Cognito Feedback #3495

Closed
davidgatti opened this issue Jun 20, 2019 · 83 comments
@davidgatti

From the issues created in this repo, the lack of responsiveness from the Cognito team, which keeps issues from being acknowledged, the state of the code for all the SDKs related to Cognito, the incoherent mess that these SDKs are in, and the private chats that I had with AWS Tech Support, I understand the problem that the Cognito service has.

There is nobody responsible for the Cognito project, which explains the state of Cognito.

To give you some perspective, when I mentioned some issues on GitHub for the Kinesis Video Stream services, within 1 day the manager for the project got in touch with me and called me to have a chat - and the complaint was marginal compared to what's happening with Cognito.

I see that there is no future for Cognito, and from now on, I'll start to transition my clients to a custom solution that I have control over, and what I build will just work.

I'm truly disappointed that nobody at AWS can be held accountable for Cognito, and there is no way for someone from the outside to point to the problem. The consequences of this are reflected in the product itself.

To sum it up, my feature request is this: I hope this level of incompetence won't spread to other AWS services.

@cliffordh

Can you elaborate what issues you're having with Cognito? I'm quite far down the Cognito path and although it's difficult to work with sometimes, I've found that I can usually get things working the way I want. Auth is hard to do right and re-inventing the wheel sounds like a lot of work with lots of implementation details to get right.

@davidgatti
Author

davidgatti commented Jun 20, 2019

Hi @cliffordh,

Sure, check the following Issue #3330, and follow the URL. And this is one thing; then if you check, let's say, the Issue section of this repo for the past 30 days, you'll see an endless stream of issues, from something just not working at all to something not being implemented following the security guidelines.

I also use AWS Tech Support to figure out issues, and from my private chats with them, I found out that even if you get OAuth working with 3rd party ISPs, the SDK they provide to handle OAuth won't create a valid user session for the main SDK to use. So you "login" but can't use the session for anything - and that is just plain broken.

Their excuse is to just use Amplify. The problem is that Amplify is built on top of the Cognito SDK they have here and this code doesn't work - meaning they are building software on top of broken software.

On top of that, the simple function that should log out a user, `cognitoUser.signOut();`, won't clear the browser storage, so if you have two users sharing the same browser, when the 2nd user logs in, the user won't get a valid session since the query to Cognito will fail.

You have to clear the storage yourself with `localStorage.clear();`

The global log out feature `cognitoUser.globalSignOut();` never worked, from the beginning. How much more basic than this can you be?

Around, I think, 6 months ago I discovered an issue where someone forgot to copy and paste some code in a class, and it took 2 weeks of fighting with AWS Tech Support to make them acknowledge the problem is on their side and not mine; thankfully they fixed the issue quickly once they accepted the blame.

Sadly they'll blame you first and you have to spend weeks making videos, screenshots and giving them details to prove they have an issue. It is just exhausting, and basically you test their code, something that should not happen.

And I'm done doing this for free.

I have implemented countless credential systems myself with OAuth for every social network out there + SAML 2.0 and SSO. It is not rocket science.

But I liked the idea of using Cognito and not thinking about this part of a project. But right now, after 1 year, and seeing zero improvement - even worse, discovering more and more issues - I came to the conclusion that sadly this part of a project is too important to rely on others.

Probably this year I'll make a solution using Lambda and CloudFormation - do it once and never think about this again.

PS: this issue #2707 is a classic example, where they blame you, confident that you are in the wrong, and then you slap them in the face with proof that the issue is on their side. It's frustrating.
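Added example (not part of the comment above and not code from the Amplify or Cognito SDKs): on a shared browser, `localStorage.clear()` also wipes unrelated application state, so a narrower cleanup is to remove only the entries for one app client after calling `cognitoUser.signOut()`. The `CognitoIdentityServiceProvider.<clientId>.` key prefix follows the storage key quoted later in this thread; `MemoryStorage`, `purgeCognitoSession`, `signOutAndPurge` and the sample keys are constructed for illustration.

```javascript
// Key prefix used for the SDK's stored session entries, as seen in the
// localStorage key quoted in this thread.
const COGNITO_PREFIX = 'CognitoIdentityServiceProvider.';

// Minimal in-memory stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor(initial = {}) { this.map = new Map(Object.entries(initial)); }
  get length() { return this.map.size; }
  key(i) { const k = Array.from(this.map.keys())[i]; return k === undefined ? null : k; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Remove every entry that belongs to one app client. The trailing dot keeps
// client "abc" from matching keys that belong to client "abcd".
function purgeCognitoSession(storage, clientId, extraPrefixes = []) {
  const prefixes = [COGNITO_PREFIX + clientId + '.', ...extraPrefixes];
  // Collect first: removing while indexing with key(i) would skip entries.
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && prefixes.some((p) => k.startsWith(p))) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k));
  return doomed.sort();
}

// Sign out, then purge whatever the SDK left behind, even if signOut() throws.
function signOutAndPurge(cognitoUser, storages, clientId) {
  let signOutError = null;
  try {
    if (cognitoUser) cognitoUser.signOut();
  } catch (err) {
    signOutError = err;
  }
  const removed = storages.flatMap((s) => purgeCognitoSession(s, clientId));
  return { removed, signOutError };
}

// Constructed sample: one signed-in user for client "clientA", an entry for
// a different client, and an unrelated application setting.
function sampleStorage() {
  const p = COGNITO_PREFIX;
  return new MemoryStorage({
    [p + 'clientA.LastAuthUser']: 'alice',
    [p + 'clientA.alice.idToken']: 'constructed-id-token',
    [p + 'clientA.alice.accessToken']: 'constructed-access-token',
    [p + 'clientA.alice.refreshToken']: 'constructed-refresh-token',
    [p + 'clientA.alice.userData']: '{"Username":"alice"}',
    [p + 'clientB.LastAuthUser']: 'carol',
    theme: 'dark',
  });
}
```

In a browser, pass `[window.localStorage, window.sessionStorage]` as `storages`.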

@sammartinez sammartinez added Cognito Related to cognito issues Service Team Issues asked to the Service Team labels Jun 20, 2019
@The-Edge-Malaysia

I share the same frustration after working on Amplify Auth for the past 4 weeks. I was expecting Cognito to handle our authentication requirement pretty smoothly, as we just want to have federated authentication with Google and create users in a Cognito user pool.

I am using Vue and there are not many examples, and none for what we are trying to achieve.

We have 2 projects running to have user records centralised on Cognito: one is our internal system where all users are using Google G Suite accounts; the other is a public-facing web site + mobile app where we need user records to be captured, even if the user chooses to log in via Google or Facebook.

Today, I thought I had finally got Amplify Auth with Google sign-in to work on our internal system, only to find out a while ago that users are not created in the user pool, a feature required for both our projects.

I am not sure whether I have the patience to dig around for a solution, trying to adapt examples and posted code, mainly React, to Vue to see if it works.

We have been big fans of AWS all this while, but the Amplify/Cognito workflow may lead us to seriously consider whether we should continue with AWS or migrate to another cloud provider who may have a cleaner auth workflow + decent cloud functionality.

@mlabieniec
Contributor

@The-Edge-Malaysia did you use the CLI to bootstrap your project with social providers? If using vue, the docs have some examples here, which I'm assuming you've already seen: https://aws-amplify.github.io/docs/js/vue

But also in terms of using a social provider with amplify we've recently launched some things to greatly simplify this process documented here: https://aws-amplify.github.io/docs/js/authentication#social-provider-setup

Did you see/use those docs when you set up your apps? If you haven't, do you think they help? Otherwise would definitely like to hear feedback on improvements to them.

There is also a blog post here by one of our developer advocates on building a vue app:
https://hackernoon.com/how-to-build-serverless-vue-applications-with-aws-amplify-67d16c79e9d6

If you are using Auth the users should definitely be created in the user pool, and they should be automatically added to a group per IDP. Do you have any code to share that I can take a look at to see some of your setup?

@jkeys-ecg-nmsu

I think part of the problem is that most people leveraging these libraries are doing so for commercial purposes, so they have little incentive to share what discoveries they make about individual services.

Perhaps the real FR here is documentation littered with samples of various use cases for Cognito.

@The-Edge-Malaysia

Comments below:

> @The-Edge-Malaysia did you use the CLI to bootstrap your project with social providers? If using vue, the docs have some examples here, which I'm assuming you've already seen: https://aws-amplify.github.io/docs/js/vue

This does not cover federatedSignIn. I found one pending review branch from @OrozcoJonathan on Vue, and extracted the relevant part, i.e. the Google sign-in button, and it works, unfortunately without adding signed-in users to the user pool as per your documentation.

> But also in terms of using a social provider with amplify we've recently launched some things to greatly simplify this process documented here: https://aws-amplify.github.io/docs/js/authentication#social-provider-setup

There's no reference to Vue. I did follow the steps, i.e.

amplify init
amplify add auth
Default configuration with Social Provider (Federation)

> Did you see/use those docs when you set up your apps? If you haven't, do you think they help? Otherwise would definitely like to hear feedback on improvements to them.

No, the docs do not; @OrozcoJonathan's branch does.

> There is also a blog post here by one of our developer advocates on building a vue app:
> https://hackernoon.com/how-to-build-serverless-vue-applications-with-aws-amplify-67d16c79e9d6

This is without federated sign-in.

> If you are using Auth the users should definitely be created in the user pool, and they should be automatically added to a group per IDP. Do you have any code to share that I can take a look at to see some of your setup?

```js
const awsmobile = {
    "aws_project_region": "ap-southeast-1",
    "aws_cognito_identity_pool_id": "ap-southeast-1:XXXXXXXX",
    "aws_cognito_region": "ap-southeast-1",
    "aws_user_pools_id": "ap-southeast-1XXXXXX",
    "aws_user_pools_web_client_id": "XXXXXXXXX",
    "oauth": {
        "domain": "authXXXXXXXX-dev.auth.ap-southeast-1.amazoncognito.com",
        "scope": [
            "phone",
            "email",
            "openid",
            "profile",
            "aws.cognito.signin.user.admin"
        ],
        "redirectSignIn": "http://localhost:8080/",
        "redirectSignOut": "http://localhost:8080/",
        "responseType": "code"
    },
    "federationTarget": "COGNITO_USER_POOLS"
};

export default awsmobile;
```

below is extracted from @OrozcoJonathan 's vueFederatedIdentity branch
```js
// Vue component method
federatedSignIn (googleUser) {
  const { id_token, expires_at } = googleUser.getAuthResponse()
  const profile = googleUser.getBasicProfile()
  let user = {
    email: profile.getEmail(),
    name: profile.getName(),
    picture: profile.getImageUrl()
  }
  if (
    !this.$Amplify.Auth ||
    typeof this.$Amplify.Auth.federatedSignIn !== 'function' ||
    typeof this.$Amplify.Auth.currentAuthenticatedUser !== 'function'
  ) {
    throw new Error('No Auth module found, please ensure @aws-amplify/auth is imported')
  }
  this.$Amplify.Auth.federatedSignIn('google', { token: id_token, expires_at }, user)
    .then(credentials => {
      this.$AmplifyEventBus.$emit('authState', 'signedIn')
      this.$router.push({ name: 'announcement' })
    })
    .catch(error => this.logger.error(error))
}
```

The above does not record new users to the user pool.

If I use hostedUI, currentAuthenticatedUser() is sure to fail the first time after sign in; after a page refresh, currentAuthenticatedUser() will return the desired result.

I have also noticed that localStorage's CognitoIdentityServiceProvider.xxxxxx.userData will only be registered after a page refresh.

@uchar

uchar commented Jun 22, 2019

> @The-Edge-Malaysia did you use the CLI to bootstrap your project with social providers? If using vue, the docs have some examples here, which I'm assuming you've already seen: https://aws-amplify.github.io/docs/js/vue
>
> But also in terms of using a social provider with amplify we've recently launched some things to greatly simplify this process documented here: https://aws-amplify.github.io/docs/js/authentication#social-provider-setup
>
> Did you see/use those docs when you set up your apps? If you haven't, do you think they help? Otherwise would definitely like to hear feedback on improvements to them.
>
> There is also a blog post here by one of our developer advocates on building a vue app:
> https://hackernoon.com/how-to-build-serverless-vue-applications-with-aws-amplify-67d16c79e9d6
>
> If you are using Auth the users should definitely be created in the user pool, and they should be automatically added to a group per IDP. Do you have any code to share that I can take a look at to see some of your setup?

Well, one of the problems is comments like yours: for every issue, someone just throws this link https://aws-amplify.github.io/docs/js/authentication and closes the issue.
Look at this and this and many other issues.
Well, if that link helped and was clear enough, nobody would ask here.
This whole Amplify project seems a low-quality, vague product to me. I had many issues with Amplify's GraphQL and also the Storage library too.

@The-Edge-Malaysia

The-Edge-Malaysia commented Jun 22, 2019 via email

@The-Edge-Malaysia

The-Edge-Malaysia commented Jun 23, 2019 via email

@The-Edge-Malaysia

I have tried #1386 adapted to Vue, but it is not working for me.

@davidgatti
Author

@cliffordh, and as you can see, there is an issue, a random link is sent out that does not solve anything or is even related to the issue, and then silence. The problem is gone :D The lack of responsibility in the Cognito team is on a different level.

@The-Edge-Malaysia

The-Edge-Malaysia commented Jul 2, 2019 via email

@davidgatti
Author

Mmm undocumented functionality, one of the pillars of Cognito SDKs. And the documentation never to be updated - because treasure hunts are fun.

@The-Edge-Malaysia

The-Edge-Malaysia commented Jul 3, 2019 via email

@revmischa

I tried to use the simplest default configuration for setting up Cognito with google federated auth and using react's withAuthenticator. When the user signs in with Google, nothing happens besides the error "Token is not from a supported provider of this identity pool"

I'm starting from scratch using only the simplest default tools and settings provided, and it doesn't even work. It's as if nobody has actually tried this. I reported the issue many months ago but it seems no progress has been made.

I want to like and use Cognito but it is really clearly an unloved part of AWS.

@davidgatti
Author

@revmischa, yep, and even if you were to fix this issue (there is a way), there will be yet another issue, ingrained in the SDK, that can't be overcome. So you spend weeks, think you finally got it working, and then the SDK won't create the right session for the main SDK to use 🤣.

Your issue is a misconfiguration with, you know, the URLs, but don't bother with solving that since the OAuth SDK AWS provides does not create the user session the right way anyway. So... waste of time.

@aldegoeij

@revmischa had this too, using Gatsby and the HOC, seems like aws-exports.js cannot be read, so ended up using:

```js
import Amplify from "aws-amplify"
import { withAuthenticator } from "aws-amplify-react"
import awsmobile from "./../aws-exports"

// Translate the "enable" string from aws-exports.js into a boolean
const awsmobileMandatorySignIn = awsmobile.aws_mandatory_sign_in === "enable"

Amplify.configure({
  Auth: {
    // REQUIRED - Amazon Cognito Identity Pool ID,
    identityPoolId: awsmobile.aws_cognito_identity_pool_id,
    // REQUIRED - Amazon Cognito Region
    region: awsmobile.aws_cognito_region,
    // OPTIONAL - Amazon Cognito User Pool ID
    userPoolId: awsmobile.aws_user_pools_id,
    // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
    userPoolWebClientId: awsmobile.aws_user_pools_web_client_id,
    // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
    mandatorySignIn: awsmobileMandatorySignIn,
    // OPTIONAL - Configuration for cookie storage
    // cookieStorage: {
    //   // REQUIRED - Cookie domain (only required if cookieStorage is provided)
    //   domain: ".bodycode.app",
    //   // OPTIONAL - Cookie path
    //   path: "/",
    //   // OPTIONAL - Cookie expiration in days
    //   expires: 365,
    //   // OPTIONAL - Cookie secure flag
    //   secure: true,
    // },
  },
})

// ... (App component definition elided in the original comment)

const federated = {
  google_client_id:
    "471zzzzzzzzzzzzzzzzs37f2.apps.googleusercontent.com",
}

export default withAuthenticator(App, {
  includeGreetings: false,   // disable the signout menu bar
  federated: federated,
})
```

Note that I commented out the cookie stuff as (if I remember correctly) it breaks something with federation

@ghost

ghost commented Jul 31, 2019

@aldegoeij Were you able to get the Amplify Cognito feature working with Gatsby?

I'm using Gatsby and Amplify Cognito together and started here:
https://github.com/dabit3/gatsby-auth-starter-aws-amplify

I got it working okay, but the aws-amplify version is "1.0.5", the aws-amplify-react version is "1.0.5" and so I decided to update them to the most recent versions ("1.1.33"/"2.3.12").

After that, I just had a blank white screen without any errors/warnings. I updated these packages because the out-of-the-box UI looked really old and not like the UI components in the docs:
https://aws-amplify.github.io/media/ui_library

Please let me know if you had a similar issue, or if you know how to resolve.

Finally, I do agree with @davidgatti in that the Cognito stuff is a real pain. I've actually bailed on Cognito for a few projects to go use Auth0 (which I don't like much BTW but is cake) or Passport or some other time-consuming work-around. My eyes bleed from trying to make it work and then I'm very afraid to release it into the wild.

Sorry to the maintainers, I know it is hard work.

I'd love to use Cognito for anything possible but it is very troubling for me every time.

UPDATE:
After testing various aws-amplify-react packages, it appears that any package after [email protected] gives me a blank white screen. The aws-amplify package does seem to be working okay so far as I tested it with [email protected]. So, my next step is to drop the withAuthenticator HOC and go without.

UPDATE #2 LOL:
sorry guys I did make some errors on my end with the aws-amplify & aws-amplify-react packages. I did get it working and so far I cannot claim it is a Cognito bug/issue.

So, my AWS Cognito works fine now. I do agree that I've had many issues with Cognito and a lot of them may be on the AWS Cognito side, but I think most of them come from my own lack of experience.

With that being said, I do not agree with these folks saying there's a level of incompetence because that is simply not true. My issue is that Cognito is TOUGH and troublesome, but then I'm under tight time constraints and I'm doing login/signup + UI + server + DB so I typically run away from Cognito because it is more difficult than other options.

Keep the peace, they're working on it...

@revmischa

revmischa commented Jul 31, 2019

I really would like to use Cognito! But it just feels very unfinished and scary.
Especially I dislike the fact that if I change one small detail of my Cognito pool (such as password min length) in CloudFormation, it will helpfully destroy the user pool and remake it, deleting all users!
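Added example (not part of the comment above and not AWS or Amplify code): a pre-deploy gate for the failure mode described here, which inspects the JSON returned by `aws cloudformation describe-change-set` and refuses to proceed when a user pool would be replaced or removed. The function names and the sample change set are constructed for illustration; the `Changes[].ResourceChange` fields are those of the CloudFormation change set format.

```javascript
// Resource types whose replacement or removal destroys user data.
const STATEFUL_TYPES = new Set(['AWS::Cognito::UserPool']);

// Return one finding per stateful resource the change set would destroy.
function findDestructiveChanges(changeSet, statefulTypes = STATEFUL_TYPES) {
  const findings = [];
  for (const change of changeSet.Changes || []) {
    const rc = change.ResourceChange;
    if (!rc || !statefulTypes.has(rc.ResourceType)) continue;
    // Replacement is "True", "False" or "Conditional" for Modify actions.
    // Anything other than an explicit "False" is treated as destructive.
    const replaced = rc.Action === 'Modify' && rc.Replacement !== 'False';
    const removed = rc.Action === 'Remove';
    if (!replaced && !removed) continue;
    findings.push({
      logicalId: rc.LogicalResourceId,
      physicalId: rc.PhysicalResourceId || null,
      action: rc.Action,
      replacement: rc.Replacement || 'N/A',
      // Property names that triggered the change, when CloudFormation reports them.
      properties: (rc.Details || [])
        .map((d) => d.Target && d.Target.Name)
        .filter(Boolean),
    });
  }
  return findings;
}

// Throw (and so fail a CI step) when the change set is destructive.
function assertSafeToDeploy(changeSet) {
  const findings = findDestructiveChanges(changeSet);
  if (findings.length > 0) {
    const lines = findings.map(
      (f) => `${f.logicalId} (${f.action}, replacement=${f.replacement})`
    );
    throw new Error('Change set would destroy user data: ' + lines.join('; '));
  }
  return true;
}

// Constructed sample: the property name and IDs are placeholders, not real values.
const SAMPLE_CHANGE_SET = {
  Changes: [
    {
      Type: 'Resource',
      ResourceChange: {
        Action: 'Modify',
        LogicalResourceId: 'UserPool',
        PhysicalResourceId: 'ap-southeast-1_EXAMPLE',
        ResourceType: 'AWS::Cognito::UserPool',
        Replacement: 'True',
        Details: [
          { Target: { Attribute: 'Properties', Name: 'ExampleProperty', RequiresRecreation: 'Always' } },
        ],
      },
    },
    {
      Type: 'Resource',
      ResourceChange: {
        Action: 'Modify',
        LogicalResourceId: 'UserPoolClient',
        ResourceType: 'AWS::Cognito::UserPoolClient',
        Replacement: 'False',
        Details: [],
      },
    },
    {
      Type: 'Resource',
      ResourceChange: {
        Action: 'Add',
        LogicalResourceId: 'PostConfirmFn',
        ResourceType: 'AWS::Lambda::Function',
      },
    },
  ],
};
```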

@damianesteban

> From the issues created in this repo, the lack of responsiveness from the Cognito team, which keeps issues from being acknowledged, the state of the code for all the SDKs related to Cognito, the incoherent mess that these SDKs are in, and the private chats that I had with AWS Tech Support, I understand the problem that the Cognito service has.
>
> There is nobody responsible for the Cognito project, which explains the state of Cognito.
>
> To give you some perspective, when I mentioned some issues on GitHub for the Kinesis Video Stream services, within 1 day the manager for the project got in touch with me and called me to have a chat - and the complaint was marginal compared to what's happening with Cognito.
>
> I see that there is no future for Cognito, and from now on, I'll start to transition my clients to a custom solution that I have control over, and what I build will just work.
>
> I'm truly disappointed that nobody at AWS can be held accountable for Cognito, and there is no way for someone from the outside to point to the problem. The consequences of this are reflected in the product itself.
>
> To sum it up, my feature request is this: I hope this level of incompetence won't spread to other AWS services.

We would like to do the same but they make it almost impossible to transition off of the platform unless you want to ask all of your users to create new passwords on a new system. That is the most infuriating part.

@davidgatti
Author

> I really would like to use Cognito! But it just feels very unfinished and scary.
> Especially I dislike the fact that if I change one small detail of my Cognito pool (such as password min length) in CloudFormation, it will helpfully destroy the user pool and remake it, deleting all users!

Nice feature :D

@davidgatti
Author

> > From the issues created in this repo, the lack of responsiveness from the Cognito team, which keeps issues from being acknowledged, the state of the code for all the SDKs related to Cognito, the incoherent mess that these SDKs are in, and the private chats that I had with AWS Tech Support, I understand the problem that the Cognito service has.
> > There is nobody responsible for the Cognito project, which explains the state of Cognito.
> > To give you some perspective, when I mentioned some issues on GitHub for the Kinesis Video Stream services, within 1 day the manager for the project got in touch with me and called me to have a chat - and the complaint was marginal compared to what's happening with Cognito.
> > I see that there is no future for Cognito, and from now on, I'll start to transition my clients to a custom solution that I have control over, and what I build will just work.
> > I'm truly disappointed that nobody at AWS can be held accountable for Cognito, and there is no way for someone from the outside to point to the problem. The consequences of this are reflected in the product itself.
> > To sum it up, my feature request is this: I hope this level of incompetence won't spread to other AWS services.
>
> We would like to do the same but they make it almost impossible to transition off of the platform unless you want to ask all of your users to create new passwords on a new system. That is the most infuriating part.

In theory you would not have to ask that question. You could do the transition, and send out an email explaining your password was reset (not set at all), or when they log in next time, you tell the user that the account was locked for security reasons and they'll get a verification email which will allow them to set the new password.

I believe this is a good flow and secure.

@revmischa

Someone made this to allow modifying custom attributes without accidentally deleting all of your users https://github.com/michaelduminy/serverless-cognito-add-custom-attributes

@davidgatti
Author

Nice, one guy made it for free; a billion dollar company with unlimited resources - unable. Nice - this is just too fun :)

@apalumbo

apalumbo commented Aug 5, 2019

@damianesteban you can create a new userpool and implement a migrate hook; there you will have the chance to migrate the user into the pool on the first login, keeping their passwords

@davidgatti this info is already in the docs https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html

IMHO authentication is a complex thing, cognito is not perfect but if you try something similar (like auth0) with a custom signup or UI it will be hard too.
At least for me auth amplify worked great for 80% of the auth process (like in the pareto principle); of course we have a bit of experience in the oauth stuff for adding the extra 20%
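Added example (not from this thread and not AWS sample code): a sketch of the migrate hook mentioned above, written as the Lambda attached to the new pool's user migration trigger. The trigger sources and response fields are those of the Cognito user migration trigger; the in-memory legacy directory, its scrypt hashing, the sample user and all helper names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Constructed legacy directory; a real hook would query the old user store.
const LEGACY_USERS = new Map([
  ['alice@example.com', {
    email: 'alice@example.com',
    salt: 'constructed-salt-1',
    hash: hashPassword('correct horse battery', 'constructed-salt-1'),
  }],
]);

// Hashed against when the user is unknown, so both failure paths do the same work.
const DUMMY_USER = { salt: 'dummy-salt', hash: hashPassword('dummy', 'dummy-salt') };
const GENERIC_ERROR = 'Bad username or password';

function lookupLegacyUser(userName) {
  return LEGACY_USERS.get(String(userName || '').toLowerCase()) || null;
}

function verifyLegacyPassword(user, password) {
  const record = user || DUMMY_USER;
  const candidate = hashPassword(String(password || ''), record.salt);
  const match = crypto.timingSafeEqual(candidate, record.hash);
  return Boolean(user) && match;
}

// Core logic, kept synchronous so it can be unit-tested without Lambda.
function migrateUser(event) {
  const user = lookupLegacyUser(event.userName);
  switch (event.triggerSource) {
    case 'UserMigration_Authentication':
      // The password reaches this trigger only when the client signs in with
      // a flow that sends it to Cognito (USER_PASSWORD_AUTH rather than SRP).
      if (!verifyLegacyPassword(user, event.request.password)) {
        throw new Error(GENERIC_ERROR); // same error for unknown user and bad password
      }
      event.response.userAttributes = { email: user.email, email_verified: 'true' };
      event.response.finalUserStatus = 'CONFIRMED'; // keep the existing password
      event.response.messageAction = 'SUPPRESS';    // no welcome message
      return event;
    case 'UserMigration_ForgotPassword':
      if (!user) throw new Error(GENERIC_ERROR);
      // A verified email is needed so the reset code can be delivered.
      event.response.userAttributes = { email: user.email, email_verified: 'true' };
      event.response.messageAction = 'SUPPRESS';
      return event;
    default:
      throw new Error('Unsupported trigger source: ' + event.triggerSource);
  }
}

// Lambda entry point: export this as the function's handler.
const handler = async (event) => migrateUser(event);
```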

@davidgatti
Author

As stated in the documentation:

> This approach enables seamless migration of users from your existing user directory to user pools when they use your new Amazon Cognito-enabled app for the first time, either during their first sign-in or during the forgot-password process.

So if I understand correctly, your old user pool that got its user base deleted by a poor AWS implementation won't work, since it seems you need a database of users to move to a new location? Or did I miss something?

@apalumbo

apalumbo commented Aug 7, 2019

You don't have to change the conf on your current userpool (I think that most of the things should be readonly after the creation), you need to create a new one with the new configurations and configure the migration trigger on the new one.

We usually work with cloudformation, sdk or cdk so creating a new resource is not a problem.

I don't think that cognito or amplify are perfect, but auth is something really serious and risky, IMHO writing it by yourself is not an option (It could be acceptable only if I decide to start a competitor ;-) ) , even running it by yourself (at least for me the GDPR stuff is painful). Cognito is a good alternative to other similar services, and from my point of view it's free (the free tier is 50K monthly active user) and other competitor services like auth0 will cost you a lot if you need things like SAML.
It's not only a username and password login, it's IAM roles, social login, federation, brute force detection, one time password.

If you need more control over cognito you can also use a custom login flow,

@undefobj
Contributor

undefobj commented Feb 3, 2020

@alexladerman can you open a new issue with your setup details and errors you are seeing so that the team can troubleshoot? If you have a REST API with simple Auth it should be straightforward as outlined here but CORS errors can sometimes represent a setting being misconfigured in API Gateway or a general browser authorization issue.

While it is true the SOA design of Amplify does provide more control and flexibility we are always working hard to make things simple to use for customers and striving towards a seamless experience. In some areas this is the case while in others we have more work to do as meeting the flexibility requests from customers comes with certain tradeoffs, but we'll never stop working on this. If there are specific errors or asks on the Amplify side please do open up a new issue and we'll see how we can answer or prioritize new designs/features and in the meantime any service feedback we'll raise with those teams.

@alexladerman

@undefobj happy to open new issues about specific problems I can describe accurately.

Here's one https://github.com/aws-amplify/amplify-js/issues/4839

@ddisqq

ddisqq commented Feb 19, 2020

Also struggling with an Amplify/Cognito login/signup solution.

I think Amplify can be the end all be all for an out of the box solution for many folks given the right documentation.

I think a big point to note is that the complexity increases further when using a custom domain with or without the hosted UI configuration. Seeing some issues with CNAME, redirect and region configuration, 400's etc.

The documentation would be better served with a simple happy path with a custom domain in mind (avoid the hosted UI). It currently provides a buffet of options and I am sure it's causing users to attempt to mishmash everything together as I currently have.

Experience so far is to almost avoid the 'amplify add auth' in the CLI as it tends to lock in certain configurations, makes assumptions, and adds complexity rather than just starting from the bottom up.

It attempts to provide a shortcut, but it feels somewhat convoluted when trying to make any modifications.

Frustrations started with the default signup component/hosted UI appearing to be over configured. I.e. asks user for username and email and requires username to be email after a failed registration.

There is a passwordless cognito/lambda example out there with an angular front end. The amplify documentation should short-circuit what it has so far and provide this with a custom domain for all the major front end frameworks.

This is how adoption will rise significantly.

There is still a disconnect in the documentation about simply going from a simple traditional signin/signup flow for a SaaS application. I think the documentation should direct the user down the custom domain path from the start as this is the inevitable use case in pursuit for most users.

@trmaphi

trmaphi commented Feb 20, 2020

From my experience over 6 months working with Cognito on a daily basis, I must say Cognito User Pool is really a pain if you start customizing your solution.

Every migration on Cognito User Pool is a process of creating a new pool. It's frustrating that you have to keep your old pool, even if it only has 1 user. 😓

@hemmachat

I am evaluating different identity providers for our company as we need to use single and social sign-on with multiple websites for our customers to easily use their existing accounts. With ASP.NET Core, Auth0 has very good documentation and samples for the .NET world. I could use their samples with some customisations and be able to see some proof-of-concept within a day.

With Cognito, however, it seems to be just a single person who is in charge of the .NET documentation and samples in GitHub. The sample works with Cognito's user pool but when I tried to use social sign-on such as Google, there was nothing there. I found some documentation about setting up an identity pool but could not find how to make it work with .NET.

AWS people, please provide some more documentation and sample code, and be more serious about Cognito. I do not understand why I always hear about Cognito, Cognito and Cognito from the ReInvent videos. Identity management is very big and necessary for the enterprise.

@christensen143

I agree wholeheartedly. I had to create an entire API for user management because you cannot manage your users inside of Cognito. I was on the phone with a support person from Cognito on Friday. He said that this was not a feature that was requested by enough people. I asked him if he had been paying attention to the GitHub issues for Cognito, Amplify, and the Javascript SDK as well as StackOverflow because everyone wants this. I then offered to consult for AWS if they needed someone to give them a hand. I'm to the point where I'm mixing humor with a sharp tongue because facing the reality of the current state of Cognito is horrifying.

@brainstorm

Here's my "favourite" issue with Cognito, @dabit3 : igvteam/igv#691, detail here: https://github.com/igvteam/igv/pull/691/files#diff-4eb026bcdcbd11039fe8e138f6614363R146

After months of cloudtrail logging, we "discover" that the "enhanced flow" recommended in the official docs, does not support proper audit trails for federated users, thus reverting to the "Classic/Basic flow" :/

/cc @reisingerf @victorskl

@mmatouk

mmatouk commented Feb 25, 2020

Hi @christensen143 - I'm a solutions architect with Cognito team.
Can you share some more details about the features or use-case you meant by "user management"? happy to chat if you prefer a quick call.

@ajhool

ajhool commented Feb 26, 2020

@mmatouk there are a lot of issues in this amplify repository where Cognito is the real culprit. Would the cognito team consider opening up an independent github repo for the cognito service to solicit community feedback?

@mmatouk

mmatouk commented Feb 26, 2020

Hi @ajhool - you can utilize cognito forum for feedback or questions. you need to be logged into your AWS account.

@davidgatti
Author

@mmatouk love the excuse not to bother about what people voice in other places. If not on the Cognito Forum, then the problem does not exist?

@ajhool

ajhool commented Feb 27, 2020

@mmatouk Ah, the aws forums, I had been wondering where the cognito dev team was! Being that there are currently 1835 unanswered questions on the Cognito forum, I will hold off on overloading it with my own

@maslennikov

maslennikov commented Mar 10, 2020

Thank you @davidgatti for addressing this issue so openly. I've been developing my greenfield project with AWS services, and in conjunction with terraform it was an okay-ish experience so far. The only piece that was missing was auth. Now all the base development is finished, and I need to pick an auth solution. Although I'm used to AWS bureaucratic documentation style, something bugged me with all the docs and examples and discussions around Cognito. It just felt wrong. Now I get it. Relieved, and without any more hesitation about having not 100% pure AWS infra, I spun up a Firebase project and integrated a simple auth to my webapp in about 20 minutes.

@dabit3
Contributor

dabit3 commented Mar 10, 2020

@maslennikov I’m curious which features you are seeing Firebase offer that Cognito does not.

This info will be a big help for the teams to further improve what Cognito offers.

@maslennikov

@dabit3 for me, Cognito seemed bulky from the very beginning. I have not used it, it was scary even to begin playing around with. I looked for something with a very small surface of caring about and simple integration into my React frontend and API. Neither Cognito nor Amplify promised anything of it. Reading this thread just confirmed my gut feeling.

@dabit3
Contributor

dabit3 commented Mar 10, 2020

Ok got it. I would just throw out there that auth / Cognito is the most used API for Amplify and only takes a couple of minutes to set up.

I would give it a shot as well to make an informed decision and if you then find something that we can improve on let us know.

@jkeys-ecg-nmsu

@dabit3 one big thing for me is the Cognito console doesn't even provide parity with the CLI. So account administration that typically isn't done by a programmer either (1) falls to a programmer who knows how to interact with the CLI, or (2) requires creating a wrapper interface in your own SPA / website around Cognito for your admins.

Biggest one off the top of my head is inability to update custom attributes / claims for users, but there are others.

Worse, I know for a fact this issue has been raised with the Cognito service team for at least ~6 months.

There doesn't seem to be any urgency to address these complaints, so I can empathize with the complaints here.

(Side note: oauth with Cognito and a PHP server can be a pain, but I think that's generally applicable to all frameworks. Maybe Firebase just holds your hand through oauth more?)

@brainstorm

@dabit3 Make sure the Cognito docs are publicly pull-requestable on GitHub too, they don't seem to be there last time I checked: igvteam/igv#691 (comment)

@revmischa

revmischa commented Mar 11, 2020

The issues with Cognito and Amplify are quite obvious to anyone who tries to actually use them. If someone from the Cognito team would actually try to use Cognito they would understand the pain points we've experienced.
Try making a signup flow that doesn't require user verification! Try using TypeScript! Try using Amplify with FB or Google auth! Try adding a user attribute with CloudFormation after your user pool has been created! Try to use emails instead of usernames in the user management console!

My suggestion: take an Amazon intern and sit them down and tell them to try building authentication components for various common use cases using Cognito and/or Amplify. Have them report any documentation that is confusing (configuring React with social providers was extremely unclear to me for example), scary things they find (like changing user attributes on an existing pool), error messages, and so on.

@davidgatti
Author

What @revmischa wrote is the distilled version of this whole discussion.

@wansco

wansco commented Mar 11, 2020

This is painful to watch. Apparently no one from AWS is paying attention. Ordinarily I wouldn't have considered other options, but Firebase is looking awfully promising. Cognito and Amplify are horribly broken and if AWS needs to ask how/why, then they have already lost the battle. https://xkcd.com/2278/
@revmischa sums it up nicely. Get someone who isn't on the dev team to do just about any cognito/amplify task and I guarantee you'll see what we're talking about on this thread.

@dabit3
Contributor

dabit3 commented Mar 11, 2020

@wansco @revmischa we appreciate this feedback and are indeed working on improvements based on this thread.

@anthonyhumphreys
Contributor

anthonyhumphreys commented Mar 11, 2020 via email

@wansco

wansco commented Mar 11, 2020

I don't mean to pile on the devs. This should entirely be blamed on the managers that needed to check a feature box and pushed this out the door. AWS devs, please accept my apologies and hopefully someone up the chain will wake up and expand your team to tackle these issues.

From the outside it just appears that cognito/amplify is woefully under-resourced, which is not my experience in other areas of aws.

@rachitdhall

Hello, checking in from Amazon Cognito. Let me start by saying we recognize and acknowledge your frustration and we appreciate the continuing feedback you have provided. We understand the reasons you are asking for better documentation, changes to existing functionality or new features. We could have done a better job communicating that in the last few months we have addressed some of the feedback coming from these forums, for example: Sign in with Apple, CloudFormation improvements referenced earlier in this thread, CloudWatch support, account recovery method prioritization, or supporting case insensitive user names.

We will continue focusing on making documentation clearer and providing better examples for new developers on-boarding to Cognito as well as on other improvements that should make it easier to use our platform. We thank you for your continuing patience and we want you to know we are making investments that will improve your experience with Cognito.

As this thread is getting fractured with multiple, distinct, pieces of feedback, we will be closing the issue, but we encourage you to open new issues with additional feedback. We will continue to listen to different feedback channels, such as from this community, for our roadmap prioritization.

Rachit Dhall,
Amazon Cognito

@undefobj undefobj changed the title I'm officially moving away from Cognito - and why you should to. Cognito Feedback Mar 12, 2020
@aws-amplify aws-amplify locked as resolved and limited conversation to collaborators Mar 12, 2020
@aws-amplify aws-amplify deleted a comment from davidgatti Mar 12, 2020