Blank error in custom database script with amazon-cognito-identity-js

Problem statement

A Custom Database connection with Import Mode on that authenticates against AWS Cognito with amazon-cognito-identity-js returns a blank error:

{}

Symptoms

new AmazonCognitoIdentity.CognitoUser(userData).authenticateUser invokes the onFailure callback with an error that logs as {}.

Steps to reproduce

  1. Create a custom database connection in Auth0 and enable Import Mode.
  2. Use the following login script. You will need to update the redacted config values after creating a Cognito User Pool in step 3.
function login(username, password, callback) {
  console.log("login");
  // Auth0 custom database scripts pin module versions with the name@version syntax.
  global.fetch = require('node-fetch@2.6.0');
  var AmazonCognitoIdentity = require('amazon-cognito-identity-js@3.0.14');
  var poolData = {
    UserPoolId: 'REDACTED',
    ClientId: 'REDACTED'
  };
  var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);

  var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
    Username: username,
    Password: password
  });
  var userData = {
    Username: username,
    Pool: userPool
  };
  var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
  // Only onSuccess and onFailure are supplied; the SDK's other challenge
  // callbacks (newPasswordRequired, mfaRequired, ...) are not handled here.
  cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
      console.log("RESULT: " + JSON.stringify(result));
      var idTokenPayload = result.getIdToken().payload;
      var profile = {
        user_id: idTokenPayload.sub,
        email: idTokenPayload.email,
        email_verified: false
      };
      console.log("before callback: " + JSON.stringify({ result, idTokenPayload, profile }));
      callback(null, profile);
    },
    onFailure: (function (err) {
      // JSON.stringify of an Error object yields {} because its properties are non-enumerable.
      console.log("ERROR: " + JSON.stringify(err));
      return callback(new WrongUsernameOrPasswordError(err));
    })
  });
}
  3. Create a user pool in AWS Cognito. When you create an App client as part of this process, make sure that the App client is NOT configured to have a client secret.
  4. Create a user in the AWS Cognito user pool.
  5. Update the Confirmation Status of the users you create from “Force change password” to “Confirmed” before attempting the first login to Auth0 from the custom database connection; otherwise the login fails with the error “callback.newPasswordRequired is not a function.” You can do that with the following command:
aws cognito-idp admin-set-user-password --user-pool-id REDACTED --region REDACTED --username REDACTED --password NEWPASSWORD --permanent
  6. To reproduce the blank error, configure the User Pool to require MFA. When you do so, you should be able to open the user record in Cognito and see “MFA Active”.

  7. Use the Try Connection button from your custom database connection in Auth0 to log in for the first time with one of your test users. Use the Real-time Webtask Logs Extension to view the console.logs from your login script and see ERROR: {}.

Solution

Disable MFA in the Cognito User Pool.
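Whatever the pool's MFA setting, the login script can report why the SDK declined the login instead of logging {}. The following is an added example, not the original script from this article: it builds the callback object for cognitoUser.authenticateUser() with an explicit handler for each challenge, and assumes the callback names (onSuccess, onFailure, newPasswordRequired, mfaRequired, totpRequired) as documented for amazon-cognito-identity-js v3.

```javascript
// Added example, not the page's original script: builds the callback object for
// cognitoUser.authenticateUser() so each challenge the SDK can raise is handled
// explicitly and reported with a readable reason instead of "{}".
function describeError(err) {
  // JSON.stringify(new Error('x')) gives "{}" (message/stack are non-enumerable).
  if (!err) return 'unknown error';
  var code = err.code || err.name || 'Error';
  return code + ': ' + (err.message || String(err));
}

// `done` is the login script's callback(err, profile); `log` is console.log in Auth0.
function buildAuthCallbacks(done, log) {
  log = log || function () {};
  function fail(reason) {
    log('ERROR: ' + reason);
    // Fail closed: an unmet challenge is a login failure, never a success.
    return done(new Error(reason)); // in the Auth0 script, use WrongUsernameOrPasswordError
  }
  return {
    onSuccess: function (result) {
      var claims = result.getIdToken().payload;
      return done(null, {
        user_id: claims.sub,
        email: claims.email,
        email_verified: claims.email_verified === true // mirror Cognito's own state
      });
    },
    onFailure: function (err) { return fail(describeError(err)); },
    newPasswordRequired: function () {
      return fail('NEW_PASSWORD_REQUIRED: user is still in "Force change password" state');
    },
    mfaRequired: function (challengeName) {
      return fail(challengeName + ': user pool requires MFA, which this script cannot complete');
    },
    totpRequired: function (challengeName) {
      return fail(challengeName + ': user pool requires TOTP MFA, which this script cannot complete');
    }
  };
}

// Drop-in login() for the Auth0 custom database script; only runs when Auth0 calls it.
function login(username, password, callback) {
  global.fetch = require('node-fetch@2.6.0');
  var AmazonCognitoIdentity = require('amazon-cognito-identity-js@3.0.14');
  var pool = new AmazonCognitoIdentity.CognitoUserPool({ UserPoolId: 'REDACTED', ClientId: 'REDACTED' });
  var user = new AmazonCognitoIdentity.CognitoUser({ Username: username, Pool: pool });
  var details = new AmazonCognitoIdentity.AuthenticationDetails({ Username: username, Password: password });
  user.authenticateUser(details, buildAuthCallbacks(callback, console.log));
}
```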