Can Cognito Endpoint be changed without invalidating tokens?

[knellr]

We've been using the default endpont for our Cognito user pool but would like to start using a custom proxy endpoint (without changing the underlying pool).

When taking the naive approach of specifying the endpoint in the amplify config (below), the user appears to be logged out on launch (without any network calls being made).

                "CognitoUserPool": {
                    "Default": {
                        "Endpoint": "idp.example.com",
                        "PoolId": "eu-west-XXX",
                        "AppClientId": "XXX",
                        "Region": "eu-west-1"
                    }
                },

I'm not clear on exactly why this is but I'm guessing it's because the previously issued tokens have an issuer that is at https://cognito-idp.eu-west-1.amazonaws.com.

Is there any mechanism by which we can start using our new endpoint while retaining the validity of existing tokens / sessions?

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[harsh62]

@knellr Thanks for opening the issue, I will investigate and provide you an update soon.

[harsh62]

@knellr Would you be able to try session-dropping-endpoint-change branch via SPM and validate if this fixes your issue?

[knellr]

Thanks for the response. The issue persists with the new branch. I hit the following breakpoint:

I think I understand what's happening though: We recently removed auth.plugins.awsCognitoAuthPlugin.CredentialsProvider.CognitoIdentity from our configuration as we no longer use Pinpoint Analytics. The two changes together are causing an issue:

• Removing the identity provider -> User stays signed in
• Adding the endpoint (new branch) -> User stays signed in
• Removing the identity provider and adding the endpoint -> User is signed out

In our case, oldAuthConfigData != currentAuthConfig evaluates to true since the identity provider has been removed.

[harsh62]

@knellr I will discuss this internally within the team and let you know if we should skip identity config check when we have a valid user pool session.

We remove the keychain, because name spacing, sessions and tokens are tied to the both user pool and identity pool. Since now you are moving to just using user pool, the config thinks this is an entirely new config.

Internal state of credentials is:

• User Pool only
• Identity Pool only
• User Pool and Identity Pool

The current logic will remove the keychain if we try to move between these credential states.