Blank error in custom database script with amazon-cognito-identity-js

Problem statement

After configuring a Custom Database connection with Import Mode On that connects to AWS Cognito with amazon-cognito-identity-js the Login script returns an empty error object during testing:

{}

What does this error mean and how can it be resolved?

Symptoms

The following line in the Login Script is returning an empty object as the error message when it hits the ‘onFailure’ method:

new AmazonCognitoIdentity.CognitoUser(userData).authenticateUser

Steps to reproduce

  1. Create a custom database connection in Auth0 and enable Import Mode.
  2. Use the following login script. You will need to update the redacted config values after creating a Cognito User Pool in step 3.
function login(username, password, callback) {
  console.log("login");
  // Auth0 custom database scripts pin module versions with the name@version syntax.
  global.fetch = require('node-fetch@2.6.0');
  var AmazonCognitoIdentity = require('amazon-cognito-identity-js@3.0.14');
  var poolData = {
    UserPoolId: 'REDACTED',
    ClientId: 'REDACTED'
  };
  var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);

  var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
    Username: username,
    Password: password
  });
  var userData = {
    Username: username,
    Pool: userPool
  };
  var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
  cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
      console.log("RESULT: " + JSON.stringify(result));
      var idTokenPayload = result.getIdToken().payload;
      var profile = {
        user_id: idTokenPayload.sub,
        email: idTokenPayload.email,
        email_verified: false
      };
      // Note: `result` contains the id, access and refresh tokens; this log line
      // writes them to the Real-time Webtask Logs. Useful while reproducing, but
      // remove it before using the script in production.
      console.log("before callback: " + JSON.stringify({ result, idTokenPayload, profile }));
      callback(null, profile);
    },
    onFailure: function (err) {
      // JSON.stringify only emits enumerable own properties, and an Error's
      // `message` and `stack` are non-enumerable, so an Error instance is logged as {}.
      console.log("ERROR: " + JSON.stringify(err));
      return callback(new WrongUsernameOrPasswordError(err));
    }
  });
}
  3. Create a user pool in AWS Cognito. When you create an App client as a part of this process, make sure that the App client is NOT configured to have a client secret.
  4. Create a user in the AWS Cognito user pool.
  5. Update the Confirmation Status of each user you create from “Force change password” to “Confirmed” before attempting the first login to Auth0 from the custom database connection; otherwise the login fails with the error “callback.newPasswordRequired is not a function.” You can do that with the following AWS CLI command:
aws cognito-idp admin-set-user-password --user-pool-id REDACTED --region REDACTED --username REDACTED --password NEWPASSWORD --permanent
  6. To reproduce the blank error, configure the User Pool to require MFA. When you do so, you should be able to open the user record in Cognito and see “MFA Active”.

  7. Use the Try Connection button from your custom database connection in Auth0 to log in for the first time with one of your test users. Use the Real-time Webtask Logs Extension to view the console.log output from your login script and see:
    ERROR: {}
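The following is an added example, not the original login script or code from the amazon-cognito-identity-js project. It shows two things the reproduction above relies on: why an Error instance is logged as `{}` by `JSON.stringify`, and how to give `authenticateUser` a handler for every challenge it can raise so that an MFA or password-change challenge fails closed with a readable message instead of an empty error. The callback names `mfaRequired`, `totpRequired` and `mfaSetup`, the `code` property on Cognito service errors, and the `fakeAuthenticateUser` stand-in are assumptions made for the example; only `newPasswordRequired` and `onFailure` appear on this page.

```javascript
// Added example, not the original login script: shows why a Cognito failure can be
// logged as "{}" and how to serialise and handle it so the cause is visible.

// JSON.stringify emits only enumerable own properties. Error's `message` and
// `stack` are non-enumerable, so any Error instance stringifies to "{}".
function serializeError(err) {
  if (err === null || typeof err !== 'object') {
    return { name: 'NonError', message: String(err), code: null };
  }
  return {
    name: err.name || 'Error',
    message: err.message || '',
    // Cognito service errors carry a `code` such as NotAuthorizedException
    // (assumption about the library's error shape; null when absent).
    code: typeof err.code === 'string' ? err.code : null,
  };
}

// Callbacks for CognitoUser.authenticateUser. Besides onSuccess/onFailure the
// library invokes challenge callbacks (newPasswordRequired as seen on the page;
// mfaRequired/totpRequired/mfaSetup are assumed from its callback interface).
// Each one fails closed with a descriptive error instead of being left undefined,
// which would surface as "callback.X is not a function".
function buildAuthCallbacks(callback, log) {
  const fail = (reason) => {
    const info = serializeError(reason);
    log('ERROR: ' + JSON.stringify(info));
    // Inside Auth0 this would be `new WrongUsernameOrPasswordError(...)`;
    // a plain Error keeps the example runnable outside the Auth0 sandbox.
    callback(new Error(info.code ? info.code + ': ' + info.message : info.message));
  };
  const challenge = (name) => () =>
    fail(new Error(name + ': challenge cannot be completed by a custom database script'));
  return {
    onSuccess: (result) => {
      const payload = result.getIdToken().payload;
      // Never log `result` itself: it contains the id, access and refresh tokens.
      log('LOGIN OK sub=' + payload.sub);
      callback(null, {
        user_id: payload.sub,
        email: payload.email,
        email_verified: payload.email_verified === true,
      });
    },
    onFailure: fail,
    newPasswordRequired: challenge('NEW_PASSWORD_REQUIRED'),
    mfaRequired: challenge('MFA_REQUIRED'),
    totpRequired: challenge('SOFTWARE_TOKEN_MFA'),
    mfaSetup: challenge('MFA_SETUP'),
  };
}

// Constructed stand-in for authenticateUser: routes to the callback the real
// library would pick for each pool state, so the handlers can be exercised offline.
function fakeAuthenticateUser(poolState, callbacks) {
  if (poolState === 'mfa') return callbacks.mfaRequired('SMS_MFA', {});
  if (poolState === 'force-change-password') return callbacks.newPasswordRequired({}, []);
  if (poolState === 'bad-password') {
    const e = new Error('Incorrect username or password.');
    e.code = 'NotAuthorizedException';
    return callbacks.onFailure(e);
  }
  return callbacks.onSuccess({
    getIdToken: () => ({
      payload: { sub: 'constructed-sub', email: 'user@example.com', email_verified: true },
    }),
  });
}

// Run one login attempt against the fake and return what the script would have
// logged and passed to Auth0's callback.
function attempt(poolState) {
  const out = { logs: [], error: null, profile: null };
  const callbacks = buildAuthCallbacks((err, profile) => {
    out.error = err ? err.message : null;
    out.profile = profile || null;
  }, (line) => out.logs.push(line));
  fakeAuthenticateUser(poolState, callbacks);
  return out;
}

function main() {
  console.log('Error stringifies to:', JSON.stringify(new TypeError('boom')));
  for (const state of ['mfa', 'force-change-password', 'bad-password', 'ok']) {
    console.log(state, JSON.stringify(attempt(state)));
  }
}

main();
```

With the MFA state the log line reads `ERROR: {"name":"Error","message":"MFA_REQUIRED: ...","code":null}` rather than `ERROR: {}`, which is what you want to see in the Real-time Webtask Logs when deciding whether the pool's MFA setting is the cause.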

Solution

To resolve this issue, disable MFA in the Cognito User Pool.
