2024
Maintainer

tfreeman82 Jun 11, 2024
Author

lauzadis Jun 11, 2024
Maintainer

tfreeman82 Jun 11, 2024
Author

lauzadis Jun 11, 2024
Maintainer

tfreeman82 Jun 11, 2024
Author

tylerjroach
Jun 13, 2024

tfreeman82 Jun 13, 2024
Author

tfreeman82 Jun 13, 2024
Author

tfreeman82 Jun 14, 2024
Author