1
votes

In the iOS SDK (v2.4.8) I can't logout a user and then login as a different user correctly.

The (correct) cognitoIdentityId returned by AWS for the first user (since an app start) is also returned for the second user (unless the app is restarted). This gives access to the AWSCognitoDataset of one user by another.

I think this is because the iOS SDK has cached the id and the documented call to clear that cache doesn't fully work.

When logging in:

// one-off initialisation
self.credentialsProvider = AWSCognitoCredentialsProvider(regionType: AWSRegionType.USEast1,
                                                         identityPoolId: Constants.CognitoIdentityPoolId)
let configuration = AWSServiceConfiguration(region: AWSRegionType.USEast1,
                                            credentialsProvider: self.credentialsProvider)
AWSServiceManager.defaultServiceManager().defaultServiceConfiguration = configuration
…

// I get idToken from my external provider service (Auth0)
func doAmazonLogin(idToken: String, success: () -> (), _ failure: (NSError) -> ()) {
    var task: AWSTask?

    // Initialize clients for a new idToken (first login, or the token changed)
    if self.credentialsProvider?.identityProvider.identityProviderManager == nil
        || idToken != Application.sharedInstance.retrieveIdToken() {
        let logins = [Constants.CognitoIDPUrl: idToken]
        task = self.initializeClients(logins)
    } else {
        // Use existing clients, but drop any cached STS credentials first
        self.credentialsProvider?.invalidateCachedTemporaryCredentials()
        task = self.credentialsProvider?.getIdentityId()
    }

    // Make login
    task!.continueWithBlock { (task: AWSTask!) -> AnyObject! in
        if task.error != nil {
            failure(task.error!)
        } else {
            // the task result will contain the identity id
            let cognitoId: String? = task.result as? String
            self.customIdentityProviderManager!.addToken(Constants.CognitoIDPUrl, value: idToken)
            // Store Cognito token in keychain
            Application.sharedInstance.storeCognitoToken(cognitoId)
            success()
        }
        return nil
    }
}

func initializeClients(logins: [NSObject: AnyObject]?) -> AWSTask? {
    // Create identity provider manager with logins
    let manager = CustomIdentityProviderManager(tokens: logins!)
    // Keep a reference so addToken() in doAmazonLogin can update the same manager
    self.customIdentityProviderManager = manager
    self.credentialsProvider?.setIdentityProviderManagerOnce(manager)
    return self.credentialsProvider?.getIdentityId()
}

When logging out:

// Clear ALL saved values for this provider (identityId, credentials, logins). [docs][1]
let keychain = A0SimpleKeychain(service:"…")
keychain.clearAll()

I've also tried adding:

credentialsProvider!.clearCredentials()
credentialsProvider!.clearKeychain()

Is anyone using the AWS iOS SDK and has coded logout successfully such that a new user can login cleanly?

There is the oddly named method credentialsProvider.setIdentityProviderManagerOnce() - I can't find this documented, but its name suggests that it should only be called once per session. But if keychain.clearAll() removes logins then one would need to call setIdentityProviderManagerOnce each time a new user logs in, in order to set up logins each time.


1 Answer

0
votes

Can you describe your login/logout flow a bit more? Cognito doesn't support multiple logins from the same provider per identity, so it sounds like, unless you're using multiple, it isn't actually changing the identity.

In any case, have you tried the clearKeychain method on the credentials provider? It's largely for use cases like this - clearing everything.
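As an added example (it is not code from either post, nor the SDK's own sample code), here is one way to structure the login/logout pair so that the identity provider manager is handed to the credentials provider exactly once, as the name setIdentityProviderManagerOnce suggests, while logout clears every cached value the answer refers to. The manager serves whatever external token is current, so the SDK's refresh path always sees the logged-in user's login (or none after logout) without the manager being replaced. The Swift 2 call style and the Constants.CognitoIdentityPoolId / Constants.CognitoIDPUrl placeholders follow the question; the class names, the completion-handler shape and the use of AWSCognito.defaultCognito().wipe() from the Cognito Sync client to drop locally cached datasets are assumptions of this example.

```swift
import Foundation
import AWSCore
import AWSCognito

// Added example, not the poster's code. Assumes an identity pool in us-east-1
// and an external (Auth0) token keyed by Constants.CognitoIDPUrl.

/// Holds the external token of the user who is currently logged in. It is
/// passed to the credentials provider once; the SDK calls logins() on every
/// identity/credential refresh, so token changes are picked up without
/// replacing the manager.
final class SwitchableIdentityProviderManager: NSObject, AWSIdentityProviderManager {
    private let providerKey: String
    private var idToken: String?

    init(providerKey: String) {
        self.providerKey = providerKey
    }

    func setToken(idToken: String?) {
        self.idToken = idToken
    }

    // AWSIdentityProviderManager requirement: no token means no logins,
    // i.e. an unauthenticated request rather than the previous user's login.
    func logins() -> AWSTask {
        guard let token = idToken else {
            return AWSTask(result: NSDictionary())
        }
        return AWSTask(result: [providerKey: token])
    }
}

/// Login/logout pair; logout clears every cached artefact of the previous
/// user so the next login cannot inherit their identityId (and datasets).
final class CognitoSession {
    private let manager: SwitchableIdentityProviderManager
    let credentialsProvider: AWSCognitoCredentialsProvider
    private(set) var currentIdentityId: String?

    init(identityPoolId: String, providerKey: String) {
        manager = SwitchableIdentityProviderManager(providerKey: providerKey)
        // Manager is supplied exactly once, at construction.
        credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1,
                                                            identityPoolId: identityPoolId,
                                                            identityProviderManager: manager)
        let configuration = AWSServiceConfiguration(region: .USEast1,
                                                    credentialsProvider: credentialsProvider)
        AWSServiceManager.defaultServiceManager().defaultServiceConfiguration = configuration
    }

    /// Resolve the Cognito identityId for a fresh external token.
    func login(idToken: String, completion: (String?, NSError?) -> ()) {
        manager.setToken(idToken)
        // Any STS credentials minted for the previous token must not be reused.
        credentialsProvider.invalidateCachedTemporaryCredentials()
        credentialsProvider.getIdentityId().continueWithBlock { task -> AnyObject! in
            if let error = task.error {
                completion(nil, error)
            } else {
                let identityId = task.result as? String
                self.currentIdentityId = identityId
                completion(identityId, nil)
            }
            return nil
        }
    }

    /// Clear in-memory credentials, the provider's keychain entries
    /// (identityId, credentials, logins) and the locally cached datasets.
    func logout() {
        manager.setToken(nil)
        credentialsProvider.clearCredentials()   // in-memory STS credentials
        credentialsProvider.clearKeychain()      // identityId, credentials, logins
        AWSCognito.defaultCognito().wipe()       // cached Cognito Sync datasets (assumed in use)
        currentIdentityId = nil
    }
}

// Usage sketch: log user A in, log out, log user B in, and compare the ids.
let session = CognitoSession(identityPoolId: Constants.CognitoIdentityPoolId,
                             providerKey: Constants.CognitoIDPUrl)
session.login(tokenForUserA) { idA, _ in
    session.logout()
    session.login(tokenForUserB) { idB, _ in
        // With the caches cleared, two distinct provider tokens must not map
        // to the same identityId; if they do, state from user A survived logout.
        precondition(idA == nil || idA != idB, "identityId leaked across logout")
    }
}
```

The check at the end is the one worth keeping in a test build: after logout and a login with a different external identity, the returned identityId must differ from the previous one, otherwise the previous user's keychain state was not actually cleared and their datasets remain reachable.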