
User federation not taking place using imported resources #3205

Closed
anartzs opened this issue Sep 3, 2023 · 14 comments
Labels
auth Issues related to the Auth category question General question

Comments

anartzs commented Sep 3, 2023

Describe the bug

I am trying to reestablish user federation with Google and Apple on my iOS app because all the resources of my amplify backend were accidentally deleted several weeks ago. After all the resources have been re-imported, the only thing that doesn't work is the Social Sign in using the app.

I am following these instructions:
https://aws.amazon.com/blogs/mobile/federating-users-using-sign-in-with-apple-and-aws-amplify-for-swift/

Identity federation works correctly when using amplify-js but fails when using amplify-swift.

Before all the resources were deleted, identity federation worked correctly, and users could Sign in with their federated accounts.

The error occurs when calling the following function:

```swift
try await plugin.federateToIdentityPool(
    withProviderToken: tokenString,
    for: .apple
)
```

I thought maybe it was due to a federation-related Lambda Function that was deleted during the incident, but I can't find any info on what functions are being called or what is giving me these errors.

In my CloudFront stack several old/deleted resources are still used, and the old, non-existing identity pool is still referenced, but I can't change it, as all the update or modify buttons are disabled, and I don't even know if this has anything to do with my federation problem with amplify-swift.

I have followed other issues, such as #3124 but applying the solution given on this issue doesn't give me any result or improvement.

Steps To Reproduce

Steps I used to set up my Amplify Environment on Swift:
1. Setting up the authentication: https://docs.amplify.aws/lib/auth/social/q/platform/ios/
2. Creating the script that takes care of the federation: https://aws.amazon.com/blogs/mobile/federating-users-using-sign-in-with-apple-and-aws-amplify-for-swift/
3. Executing the app on the simulator with verbose log level
4. Clicking the Sign in with Apple button
5. Getting the error described on this issue

Expected behavior

Identity should be federated.

Amplify Framework Version

2.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

4

CLI version

12.3.0

Xcode version

14.3.1

Relevant log output

Amplify.Logging.logLevel = .verbose


Id.swift Starting execution
2023-09-03T12:18:23+0200 info CognitoIdentityClient : [Logging] Request: POST https:443 
 Path: / 
 Host: cognito-identity.eu-central-1.amazonaws.com, 
Content-Length: 869, 
Content-Type: application/x-amz-json-1.1, 
X-Amz-Target: AWSCognitoIdentityService.GetId, 
x-amz-user-agent: aws-sdk-swift/1.0, 
User-Agent: aws-sdk-swift/1.0 api/cognito-identity/1.0 os/iOS/16.4.0 lang/swift/5.8 lib/amplify-swift/2.15.2 
 Optional([])
2023-09-03T12:18:23+0200 info SerialExecutor : [Logging] Creating connection pool for Optional("https://cognito-identity.eu-central-1.amazonaws.com/?")with max connections: 50
2023-09-03T12:18:23+0200 info CRTClientEngine : [Logging] Connection was acquired to: Optional("https://cognito-identity.eu-central-1.amazonaws.com/?")
2023-09-03 12:18:23.957958+0200 MyApp[4125:41280] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/FetchAuthIdentityId.swift Sending event FetchAuthSessionEvent.throwError
2023-09-03 12:18:23.958150+0200 MyApp[4125:40952] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InformSessionError.swift Starting execution
2023-09-03 12:18:23.958316+0200 MyApp[4125:40952] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InformSessionError.swift Sending event AuthorizationEvent.receivedSessionError
2023-09-03 12:18:23.962826+0200 MyApp[4125:41279] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.federatingToIdentityPool" =         {
        };
        "AuthorizationState.federatingToIdentityPool" =         {
            "FetchSessionState.error" =             {
                error = "AWSCognitoAuthPlugin.FetchSessionError.notAuthorized";
            };
        };
    };
}
2023-09-03 12:18:23.972462+0200 MyApp[4125:41279] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.error" =         {
            Error = "AWSCognitoAuthPlugin.AuthenticationError.service(message: \"Session error: notAuthorized\")";
        };
        "AuthorizationState.error" =         {
            Error = "AWSCognitoAuthPlugin.AuthorizationError.sessionError(AWSCognitoAuthPlugin.FetchSessionError.notAuthorized, noCredentials)";
        };
    };
}


### Is this a regression?

No

### Regression additional context

_No response_

### Platforms

iOS

### OS Version

16.4

### Device

iPhone 14

### Specific to simulators

_No response_

### Additional context

_No response_
@5d 5d added auth Issues related to the Auth category pending-triage Issue is pending triage labels Sep 5, 2023
phantumcode (Contributor) commented:

@anartzs Can you verify that the amplifyconfiguration.json is configured correctly? Can you provide the contents of the file with identifiable details redacted? Do you have the correct sign in and signout redirect URI in the Info.plist? Please see the following documentation for reference as well: https://docs.amplify.aws/lib/auth/social/q/platform/ios/

@phantumcode phantumcode added question General question pending-community-response Issue is pending response from the issue requestor and removed pending-triage Issue is pending triage labels Sep 5, 2023
anartzs (Author) commented Sep 5, 2023

@phantumcode we don't use the Amplify hosted web UI. Instead we do this with the SignInWithApple and Sign in with Google buttons, but I have checked the Info.plist file and it looks like the one in the docs you sent.

Here you can see the contents of the amplifyconfiguration.json file with sensitive info removed:

{
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "api": {
        "plugins": {
            "awsAPIPlugin": {
                "MyApp": {
                    "endpointType": "GraphQL",
                    "endpoint": "https://************.appsync-api.eu-central-1.amazonaws.com/graphql",
                    "region": "eu-central-1",
                    "authorizationType": "API_KEY",
                    "apiKey": "************"
                }
            }
        }
    },
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify/cli",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "AppSync": {
                    "Default": {
                        "ApiUrl": "https://************.appsync-api.eu-central-1.amazonaws.com/graphql",
                        "Region": "eu-central-1",
                        "AuthMode": "API_KEY",
                        "ApiKey": "************",
                        "ClientDatabasePrefix": "MyApp_API_KEY"
                    },
                    "MyApp_AWS_IAM": {
                        "ApiUrl": "https://************.appsync-api.eu-central-1.amazonaws.com/graphql",
                        "Region": "eu-central-1",
                        "AuthMode": "AWS_IAM",
                        "ClientDatabasePrefix": "MyApp_AWS_IAM"
                    }
                },
                "CredentialsProvider": {
                    "CognitoIdentity": {
                        "Default": {
                            "PoolId": "eu-central-1:********-****-****-****-************",
                            "Region": "eu-central-1"
                        }
                    }
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "eu-central-1_******",
                        "AppClientId": "************.",
                        "Region": "eu-central-1"
                    }
                },
                "GoogleSignIn": {
                    "Permissions": "email,profile,openid",
                    "ClientId-WebApp": "*********************.apps.googleusercontent.com"
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "**************.auth.eu-central-1.amazoncognito.com",
                            "AppClientId": "***********************",
                            "SignInRedirectURI": "https://www.mydomain.es/sso",
                            "SignOutRedirectURI": "https://www.mydomain.es/sso",
                            "Scopes": [
                                "aws.cognito.signin.user.admin",
                                "email",
                                "openid",
                                "phone",
                                "profile"
                            ]
                        },
                        "authenticationFlowType": "USER_SRP_AUTH",
                        "socialProviders": [
                            "GOOGLE",
                            "APPLE"
                        ],
                        "usernameAttributes": [
                            "EMAIL"
                        ],
                        "signupAttributes": [
                            "EMAIL"
                        ],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 8,
                            "passwordPolicyCharacters": [
                                "REQUIRES_LOWERCASE",
                                "REQUIRES_UPPERCASE",
                                "REQUIRES_NUMBERS"
                            ]
                        },
                        "mfaConfiguration": "OFF",
                        "mfaTypes": [],
                        "verificationMechanisms": [
                            "EMAIL"
                        ]
                    }
                },
                "S3TransferUtility": {
                    "Default": {
                        "Bucket": "****************",
                        "Region": "eu-central-1"
                    }
                }
            }
        }
    },
    "storage": {
        "plugins": {
            "awsS3StoragePlugin": {
                "bucket": "****************",
                "region": "eu-central-1",
                "defaultAccessLevel": "guest"
            }
        }
    }
}

harsh62 (Member) commented Sep 5, 2023

@anartzs Checking if in your identity pool you have added your providers (similar to the screenshot below)?

[image: screenshot of the identity pool's identity providers]

If yes, could you share some details about the identity pool setup?

  • If the identity providers are added correctly?
  • If yes, share more details about the identity. How was the identity set up, and what kind of roles/claim mapping does it have?
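As an added check, not part of this thread or of Amplify's own tooling: a small Python script that compares the social providers and identity-pool id declared in amplifyconfiguration.json against the JSON that `aws cognito-identity describe-identity-pool` returns, so the question above (are the providers actually registered on the pool, and is it the pool the app points at?) can be answered from two files instead of screenshots. The provider-key table and both sample inputs are constructed assumptions with placeholder ids.

```python
import json

# Cognito Identity login-provider keys for the names Amplify writes into
# "socialProviders". The same keys appear in an identity pool's
# SupportedLoginProviders map and in the Logins map of the GetId request
# that federateToIdentityPool sends (the X-Amz-Target seen in the logs).
LOGIN_PROVIDER_KEYS = {
    "APPLE": "appleid.apple.com",
    "GOOGLE": "accounts.google.com",
    "FACEBOOK": "graph.facebook.com",
    "AMAZON": "www.amazon.com",
}


def check_federation_config(amplify_config: dict, pool_description: dict) -> dict:
    """Compare what the app expects with what the identity pool supports.

    amplify_config   : parsed amplifyconfiguration.json
    pool_description : parsed JSON from `aws cognito-identity describe-identity-pool`
    """
    cognito = amplify_config["auth"]["plugins"]["awsCognitoAuthPlugin"]
    app_pool_id = cognito["CredentialsProvider"]["CognitoIdentity"]["Default"]["PoolId"]
    social = cognito.get("Auth", {}).get("Default", {}).get("socialProviders", [])
    supported = pool_description.get("SupportedLoginProviders") or {}

    missing, unknown = [], []
    for name in social:
        key = LOGIN_PROVIDER_KEYS.get(name.upper())
        if key is None:
            unknown.append(name)        # not covered by the table above
        elif not supported.get(key):    # absent, or registered with an empty id
            missing.append(key)

    return {
        # a stale pool id in the config (the issue mentions an old pool still
        # being referenced) shows up here as a mismatch
        "pool_id_matches": app_pool_id == pool_description.get("IdentityPoolId"),
        "missing_login_providers": missing,
        "unknown_social_providers": unknown,
    }


# Constructed sample inputs with placeholder ids (not from any real account).
SAMPLE_AMPLIFY_CONFIG = json.loads("""{
  "auth": {"plugins": {"awsCognitoAuthPlugin": {
    "CredentialsProvider": {"CognitoIdentity": {"Default": {
      "PoolId": "eu-central-1:00000000-0000-0000-0000-000000000000"}}},
    "Auth": {"Default": {"socialProviders": ["GOOGLE", "APPLE"]}}
  }}}
}""")

# Constructed describe-identity-pool output: Google is registered, Apple is not.
SAMPLE_POOL_DESCRIPTION = {
    "IdentityPoolId": "eu-central-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": False,
    "SupportedLoginProviders": {
        "accounts.google.com": "000000000000-placeholder.apps.googleusercontent.com"
    },
}
```

A provider that is missing from the pool, or a pool id that no longer matches a live pool, are two configuration states in which the GetId call shown in the logs is rejected rather than issued an identity.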

@harsh62 harsh62 self-assigned this Sep 5, 2023
anartzs (Author) commented Sep 6, 2023

These are my identity pool configs:
Screenshot 2023-09-06 at 10 07 08

These are my identity providers:
Screenshot 2023-09-06 at 10 04 05

This is the attribute mapping for both identity providers:
Screenshot 2023-09-06 at 10 12 50

I have also tried setting them to Inactive and Default. In the case of the Amazon Cognito User Pool provider, the attribute mapping is set to inactive.

These are the configurations for my app client:
Screenshot 2023-09-06 at 10 10 42

harsh62 (Member) commented Sep 7, 2023

@anartzs Would you be able to share how this resource was created?

  • Manually or using CLI?

Also, would you be able to share the complete verbose logs? It would help understand the context.

anartzs (Author) commented Sep 8, 2023

I created this resource using the CLI, but as I have mentioned before, all the resources on that Amplify app were accidentally deleted, then recovered (some of them were protected against deletion and others had backups) and re-imported into the app (in this case using amplify import auth).

These are my verbose logs:


2023-09-09 01:00:13.200888+0200 MyApp[9064:1752498] [StarscreamAdapter] websocketDidReceiveMessage: - {"type":"ka"}
2023-09-09 01:00:13.201358+0200 MyApp[9064:1752498] [RealtimeConnectionProvider] Resetting stale connection timer
2023-09-09 01:00:13.201492+0200 MyApp[9064:1752498] [RealtimeConnectionProvider] received keepAlive
2023-09-09 01:00:20.110752+0200 MyApp[9064:1752498] [AuthenticationAWSAuthFederateToIdentityPoolTask] Starting execution
2023-09-09 01:00:20.110972+0200 MyApp[9064:1752498] [AuthenticationAWSAuthTaskHelper] Check if authstate configured
2023-09-09 01:00:20.111156+0200 MyApp[9064:1752498] [AuthenticationAWSAuthTaskHelper] Auth state configured
2023-09-09 01:00:20.111648+0200 MyApp[9064:1752498] [AuthenticationAWSAuthFederateToIdentityPoolTask] Waiting for federation to complete
2023-09-09 01:00:20.111703+0200 MyApp[9064:1752607] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InitializeFederationToIdentityPool.swift Starting execution
2023-09-09 01:00:20.111823+0200 MyApp[9064:1752607] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InitializeFederationToIdentityPool.swift Sending event FetchAuthSessionEvent.fetchAuthenticatedIdentityID
2023-09-09 01:00:20.111876+0200 MyApp[9064:1752606] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.federatingToIdentityPool" =         {
        };
        "AuthorizationState.federatingToIdentityPool" =         {
            "FetchSessionState.notStarted" =             {
            };
        };
    };
}
2023-09-09 01:00:20.112196+0200 MyApp[9064:1752498] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/FetchAu
2023-09-09 01:00:20.112216+0200 MyApp[9064:1752606] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.federatingToIdentityPool" =         {
        };
        "AuthorizationState.federatingToIdentityPool" =         {
            "FetchSessionState.fetchingIdentityID" =             {
            };
        };
    };
}
thIdentityId.swift Starting execution
2023-09-09T01:00:20+0200 info CognitoIdentityClient : [Logging] Request: POST https:443 
 Path: / 
 User-Agent: aws-sdk-swift/1.0 api/cognito-identity/1.0 os/iOS/16.4.0 lang/swift/5.8 lib/amplify-swift/2.15.2, 
Host: cognito-identity.eu-central-1.amazonaws.com, 
X-Amz-Target: AWSCognitoIdentityService.GetId, 
Content-Length: 867, 
Content-Type: application/x-amz-json-1.1, 
x-amz-user-agent: aws-sdk-swift/1.0 
 Optional([])
2023-09-09T01:00:20+0200 info SerialExecutor : [Logging] Creating connection pool for Optional("https://cognito-identity.eu-central-1.amazonaws.com/?")with max connections: 50
2023-09-09T01:00:20+0200 info CRTClientEngine : [Logging] Connection was acquired to: Optional("https://cognito-identity.eu-central-1.amazonaws.com/?")
2023-09-09 01:00:20.376940+0200 MyApp[9064:1752310] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/FetchAuthIdentityId.swift Sending event FetchAuthSessionEvent.throwError
2023-09-09 01:00:20.377286+0200 MyApp[9064:1752498] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InformSessionError.swift Starting execution
2023-09-09 01:00:20.377434+0200 MyApp[9064:1752498] [AuthenticationAWSCognitoAuthPlugin] AWSCognitoAuthPlugin/InformSessionError.swift Sending event AuthorizationEvent.receivedSessionError
2023-09-09 01:00:20.382611+0200 MyApp[9064:1752607] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.federatingToIdentityPool" =         {
        };
        "AuthorizationState.federatingToIdentityPool" =         {
            "FetchSessionState.error" =             {
                error = "AWSCognitoAuthPlugin.FetchSessionError.notAuthorized";
            };
        };
    };
}
2023-09-09 01:00:20.395792+0200 MyApp[9064:1752607] [AuthenticationAWSCognitoAuthPlugin] Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.error" =         {
            Error = "AWSCognitoAuthPlugin.AuthenticationError.service(message: \"Session error: notAuthorized\")";
        };
        "AuthorizationState.error" =         {
            Error = "AWSCognitoAuthPlugin.AuthorizationError.sessionError(AWSCognitoAuthPlugin.FetchSessionError.notAuthorized, noCredentials)";
        };
    };
}

anartzs (Author) commented Sep 19, 2023

Any updates on this issue?

@sebaland sebaland removed the pending-community-response Issue is pending response from the issue requestor label Sep 19, 2023
harsh62 (Member) commented Sep 21, 2023

@anartzs Unfortunately I have not been able to repro this issue on my local environment. I hope you are using Amplify CLI; if yes, would you be able to share a diagnosis report with us following this documentation and share the project identifier with us.

This way I can recreate the exact configuration and figure out what's going on.

anartzs (Author) commented Sep 25, 2023

@harsh62 here's my project identifier:

Project Identifier: 0b3c11fee77c27d2a25c60c6047bdb82

harsh62 (Member) commented Sep 26, 2023

@anartzs Thanks for providing the identifier. I will look into recreating the resources and get back to you. Appreciate your patience on this.

anartzs (Author) commented Oct 10, 2023

> @anartzs Thanks for providing the identifier. I will look into recreating the resources and get back to you. Appreciate your patience on this.

Any updates on this @harsh62?

atierian (Member) commented:

Hey @anartzs - I'm working on reproducing this and will get back to you with any updates or follow up questions shortly.
Thanks for your patience.

atierian (Member) commented Dec 8, 2023

@anartzs we're unable to reproduce this issue. Have you made any progress on your side?

@atierian atierian added the pending-community-response Issue is pending response from the issue requestor label Dec 8, 2023
@atierian atierian added the closing soon This issue will be closed in 7 days unless further comments are made. label Dec 11, 2023
@atierian atierian closed this as not planned Won't fix, can't repro, duplicate, stale Dec 15, 2023
@github-actions github-actions bot removed pending-community-response Issue is pending response from the issue requestor closing soon This issue will be closed in 7 days unless further comments are made. labels Dec 15, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
