Tokens with Invalid JSON payloads #13593

Closed
3 tasks done
alexhddev opened this issue Jul 13, 2024 · 4 comments
Assignees
Labels
Auth Related to Auth components/category question General question

@alexhddev

Before opening, please confirm:

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

# Put output below this line


System:
OS: Windows 10 10.0.19045
CPU: (8) x64 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz
Memory: 20.56 GB / 31.88 GB
Binaries:
Node: 20.10.0 - C:\Program Files\nodejs\node.EXE
npm: 10.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Chromium (126.0.2592.87)
Internet Explorer: 11.0.19041.4355
npmGlobalPackages:
@angular/cli: 17.0.5
aws-cdk: 2.148.0
generator-code: 1.8.0
npm: 10.5.0
ts-node: 10.9.1
typescript: 5.3.3
vsce: 2.15.0
yo: 5.0.0

Describe the bug

The tokens provided by Amplify have an invalid payload and can't be used.
Code to generate the tokens:

import { signIn, fetchAuthSession } from "@aws-amplify/auth";
import { Amplify } from "aws-amplify";

Amplify.configure({
    Auth: {

        Cognito: {
            userPoolId: "MyUserPoolId",
            userPoolClientId: "MyUserPoolClientId",
        },
    },
});

async function main(){
    await signIn({
        username: "MyUsername",
        password: "MyPassword",
        options: {
            authFlowType: "USER_PASSWORD_AUTH",
        }
    });

    const { idToken } = (await fetchAuthSession()).tokens ?? {};
 
    console.log(idToken?.toString());
    
}

main();

The code works without error, but the provided idToken (and also the access token) is invalid and cannot be used - the app returns not authorized when used.
Checking the token on JWT.io, I can see that it has an invalid payload.
Example token:

Expected behavior

The generated tokens should have a valid JSON payload and be usable.

Reproduction steps

  1. Init npm project
  2. Install aws amplify: "aws-amplify": "^6.3.8",
  3. Run the specified code.

Important note: The issue appears randomly. On one account the generated tokens are valid, on another the generated tokens have an invalid payload.

Code Snippet

// Put your code below this line.
import { signIn, fetchAuthSession } from "@aws-amplify/auth";
import { Amplify } from "aws-amplify";

Amplify.configure({
    Auth: {

        Cognito: {
            userPoolId: "MyUserPoolId",
            userPoolClientId: "MyUserPoolClientId",
        },
    },
});

async function main(){
    await signIn({
        username: "MyUsername",
        password: "MyPassword",
        options: {
            authFlowType: "USER_PASSWORD_AUTH",
        }
    });

    const { idToken } = (await fetchAuthSession()).tokens ?? {};
 
    console.log(idToken?.toString());
    
}

main();

Log output

// Put your logs below this line


aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@alexhddev alexhddev added the pending-triage Issue is pending triage label Jul 13, 2024
@cwomack cwomack self-assigned this Jul 15, 2024
@cwomack cwomack added the Auth Related to Auth components/category label Jul 15, 2024
@cwomack
Member

cwomack commented Jul 16, 2024

Hey, @alexhddev and sorry to hear you're running into this. We've been trying to reproduce this on our side, but we're unable to reproduce an issue with the JSON payloads using both the code snippets you've provided for (we're assuming) Node.js for the main function as well as normal usage of fetchAuthSession().

Are you doing anything to modify the token content by chance? Or are you able to provide more reproduction details if not a minimal sample repo for this? Thanks.

@cwomack cwomack added question General question pending-response and removed pending-triage Issue is pending triage labels Jul 16, 2024
@alexhddev
Author

Unfortunately, this issue is very hard to reproduce (on one AWS account it works, on another it doesn't) and most likely, it's a back-end issue, not an Amplify issue. The invalid tokens can also be generated using only the AWS console. I don't know what steps to take from now.

@cwomack
Member

cwomack commented Sep 6, 2024

@alexhddev, do you have any pre-token generation Lambda trigger hooks that are modifying the JWT in any way? Also, can you clarify which AWS console you're able to create the invalid tokens in?

@cwomack cwomack added pending-response pending-community-response Issue is pending a response from the author or community. and removed pending-response labels Sep 6, 2024
@cwomack
Member

cwomack commented Oct 22, 2024

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!

@cwomack cwomack closed this as not planned Won't fix, can't repro, duplicate, stale Oct 22, 2024
@github-actions github-actions bot removed the pending-community-response Issue is pending a response from the author or community. label Oct 22, 2024
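
A local version of the JWT.io check described in the issue, so a live token never has to be pasted into a third-party site. This is an added example, not code from the issue or from Amplify; the helper names `decodeSegment` and `inspectJwt` and all token values are constructed for illustration. It reports which stage (base64url, UTF-8 or JSON) a header or payload segment fails at, and it does not verify the signature.

```javascript
// Added example: structural check only, the signature is NOT verified here.
const b64url = (s) => Buffer.from(s, "utf8").toString("base64url");

// Decode one JWT segment and report exactly where decoding fails.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    return { ok: false, error: "not base64url" };
  }
  const bytes = Buffer.from(segment, "base64url");
  let text;
  try {
    // fatal: true rejects byte sequences that are not valid UTF-8
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch {
    return { ok: false, error: "not valid UTF-8" };
  }
  try {
    const value = JSON.parse(text);
    const isObject = value !== null && typeof value === "object" && !Array.isArray(value);
    return isObject ? { ok: true, value } : { ok: false, error: "JSON is not an object" };
  } catch (e) {
    return { ok: false, error: "invalid JSON: " + e.message };
  }
}

// Split a compact JWT and check that header and payload are JSON objects.
function inspectJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    return { wellFormed: false, error: `expected 3 segments, got ${parts.length}` };
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  return { wellFormed: header.ok && payload.ok, header, payload };
}

// Constructed sample tokens (not from the issue); "sig" stands in for a signature.
const sampleHeader = b64url(JSON.stringify({ alg: "RS256", kid: "constructed-key" }));
const goodToken = `${sampleHeader}.${b64url(JSON.stringify({ sub: "constructed-user", token_use: "id" }))}.sig`;
const truncatedToken = `${sampleHeader}.${b64url('{"sub":"constructed-user","email":')}.sig`;

for (const [name, t] of [["good", goodToken], ["truncated", truncatedToken]]) {
  const r = inspectJwt(t);
  console.log(name, r.wellFormed, r.payload.ok ? r.payload.value : r.payload.error);
}
```

Passing the string printed by `idToken?.toString()` to `inspectJwt` shows whether the payload segment itself is malformed or whether the token only fails later, at signature or claim validation.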