[Auth] Not playing nice with CloudWatch RUM - errors about enhanced flow #9704

Closed
3 tasks done
ffxsam opened this issue Mar 15, 2022 · 4 comments
Labels
Auth Related to Auth components/category duplicate If marked with duplicate, issue will be closed & original will be added for traceability feature-request Request a new feature good first issue Good for newcomers

Comments

@ffxsam
Contributor

ffxsam commented Mar 15, 2022

Before opening, please confirm:

JavaScript Framework

Vue

Amplify APIs

Authentication

Amplify Categories

auth

Environment information


  System:
    OS: macOS 11.6.4
    CPU: (12) x64 Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
    Memory: 15.18 GB / 64.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 14.18.1 - ~/.volta/tools/image/node/14.18.1/bin/node
    Yarn: 3.0.2 - ~/.volta/tools/image/yarn/1.22.17/bin/yarn
    npm: 6.14.15 - ~/.volta/tools/image/node/14.18.1/bin/npm
    Watchman: 2022.02.28.00 - /usr/local/bin/watchman
  Browsers:
    Brave Browser: 91.1.26.74
    Chrome: 99.0.4844.51
    Firefox: 97.0.1
    Safari: 15.3
  npmPackages:
    @aws-sdk/client-evidently: ^3.53.0 => 3.53.0 
    @aws-sdk/client-lambda: ^3.53.0 => 3.53.0 
    @aws-sdk/client-s3: ^3.53.0 => 3.53.0 (3.6.1)
    @aws-sdk/lib-storage: ^3.53.0 => 3.53.0 
    @casl/ability: ^5.4.3 => 5.4.3 
    @casl/ability/extra:  undefined ()
    @casl/vue: ^1.2.3 => 1.2.3 
    @chargebee/chargebee-js-vue-wrapper: ^0.2.2 => 0.2.2 
    @sentry/browser: ^6.18.0 => 6.18.0 
    @sentry/cli: ^1.73.0 => 1.73.0 
    @sentry/vue: ^6.18.0 => 6.18.0 
    @sentry/webpack-plugin: ^1.18.8 => 1.18.8 
    @types/canvas-confetti: ^1.4.2 => 1.4.2 
    @types/debug: ^4.1.7 => 4.1.7 
    @types/hls.js: ^1.0.0 => 1.0.0 
    @types/jest: ^24.9.1 => 24.9.1 
    @types/lodash.clonedeep: ^4 => 4.5.6 
    @types/lodash.debounce: ^4.0.6 => 4.0.6 
    @types/lodash.isequal: ^4 => 4.5.5 
    @types/lodash.throttle: ^4.1.6 => 4.1.6 
    @types/lodash.uniq: ^4 => 4.5.6 
    @types/nprogress: ^0.2.0 => 0.2.0 
    @types/safe-json-stringify: ^1.1.2 => 1.1.2 
    @types/sortablejs: ^1 => 1.10.7 
    @types/tinycolor2: ^1 => 1.4.3 
    @types/uuid: ^8.3.1 => 8.3.1 
    @types/validator: ^13.6.3 => 13.6.3 
    @types/yt-player: ^3.5.1 => 3.5.1 
    @types/zxcvbn: ^4.4.1 => 4.4.1 
    @typescript-eslint/eslint-plugin: ^4.33.0 => 4.33.0 
    @typescript-eslint/parser: ^4.33.0 => 4.33.0 
    @vue/cli-plugin-babel: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-e2e-cypress: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-eslint: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-pwa: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-router: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-typescript: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-unit-jest: ~4.5.15 => 4.5.15 
    @vue/cli-plugin-vuex: ~4.5.15 => 4.5.15 
    @vue/cli-service: ~4.5.15 => 4.5.15 
    @vue/eslint-config-standard: ^5.1.2 => 5.1.2 
    @vue/eslint-config-typescript: ^7.0.0 => 7.0.0 
    @vue/test-utils: ^1.3.0 => 1.3.0 
    apexcharts: ^3.33.1 => 3.33.1 
    aws-amplify: ^4.3.14 => 4.3.14 
    aws-sdk: ^2.1082.0 => 2.1082.0 
    axios: ^0.26.0 => 0.26.0 (0.21.4)
    camelcase-keys: ^7.0.2 => 7.0.2 (6.2.2)
    canvas-confetti: ^1.5.1 => 1.5.1 
    change-case: ^4.1.2 => 4.1.2 
    core-js: ^3.21.1 => 3.21.1 (3.12.1, 2.6.12, 3.20.2)
    date-fns: ^2.28.0 => 2.28.0 (1.30.1)
    date-fns-tz: ^1.3.0 => 1.3.0 
    debug: ^4.3.3 => 4.3.3 (4.3.2, 3.2.7, 2.6.9, 3.2.6)
    dev:  1.0.0 
    eslint: ^6.8.0 => 6.8.0 
    eslint-plugin-import: ^2.25.4 => 2.25.4 
    eslint-plugin-node: ^11.1.0 => 11.1.0 
    eslint-plugin-promise: ^4.3.1 => 4.3.1 
    eslint-plugin-standard: ^4.1.0 => 4.1.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 
    example:  0.1.0 
    filesize: ^8.0.7 => 8.0.7 (3.6.1)
    friendly-challenge: ^0.9.0 => 0.9.0 
    graphql-tag: ^2.12.6 => 2.12.6 
    hls.js: ^1.1.5 => 1.1.5 (1.0.3)
    keycode: ^2.2.1 => 2.2.1 
    lint-staged: ^9.5.0 => 9.5.0 
    lodash.clonedeep: ^4.5.0 => 4.5.0 
    lodash.debounce: ^4.0.8 => 4.0.8 
    lodash.isequal: ^4.5.0 => 4.5.0 
    lodash.throttle: ^4.1.1 => 4.1.1 
    lodash.uniq: ^4.5.0 => 4.5.0 
    logrocket: ^2.2.0 => 2.2.0 
    logrocket-vuex: 0.0.3 => 0.0.3 
    nprogress: ^0.2.0 => 0.2.0 
    peaks.js:  0.27.0 
    plyr: ^3.6.12 => 3.6.12 
    prettier: ^2.5.1 => 2.5.1 (1.19.1)
    quill-paste-smart: ^1.4.9 => 1.4.9 
    register-service-worker: ^1.7.2 => 1.7.2 
    safe-json-stringify: ^1.2.0 => 1.2.0 
    sass: 1.32.0 => 1.32.0 
    sass-loader: ^8.0.2 => 8.0.2 
    snakecase-keys: ^5.1.2 => 5.1.2 
    sortablejs: ^1.14.0 => 1.14.0 
    tinycolor2: ^1.4.2 => 1.4.2 
    typescript: ~4.5.5 => 4.5.5 
    userpilot: ^1.2.5 => 1.2.5 
    uuid: ^8.3.2 => 8.3.2 (3.4.0, 3.3.2)
    validator: ^13.7.0 => 13.7.0 
    vue: ^2.6.14 => 2.6.14 (2.6.12)
    vue-apexcharts: ^1.6.2 => 1.6.2 
    vue-chartjs: ^3.5.1 => 3.5.1 
    vue-cli-plugin-vuetify: ~2.4.5 => 2.4.5 
    vue-linkify: ^1.0.1 => 1.0.1 
    vue-meta: ^2.4.0 => 2.4.0 
    vue-quill-editor: ^3.0.6 => 3.0.6 
    vue-router: ^3.5.3 => 3.5.3 
    vue-smooth-dnd: ^0.8.1 => 0.8.1 
    vue-template-compiler: ^2.6.14 => 2.6.14 
    vuetify: ^2.6.3 => 2.6.3 
    vuetify-loader: ^1.7.3 => 1.7.3 
    vuex: ^3.6.2 => 3.6.2 
    vuex-persistedstate: ^4.1.0 => 4.1.0 
    yt-player: ^3.5.0 => 3.5.0 
    zxcvbn: ^4.4.2 => 4.4.2 
  npmGlobalPackages:
    npm: 6.14.15

Describe the bug

We're using CloudWatch RUM (installed as described in the docs), and it doesn't seem to work with Amplify Auth.

For full details, see AWS support ticket 9710165501.

The following errors are occurring:

POST https://cognito-identity.us-east-1.amazonaws.com/
400 Bad Request

Request:

{"IdentityId":"us-east-1:xx"}

Response:

{
  "__type": "InvalidParameterException",
  "message": "Basic (classic) flow is not enabled, please use enhanced flow."
}

POST https://sts.us-east-1.amazonaws.com/
400 Bad Request
Request: RoleArn=arn%3Aaws%3Aiam%3A%3Axx%3Arole%2Fprod-microservices-core-AuthIdentityPoolUnauthRole-1D5RV3V8X33VO&RoleSessionName=cwr&WebIdentityToken=undefined&Action=AssumeRoleWithWebIdentity&Version=2011-06-15
Response:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)</Message>
  </Error>
  <RequestId>4f2dd743-033b-4024-8989-45545413cae3</RequestId>
</ErrorResponse>

My identity pool does not have basic flow enabled, so I assume this means it's using enhanced flow which is what I want. The AWS support person had this to say:

As discussed by my colleague earlier and upon further investigation of HAR, it is evident that your application code/amplify is triggering basic flow API calls for which the identity pool is not enabled. Below is the HAR flow for your reference, where you can see once the response for GetId was sent, GetOpenIdToken API call was executed.

As you have already said that you want to use enhanced flow, something which is also default with CloudWatch RUM & Cognito integration; you need to fix your code so that it only triggers these two API calls viz. GetId and GetCredentialsForIdentity as discussed for example here - https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/modules/_aws_sdk_credential_provider_cognito_identity.html#fromcognitoidentitypool-1

Expected behavior

I'd expect Amplify Auth to work with CloudWatch RUM out of the box.

Reproduction steps

See above

Code Snippet

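// Amplify auth setup
import { Auth } from 'aws-amplify';

Auth.configure({
  // Cognito identity pool used to obtain AWS credentials
  identityPoolId: process.env.VUE_APP_AWS_IDENTITY_POOL_ID,
  region: process.env.VUE_APP_AWS_REGION,
  // Cognito user pool and app client used for sign-in
  userPoolId: process.env.VUE_APP_AWS_USER_POOL_ID,
  userPoolWebClientId: process.env.VUE_APP_AWS_USER_POOL_CLIENT_ID,
  mandatorySignIn: true,
});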

@chrisbonifacio chrisbonifacio self-assigned this Mar 16, 2022
@chrisbonifacio chrisbonifacio added Auth Related to Auth components/category pending-triage Issue is pending triage labels Mar 16, 2022
@chrisbonifacio chrisbonifacio added the good first issue Good for newcomers label Mar 23, 2022
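
The flow check the support engineer describes doing by hand on the HAR, as an added example (not code from the issue or from Amplify): it reads the `X-Amz-Target` header of Cognito Identity requests and the `Action` form field of STS requests to tell basic flow from enhanced flow. The sample HAR, account ID and role name are constructed.

```javascript
// Added example: classify the Cognito credential flow recorded in a HAR capture.
// Basic flow:    GetId -> GetOpenIdToken -> STS AssumeRoleWithWebIdentity
// Enhanced flow: GetId -> GetCredentialsForIdentity
const BASIC_ONLY = new Set(['GetOpenIdToken', 'AssumeRoleWithWebIdentity']);
const ENHANCED_ONLY = new Set(['GetCredentialsForIdentity']);

// Return { op, form } for Cognito Identity / STS requests, or null for anything else.
function operationOf(request) {
  const host = new URL(request.url).hostname;
  const form = new URLSearchParams((request.postData && request.postData.text) || '');
  if (host.startsWith('cognito-identity.')) {
    // Cognito Identity names the operation in X-Amz-Target: "AWSCognitoIdentityService.GetId"
    const t = (request.headers || []).find((h) => h.name.toLowerCase() === 'x-amz-target');
    return t ? { op: t.value.split('.').pop(), form } : null;
  }
  if (host.startsWith('sts.') && form.get('Action')) return { op: form.get('Action'), form };
  return null;
}

function classifyFlow(har) {
  const ops = [];
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const hit = operationOf(request);
    if (!hit) continue;
    ops.push(hit.op);
    const token = hit.form.get('WebIdentityToken');
    if (hit.op === 'AssumeRoleWithWebIdentity' && (!token || token === 'undefined')) {
      findings.push('AssumeRoleWithWebIdentity sent without a usable WebIdentityToken');
    }
    if (response.status >= 400) findings.push(`${hit.op} returned HTTP ${response.status}`);
  }
  const basic = ops.some((o) => BASIC_ONLY.has(o));
  const enhanced = ops.some((o) => ENHANCED_ONLY.has(o));
  const flow = basic && enhanced ? 'mixed' : basic ? 'basic' : enhanced ? 'enhanced' : 'unknown';
  return { flow, ops, findings };
}

// Constructed sample (not the reporter's HAR); account ID and role name are placeholders.
const entry = (url, target, text, status) => ({
  request: { url, headers: target ? [{ name: 'X-Amz-Target', value: target }] : [], postData: { text } },
  response: { status },
});
const COGNITO = 'https://cognito-identity.us-east-1.amazonaws.com/';
const SAMPLE_HAR = { log: { entries: [
  entry(COGNITO, 'AWSCognitoIdentityService.GetId', '{"IdentityPoolId":"us-east-1:xx"}', 200),
  entry(COGNITO, 'AWSCognitoIdentityService.GetOpenIdToken', '{"IdentityId":"us-east-1:xx"}', 400),
  entry('https://sts.us-east-1.amazonaws.com/', null,
    'RoleArn=arn%3Aaws%3Aiam%3A%3A111122223333%3Arole%2FExampleUnauthRole&RoleSessionName=cwr' +
    '&WebIdentityToken=undefined&Action=AssumeRoleWithWebIdentity&Version=2011-06-15', 400),
] } };
console.log(classifyFlow(SAMPLE_HAR));
```

A result of `basic` or `mixed` against an identity pool that only allows enhanced flow means some client on the page is still issuing `GetOpenIdToken`.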
@abdallahshaban557
Contributor

@ffxsam - we meet again! We are working on adding support for Cloudwatch RUM with Amplify. I might reach out soon for us to talk about your ask here!

@tannerabread tannerabread added feature-request Request a new feature and removed pending-triage Issue is pending triage labels Oct 14, 2022
@cwomack cwomack self-assigned this Jun 5, 2023
@correaricardo

Same problem here. Is there a workaround?

@Can-Sahin

Can-Sahin commented Jan 16, 2024

Whenever I wanna use something new from AWS, amplify just kills it for me. Same problem here.

Quick fix for me. I enabled basic flow in identity pool and set allowCookies: false in rum-client and it works

@cwomack
Member

cwomack commented May 24, 2024

For anyone that is following this issue, we will be consolidating the context and feedback detailed here into issue #13336 to better focus our efforts on an implementation strategy for improving CloudWatch support in v6. Please leave any additional context or feedback on that issue, and follow it for further updates on progress as we make it!

@cwomack cwomack added the duplicate If marked with duplicate, issue will be closed & original will be added for traceability label May 24, 2024
@cwomack cwomack removed their assignment May 24, 2024
@cwomack cwomack closed this as not planned May 24, 2024