Get OIDC Provider's issued token in Amplify Auth

[nilyin]

Is this related to a new or existing framework?

React, Vue

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

i want to have possibility to request security token issued by 3rd party OIDC provider from Amplify Auth js object. I need this for my browser based amplify app to be able to call OIDC provider API directly for its services. I use Amplify v.5 API now and my OIDC user signin is working fine, but I cannot enable user to access the provider's services after it. After OIDC flow initialization with

Auth.federatedSignIn({
              customProvider: 'github',
              options: {
                scope: ['repo']
              }

i get session object as below, but it has only idToken and accessToken issed by Cognito which cannot be used in https request to OIDC provider's API:

const handleAuthEvent = async (event, data) => {
 if (['signIn', 'tokenRefresh', 'cognitoHostedUI', 'federatedSignIn'].includes(event)) {
     const session = await Auth.currentSession({ bypassCache: true });
  }
}
 

Does Amplify v.6 API support this use-case or not? Or maybe Gen2 API does?

Describe the solution you'd like

I want solution of this problem, ideally Auth object could provide method Auth.currentOidcToken() . Or session, received as const session = await Auth.currentSession({ bypassCache: true }); could have an "oidc" property keeping that token.

Describe alternatives you've considered

alternative cases under consideration are:

1. initiate oidc session with provider directly from the amplify app (without Cognito) - cons: no good as I have to store "security_key" in browser client
2. create Lambda function (which has security_key) to initiate OIDC flow and return token - cons: this is not leveraging my OIDC provider setup mage in Cognito userPool and used for SignIn case, this is complex to implement, each function for each OIDC probably, security should be thought additinally.

Additional context

example of Amplify application, which needs such feature is a banking app or hosted git (github) app, where i want enable a user to login with one of its banks account (or git providers) and then, after being authenticated, allow the user to access some services like payments, history check (or repository creation and pushing files - in github case)

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

[cwomack]

Hello, @nilyin 👋 and thanks for opening this. While this particular auth flow of getting an access token from the external OIDC provider is not currently supported, I'd like to better understand your use case here. Cognito won't be aware of the authorization grants for the 3rd party API's based on the tokens exchanged, but do you have other client side libraries such as Data, Storage, etc. that are dependent on the existing User Pool or Identity Pool? And are you using a Github or OAuth app as part of this flow?

[nilyin]

@cwomack hi, in my current setup I use "authorized GitHub OAuth app" form my Amplify vue js application connected through custom OIDC mediator gateway/proxy (AWS Lambda + API gateway). I thing it is the same as "Github app" as far as authentication flow is concerned. I can use any app type if needed as have no constrains here. I can connect directly, but in my particular case I use custom proxy in front of Github. I need this gateway because Github doesn't complient to OIDC spec, supported in Cognito UserPool list of providers types. So I've configured OIDC in Cognito UserPool and my app OIDC sign-in works fine and all OIDC authorized users can access any Amplify provided services (like Storage or Appsync) without any problems.

The problem involved is different: I want my user to make authentication with Github (directly or through my custom connector) with a goal to further access allowed github services (not Amplify / AWS services). Based on Github documentation client app can request a Github auth session token for requested 'scope' by sending "Github OAuth app's" id and security key (after user has authorized my app and the app received a tmp code from github), which I don't want to keep in my browser-based app.

So, I am thinking that it will be quite easy to support my use-case (i saw many other similar requests) with minimal upgrade in Amplify / Cognito configuration, because:

1. Cognito userpool for my app already has "github" OIDC provider, configured for my "GitHub OAuth app" with URLs, app id and security key
2. Cognito (userpool OIDC provider) has issued for my app a custom domain url for callback requests and actually exchanges code for Github auth token there

It means Cognito does actually receive the OIDC provider auth token but for some reason (may be security?) not passing it further to an Amplify Auth's session object. This OIDC token is not sent along with mapped standard and custom OIDC attributes (like github user id i get). So I think the decision of inclusion of oidc provider's token into Auth's session can be given to developer by: "include OIDC token" check-box in OIDC provider's settings form in cognito userpool

[cwomack]

@nilyin, thank you for explaining the intended use case so thoroughly. Just to reiterate, the ability to access the OIDC provider's (GitHub in this case) token directly through Amplify Auth isn't supported right now. Storing and managing the third-party tokens directly may also create some security concerns, but we'll keep this feature request open to track this use case and provide a spot for the community to upvote and comment.

In the meantime, a potential workaround (that would better align with Cognito's best practices for security) would be to configure your Cognito User Pool's Lambda triggers to capture specific GitHub user attributes during the authentication flow. You can include these attributes in the tokens provided by Cognito during the federation/Auth flow, allowing you access to what's needed from each user. The Lambda would need to handle the Github API interactions, but the Cognito tokens would still be used to authenticate/authorize the service API's.

[cwomack]

Also wanted to address the questions regarding v6 and Gen 2 in a separate comment. We highly recommend upgrading to v6 of Amplify to take advantage of the many features, bug fixes, and more. The Gen 2 Developer Experience will only work with the v6 API's as well, but the API functionality between Gen 1 and Gen 2 when using v6 would be the same.

We're also working on migration tooling and improvements to the developer experience to help with migrations from Gen 1 to Gen 2, but we'll share more on that soon. Depending on things like how many users are currently using your app, how much time you're looking to spend migrating to Gen 2, etc., the recommendation there may differ. If you haven't had a chance to see or use it yet, check out the launch blog post for Gen 2 as well as Getting Started guide.