Custom HTTP headers in Amplify Auth (signInWithSocialWebUI) #2714

Open

nadetastic opened this issue Feb 14, 2024 · 1 comment
Labels
auth Related to the Auth category/plugins feature-request Request a new feature

Comments

@nadetastic

Language and Async Model

Not applicable

Amplify Categories

Authentication

Describe the feature request

Amplify Auth social sign-in operations, e.g. signInWithSocialWebUI, should support passing custom HTTP headers or parameters. In this use case, the custom HTTP headers are needed since the OAuth/HostedUI provider endpoints are proxied via a 3rd-party service (Akamai) which implements bot protection that works by requiring a custom header "x-acf-sensor-data" to be included with the request. The initial request (/authorize) seems to work fine; however, requests to /token seem to be blocked since the custom header is not present.


@tylerjroach (Contributor) commented Feb 14, 2024

We will have to further investigate the approach. I'm not sure this custom header will be allowed by the Custom Tab as it is not on the approved list of headers.

See here: https://developer.chrome.com/docs/android/custom-tabs/howto-custom-tab-request-headers

The proxy URL would have to be owned by the customer and configured with a digital asset link: https://developer.chrome.com/docs/android/custom-tabs/howto-custom-tab-request-headers#set_up_digital_asset_links

There are 2 additional endpoints to consider.

  1. {domain}/oauth2/token to exchange the token for AWSCredentials. If we were able to build out the options for signInWithWebUI to allow custom headers, it would be feasible to add the headers to this request as well.
  2. When refreshing tokens, Amplify will directly hit Cognito endpoints using the Kotlin SDK. There is no mechanism to inject custom headers into these requests, nor change the endpoint.

I'm not sure how the first /authorize call would work, unless the customer is able to get the cookie by completing a captcha through the CustomTab. However, whatever cookies are granted while inside of the custom tab will not be available to the client application to make the subsequent token call.

A potential solution would require the cookie header to be present at the initial signInWithWebUI method call.
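As an added illustration of the Custom Tab constraint described in the comment above (this is not Amplify's code, and the plugin exposes no such hook today): launching the /authorize URL in a Custom Tab with extra request headers, gated on the browser confirming the Digital Asset Links relationship, and flagging up front which headers would otherwise be stripped. The URL, the `x-acf-sensor-data` value and the `onUnverified` callback are placeholders.

```kotlin
import android.app.Activity
import android.net.Uri
import android.os.Bundle
import android.provider.Browser
import androidx.browser.customtabs.CustomTabsCallback
import androidx.browser.customtabs.CustomTabsClient
import androidx.browser.customtabs.CustomTabsIntent
import androidx.browser.customtabs.CustomTabsService
import androidx.browser.customtabs.CustomTabsSession

// CORS-safelisted request headers: the only ones a Custom Tab forwards to an
// origin that has NOT verified the calling app through Digital Asset Links.
private val CORS_SAFELISTED = setOf("accept", "accept-language", "content-language", "content-type")

// Headers the browser will strip unless the origin is verified. Checking this
// before launch avoids debugging a silently rejected /authorize request later.
fun headersNeedingVerification(headers: Map<String, String>): Set<String> =
    headers.keys.filterTo(mutableSetOf()) { it.lowercase() !in CORS_SAFELISTED }

// Launches authorizeUrl in a Custom Tab with extra headers, but only after the
// browser confirms that authorizeUrl's origin lists this app in its
// /.well-known/assetlinks.json (RELATION_USE_AS_ORIGIN).
fun launchAuthorizeWithHeaders(
    activity: Activity,
    client: CustomTabsClient,      // from CustomTabsClient.bindCustomTabsService(...)
    authorizeUrl: Uri,             // placeholder, e.g. https://auth.example.com/oauth2/authorize?...
    headers: Map<String, String>,  // e.g. mapOf("x-acf-sensor-data" to "<placeholder payload>")
    onUnverified: (Set<String>) -> Unit,
) {
    var session: CustomTabsSession? = null
    val callback = object : CustomTabsCallback() {
        override fun onRelationshipValidated(relation: Int, requestedOrigin: Uri, result: Boolean, extras: Bundle?) {
            val blocked = headersNeedingVerification(headers)
            if (!result && blocked.isNotEmpty()) {
                // Verification failed: the non-safelisted headers would never reach the proxy.
                onUnverified(blocked)
                return
            }
            val extraHeaders = Bundle().apply { headers.forEach { (k, v) -> putString(k, v) } }
            val customTab = CustomTabsIntent.Builder(session).build()
            customTab.intent.putExtra(Browser.EXTRA_HEADERS, extraHeaders)
            customTab.launchUrl(activity, authorizeUrl)
        }
    }
    client.warmup(0)
    val newSession = client.newSession(callback) ?: return
    session = newSession
    newSession.validateRelationship(CustomTabsService.RELATION_USE_AS_ORIGIN, authorizeUrl, null)
}
```

This covers only the browser leg; the /oauth2/token exchange and the refresh calls go through the SDK's own HTTP client, which the comment above notes has no header hook.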

@tylerjroach tylerjroach added the feature-request Request a new feature label Feb 14, 2024
@tjleing tjleing added the auth Related to the Auth category/plugins label Feb 17, 2024