Getting signed out while trying to sign in via Azure AD #12975

simha453 opened this issue Feb 7, 2024 · 20 comments
Labels: Auth, question, V5
@simha453

simha453 commented Feb 7, 2024

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

Older than v5

Amplify Categories

auth

Backend

None

Environment information

# Put output below this line
System:
    OS: Windows 10 10.0.19045
    CPU: (4) x64 Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz
    Memory: 8.20 GB / 15.89 GB
  Binaries:
    Node: 14.20.1 - C:\Program Files\nodejs\node.EXE     
    npm: 6.14.17 - C:\Program Files\nodejs\npm.CMD       
  Browsers:
    Edge: Chromium (121.0.2277.98)
    Internet Explorer: 11.0.19041.3636
  npmPackages:
    @azure/msal-browser: ^2.36.0 => 2.36.0
    @azure/msal-react: ^1.5.6 => 1.5.6
    @chakra-ui/cli: ^1.3.0 => 1.7.0
    @chakra-ui/react: ^1.6.0 => 1.7.4
    @deepstream/client: ^6.0.5 => 6.0.5
    @emotion/react: ^11.1.5 => 11.7.1
    @emotion/styled: ^11.3.0 => 11.6.0
    @fontsource/open-sans: ^4.2.2 => 4.5.2
    @fontsource/roboto: ^4.2.3 => 4.5.1
    @react-leaflet/core: ^1.0.2 => 1.0.2
    @syncfusion/ej2-react-gantt: ^19.4.56 => 19.4.56
    @syncfusion/ej2-react-grids: ^19.4.56 => 19.4.56
    @testing-library/jest-dom: ^5.12.0 => 5.16.1
    @testing-library/react: ^10.4.9 => 10.4.9
    @testing-library/user-event: ^12.8.3 => 12.8.3
    @types/react-select: ^4.0.15 => 4.0.18
    @typescript-eslint/eslint-plugin: ^5.33.0 => 5.33.0 (1.6.0, 4.33.0)
    @typescript-eslint/parser: ^5.33.0 => 5.33.0 (1.6.0, 4.33.0)
    ag-grid-base-icons:  1.0.0
    ag-grid-community: ^26.2.1 => 26.2.1
    ag-grid-enterprise: ^26.2.1 => 26.2.1
    ag-grid-react: ^26.2.0 => 26.2.0
    aws-amplify: ^4.2.9 => 4.3.12
    aws-sdk: ^2.893.0 => 2.1060.0
    axios: ^0.21.1 => 0.21.4
    connected-react-router: ^6.9.1 => 6.9.2
    crypto-js: ^4.0.0 => 4.1.1
    date-fns: ^2.21.1 => 2.28.0
    dotenv: ^8.2.0 => 8.6.0 (6.2.0, 8.2.0)
    eslint: ^8.21.0 => 8.21.0 (5.16.0, 7.32.0)
    eslint-config-airbnb: ^19.0.4 => 19.0.4
    eslint-config-prettier: ^8.5.0 => 8.5.0
    eslint-config-react-app: ^7.0.1 => 7.0.1 (4.0.1, 6.0.0)
    eslint-config-standard: ^17.0.0 => 17.0.0
    eslint-plugin-import: ^2.26.0 => 2.26.0 (2.16.0)
    eslint-plugin-n: ^15.2.4 => 15.2.4
    eslint-plugin-prettier: ^4.0.0 => 4.2.1
    eslint-plugin-promise: ^6.0.0 => 6.0.0
    eslint-plugin-react: ^7.30.1 => 7.30.1 (7.12.4)
    eslint-plugin-react-hooks: ^4.6.0-next-be229c565-20220613 => 4.6.0 (1.7.0)
    export-from-json: ^1.4.0 => 1.5.1
    face-api.js: ^0.22.2 => 0.22.2
    framer-motion: ^4.1.9 => 4.1.17
    frappe-gantt-react: ^0.2.2 => 0.2.2
    fusioncharts: ^3.17.0 => 3.18.0
    history: ^4.10.1 => 4.10.1
    html-to-image: ^1.11.11 => 1.11.11
    html2canvas: ^1.4.1 => 1.4.1
    husky: ^8.0.0 => 8.0.1
    js-xlsx-map: ^0.10.3 => 0.10.3
    jspdf: ^2.5.1 => 2.5.1
    leaflet: ^1.9.1 => 1.9.1
    lint-staged: ^11.0.0 => 11.2.6
    lodash: ^4.17.21 => 4.17.21
    memo-parser:  undefined (0.2.0)
    moment: ^2.29.1 => 2.29.1
    node-sass: ^5.0.0 => 5.0.0
    object-hash: ^3.0.0 => 3.0.0 (1.3.1)
    prettier: ^2.6.2 => 2.7.1
    pubnub: ^4.32.0 => 4.37.0
    pubnub-react: ^2.1.0 => 2.1.1
    qrcode.react: ^1.0.1 => 1.0.1
    react: ^17.0.2 => 17.0.2 (16.14.0)
    react-big-calendar: ^0.33.3 => 0.33.6
    react-countdown-clock: ^2.8.1 => 2.9.0
    react-data-export: ^0.6.0 => 0.6.0
    react-datepicker: ^4.1.0 => 4.6.0
    react-dom: ^17.0.2 => 17.0.2 (16.14.0)
    react-dropzone: ^11.3.4 => 11.5.1
    react-error-overlay: ^6.0.9 => 6.0.9
    react-event-timeline: ^1.6.3 => 1.6.3
    react-fusioncharts: ^3.1.2 => 3.1.2
    react-ga: ^3.3.0 => 3.3.0
    react-global-configuration: ^1.4.1 => 1.4.1
    react-google-maps: ^9.4.5 => 9.4.5
    react-gtm-module: ^2.0.11 => 2.0.11
    react-hook-form: ^7.3.4 => 7.24.2
    react-icons: ^4.6.0 => 4.6.0
    react-json-to-table: ^0.1.7 => 0.1.7
    react-keyboard-event-handler: ^1.5.4 => 1.5.4
    react-leaflet: ^3.1.0 => 3.1.0
    react-lodash: ^0.1.2 => 0.1.2
    react-mentions: ^4.3.0 => 4.3.1
    react-modern-calendar-datepicker: ^3.1.6 => 3.1.6
    react-moment: ^1.1.1 => 1.1.1
    react-phone-input-2: ^2.14.0 => 2.14.0
    react-query: ^3.13.12 => 3.34.8
    react-redux: ^7.2.4 => 7.2.6
    react-responsive-masonry: ^2.1.3 => 2.1.4
    react-router-dom: ^5.2.0 => 5.3.0
    react-scripts: ^4.0.3 => 4.0.3 (3.0.0)
    react-scrollbars-custom: ^4.0.25 => 4.0.27
    react-select: ^4.3.1 => 4.3.1
    react-select-async-paginate: ^0.6.0 => 0.6.1
    react-sound: ^1.2.0 => 1.2.0
    react-spinners: ^0.10.6 => 0.10.6
    react-tappable: ^1.0.4 => 1.0.4
    react-to-print: ^2.14.7 => 2.14.7
    react-toastify: ^9.0.1 => 9.0.1
    react-use: ^17.2.4 => 17.3.2
    redux: ^4.1.0 => 4.1.2
    redux-query: ^3.4.2 => 3.4.2
    use-deep-compare-effect: ^1.8.1 => 1.8.1
    uuidv4: ^6.2.7 => 6.2.12
    web-vitals: ^0.2.4 => 0.2.4
    xlsx: ^0.18.2 => 0.18.2

[Screenshot: outlok]

Describe the bug

Upon attempting to "login using Outlook" in Cognito, users encounter an unexpected logout screen instead of being redirected to the login page of Outlook. This issue arises specifically after logging out from the application, not from the Outlook platform itself.

Expected behavior

It should go to the login page of Outlook Azure AD.

Reproduction steps

[Screenshot: outlok]

Code Snippet

```js
// Put your code below this line.
import { Amplify, Auth, Hub } from 'aws-amplify'
// AWS SDK v2 (aws-sdk in the package list above) provides AWS.config and CognitoIdentityCredentials
import AWS from 'aws-sdk'

// isLocalhost() is an application helper that is not shown in this issue
const awsConfig = {
	Auth: {
		identityPoolId: `${process.env.REACT_APP_AD_IDENTITY_POOL_ID}`,
		region: `${process.env.REACT_APP_AWS_REGION}`,
		userPoolId: `${process.env.REACT_APP_AD_USER_POOL_ID}`,
		userPoolWebClientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
		oauth: {
			domain: `${process.env.REACT_APP_AD_DOMAIN_NAME}`,
			scope: ['email', 'openid'],
			redirectSignIn: isLocalhost()
				? 'http://localhost:3000/login'
				: process.env.REACT_APP_REDIRECT_SIGNIN_URL,
			redirectSignOut: isLocalhost()
				? 'http://localhost:3000/login'
				: process.env.REACT_APP_REDIRECT_SIGNOUT_URL,
			responseType: `${process.env.REACT_APP_AD_RESPONSE_TYPE}`,
			label: 'Log in with your company SSO',
			clientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
		},
	},
	Analytics: {
		disabled: true,
	},
}
Amplify.configure({ ...awsConfig, ssr: true })

const onSetOTPAwsConfig = async ({ idToken }) => {
	// Set the region where your identity pool exists (us-east-1, eu-west-1)
	AWS.config.region = process.env.REACT_APP_AWS_REGION
	// Configure the credentials provider to use your identity pool
	AWS.config.credentials = new AWS.CognitoIdentityCredentials({
		IdentityPoolId: process.env.REACT_APP_AD_IDENTITY_POOL_ID,
		Logins: {
			[`cognito-idp.ap-south-1.amazonaws.com/${process.env.REACT_APP_AD_USER_POOL_ID}`]:
				idToken.jwtToken,
		},
	})
}
```

We are calling Auth.federatedSignIn({ provider: 'AzureAD' }) once the button is clicked.

Log output

// Put your logs below this line


aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@simha453 simha453 added the pending-triage Issue is pending triage label Feb 7, 2024
@nadetastic nadetastic added the Auth Related to Auth components/category label Feb 7, 2024
@nadetastic nadetastic self-assigned this Feb 7, 2024
@nadetastic
Member

Hi @simha453 thank you for opening this issue. I'd like to clarify what you are experiencing - is this happening when:

  1. User signs out through - Auth.signOut()
  2. User tries to sign back in through - Auth.federatedSignIn({ provider: 'AzureAD' })
  3. They see the screenshot you shared above

Did I understand correctly?

@simha453
Author

simha453 commented Feb 8, 2024

The scenario is:
When the user tries to log in the first time, it works perfectly fine.
But when the user closes the tab or logs out, and tries to log in again by opening a new tab, the user gets this error page. Again the user has to close the tab and log in again.

@simha453
Author

simha453 commented Feb 8, 2024

> Hi @simha453 thank you for opening this issue. I'd like to clarify what you are experiencing - is this happening when:
>
>   1. User signs out through - Auth.signOut()
>   2. User tries to sign back in through - Auth.federatedSignIn({ provider: 'AzureAD' })
>   3. They see the screenshot you shared above
>
> Did I understand correctly?

The scenario is:
When the user tries to log in the first time, it works perfectly fine.
But when the user closes the tab or logs out, and tries to log in again by opening a new tab, the user gets this error page. Again the user has to close the tab and log in again.

@nadetastic nadetastic added V5 investigating This issue is being investigated labels Feb 13, 2024
@nadetastic
Member

@simha453 thanks for the clarification - it looks like the issue is on the Azure side where it looks like it's processing a sign out rather than a sign in. Are you able to reproduce this without using Amplify? Specifically, if you go to the Cognito Hosted UI and try to log in from there instead.

@simha453
Author

We tried the Cognito Hosted UI; it's logging in perfectly. The sign-out page is not coming up.

@simha453
Author

Any update on this ticket?

@simha453
Author

Looking for your reply. Any update on this ticket?

@nadetastic
Member

Hi @simha453 after looking at this a bit more, I'm a bit curious about how you are using the function you have defined as onSetOTPAwsConfig(). From looking at it, it looks like it is handling the identity pool credentials, which may be causing a conflict with what Amplify does for you under the hood.

Can you clarify what it does, and possibly remove it and see if you still experience this issue?

@simha453
Author

simha453 commented Mar 12, 2024

Here I am mentioning the complete code and the use of onSetOTPAwsConfig(), and I have removed it and tested; getting the same error.

```js
const [isError, setIsError] = useState(null)
const [view, setView] = useState(EMAIL_FORM_VIEW.EMAIL_VIEW)
const { mutate, isLoading } = useLoadOrganizationList()

const { dispatch } = useAuthContext()

const awsConfig = {
	Auth: {
		identityPoolId: `${process.env.REACT_APP_AD_IDENTITY_POOL_ID}`,
		region: `${process.env.REACT_APP_AWS_REGION}`,
		userPoolId: `${process.env.REACT_APP_AD_USER_POOL_ID}`,
		userPoolWebClientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
		oauth: {
			domain: `${process.env.REACT_APP_AD_DOMAIN_NAME}`,
			scope: ['email', 'openid'],
			redirectSignIn: isLocalhost()
				? 'http://localhost:3000/login'
				: process.env.REACT_APP_REDIRECT_SIGNIN_URL,
			redirectSignOut: isLocalhost()
				? 'http://localhost:3000/login'
				: process.env.REACT_APP_REDIRECT_SIGNOUT_URL,
			responseType: `${process.env.REACT_APP_AD_RESPONSE_TYPE}`,
			label: 'Log in with your company SSO',
			clientId: `${process.env.REACT_APP_AZURE_AD_WEB_NO_SECRETE_CLIENT_ID}`,
		},
	},
	Analytics: {
		disabled: true,
	},
}
Amplify.configure({ ...awsConfig, ssr: true })

const onSetOTPAwsConfig = async ({ idToken }) => {
	// Set the region where your identity pool exists (us-east-1, eu-west-1)
	AWS.config.region = process.env.REACT_APP_AWS_REGION
	// Configure the credentials provider to use your identity pool
	AWS.config.credentials = new AWS.CognitoIdentityCredentials({
		IdentityPoolId: process.env.REACT_APP_AD_IDENTITY_POOL_ID,
		Logins: {
			[`cognito-idp.ap-south-1.amazonaws.com/${process.env.REACT_APP_AD_USER_POOL_ID}`]:
				idToken.jwtToken,
		},
	})
}

const getUser = async () => {
	const { signInUserSession } = await Auth.currentAuthenticatedUser()
	console.log({ signInUserSession })
	if (signInUserSession?.idToken?.payload?.email) {
		sessionStorage.setItem(AUTH_SESSION_CHECK, true)
		sessionStorage.setItem(
			AUTH_SESSION_DATA,
			JSON.stringify(signInUserSession)
		)
		dispatch({
			type: loginConst.LOGIN,
			payload: signInUserSession,
		})
		setIsError(null)
		onValidationSuccess()
	} else {
		setIsError('Login Error')
	}
}

useEffect(() => {
	Hub.listen('auth', async ({ payload: { event, data } }) => {
		switch (event) {
			case 'signIn':
			case 'cognitoHostedUI':
				await onSetOTPAwsConfig(data.signInUserSession)
				await getUser()
				break
			case 'signOut':
				await Auth.signOut()
				break
			case 'signIn_failure':
			case 'cognitoHostedUI_failure':
				console.log('Sign in failure', data)
				break
			default:
				break
		}
	})

}, [])
```
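
Added example, not part of the thread or of Amplify's code: a stand-alone pre-flight check for an Auth config shaped like the one posted above. It flags values that `${process.env.…}` has turned into the string "undefined", a `Logins` key whose region or pool differs from `region`/`userPoolId`, and redirect URLs that are not HTTPS outside localhost. `checkAuthConfig` and all sample values are hypothetical.

```javascript
// Added example: checkAuthConfig and every sample value are hypothetical.
// It only inspects a config object; it never calls Amplify or the network.
function checkAuthConfig(auth, loginsKey) {
  const problems = []
  const oauth = auth.oauth || {}
  // `${process.env.X}` renders a missing variable as the string "undefined".
  const unset = (v) => v == null || ['', 'undefined', 'null'].includes(String(v).trim())
  const fields = {
    identityPoolId: auth.identityPoolId, region: auth.region,
    userPoolId: auth.userPoolId, userPoolWebClientId: auth.userPoolWebClientId,
    'oauth.domain': oauth.domain, 'oauth.responseType': oauth.responseType,
    'oauth.redirectSignIn': oauth.redirectSignIn, 'oauth.redirectSignOut': oauth.redirectSignOut,
  }
  for (const [name, value] of Object.entries(fields)) {
    if (unset(value)) problems.push(`${name} is unset`)
  }
  // User pool IDs are "<region>_<suffix>"; the Logins key must name the same region and pool.
  if (!unset(auth.userPoolId) && String(auth.userPoolId).split('_')[0] !== auth.region) {
    problems.push('userPoolId region differs from Auth.region')
  }
  const expectedKey = `cognito-idp.${auth.region}.amazonaws.com/${auth.userPoolId}`
  if (loginsKey !== expectedKey) problems.push(`Logins key should be ${expectedKey}`)
  if (!unset(oauth.responseType) && !['code', 'token'].includes(oauth.responseType)) {
    problems.push('oauth.responseType must be "code" or "token"')
  }
  // Amplify prepends https:// itself, so the domain is a bare host name (no scheme, no path).
  if (!unset(oauth.domain) && /[:/]/.test(oauth.domain)) {
    problems.push('oauth.domain must be a bare host name')
  }
  for (const key of ['redirectSignIn', 'redirectSignOut']) {
    if (unset(oauth[key])) continue
    let url
    try { url = new URL(oauth[key]) } catch { problems.push(`oauth.${key} is not an absolute URL`); continue }
    if (url.protocol !== 'https:' && url.hostname !== 'localhost') {
      problems.push(`oauth.${key} must use https outside localhost`)
    }
  }
  return problems
}
// Constructed sample: unset domain variable, hard-coded ap-south-1 in the Logins key.
const sampleAuth = {
  identityPoolId: 'eu-west-1:00000000-0000-0000-0000-000000000000',
  region: 'eu-west-1', userPoolId: 'eu-west-1_EXAMPLE', userPoolWebClientId: 'exampleclientid',
  oauth: { domain: `${undefined}`, responseType: 'code',
    redirectSignIn: 'http://localhost:3000/login', redirectSignOut: 'http://app.example.com/login' },
}
const sampleProblems = checkAuthConfig(sampleAuth, 'cognito-idp.ap-south-1.amazonaws.com/eu-west-1_EXAMPLE')
console.log(sampleProblems)
```

Running the check before `Amplify.configure()` in a development build surfaces these mismatches as messages instead of as a failed redirect.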

@sumitsahoo

sumitsahoo commented Mar 14, 2024

@nadetastic It is really a pain that AWS Amplify does not support Azure AD out of the box and we have to do workarounds. We are also implementing our company SSO and with v6 there has been a lot of change in APIs but no proper documentation.

BTW, do we know how to avoid the hosted UI? Also, if I have only one login option, i.e. via Azure AD, can I skip the hosted UI and directly redirect to MS login?

Resolved for me with #13119

@cwomack cwomack assigned cwomack and unassigned nadetastic Apr 4, 2024
@simha453
Author

Any update on this ticket?

@simha453
Author

Any update on this?

@cwomack
Member

cwomack commented Apr 17, 2024

@simha453 I'm not sure what you're trying to do with the sessionStorage part of your code, but that getUser() function may be messing with how Amplify is handling things out of the box. Similar to how you tried commenting out onSetOTPAwsConfig, can you see if commenting out/removing the getUser section (and where it's referenced in the Hub events) changes the behavior at all?

And out of curiosity, have you considered upgrading to a more recent version of Amplify? v5 would require less work than the newest v6, but both would offer some improvements and fixes!

@cwomack cwomack added question General question pending-response and removed investigating This issue is being investigated pending-triage Issue is pending triage labels Apr 17, 2024
@cwomack
Member

cwomack commented Apr 30, 2024

@simha453, wanted to ping again and see if you had a chance to review the above comment.

@simha453
Author

simha453 commented May 6, 2024

I have commented out the getUser section and upgraded to the latest versions, v5 and v6. I have tried both cases, but it is not working; I am getting the same error. Give me any proper solution for this bug.

@simha453
Author

Any update?

@simha453
Author

Any update?

@navv-christofer-flores

Any update? Or is there any config that we can set on the AD side?

@simha453
Author

simha453 commented Jul 5, 2024

Any update?

@simha453
Author

simha453 commented Sep 2, 2024

We have been waiting for a long time for your update. Give me an update on this ASAP.
