-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting IdToken causes TooManyRequestsException. #13973
Comments
Hello, @al-mcnichol 👋. If you've upgraded from v4 to v6, then there was likely a massive amount of changes that would be needed to get the API's functioning properly and avoid errors on the user side. Can you help me understand what documentation was followed, if you went literally from v4 straight to v6, etc.? While I see some issues with the v4/v5 API's in the code provided, I'm wondering if a sample repo would be more helpful here to ensure that we're updated and migrating the code properly across multiple files. |
@cwomack Thanks for responding. While we plan to do the upgrade, it was postponed due to the massive outage and business priorities. We're looking to try again at a later time. I'd like to focus on fixing the current version and not sure what else we can do to rectify it. You mind share the issues you see in the code and are they related to cause? We followed the migration document and to your point, there were quite a bit of changes. However, the upgrade was deployed to our lower environment and went through rigorous testing, both regression and manual. Of course we didn't catch the issue until we encounter traffic in PROD Also, I'm noticing the installed package version, namely |
@al-mcnichol, sorry to hear that you're experiencing these issues. We definitely recommend upgrading to v6 whenever you can, since that's the latest major version where we'll be providing bug fixes, feature improvements, etc. To help with that, the migration docs you linked would be the best place to start for getting from v5 (upgrading from v4 to v5 should be pretty quick/easy) to v6. Are you able to share your code within the v6, lower environment to see if we can identify any areas for improvement? And can you also resubmit the image or details of your network logs when this happens? We can't see the image in the initial description. For the final comment about v5 API's being used under the hood, that shouldn't be the case if you're only seeing v4.X in your
The above steps should be done any time you upgrade to a new major version as well. Thanks! |
@cwomack Are you saying this particular issue is fixed in v6 and recommending we upgrade to address it? If so, I'm not 100% comfortable, given our experience, as mentioned in the original description. As you said, it could be something we're uniquely doing wrong and I'd like to focus first on understanding the root cause and address it in our current version. Regarding the package-lock, this is our only time upgrading since v4. However, we discovered underlying applications that uses our web component are also loading Amplify, where we see occurrence of v5, even though their package version is v4 (same as ours). We're working to have Amplify installs removed on Apps that uses our web component. What is the best/easiest way to expose our code for review? Our internal gitHub is not accessible externally and wondering if there are particular snippets you'd like to review, if that make sense. Here is a zoomed version of the image I posted earlier. I didn't capture an image of the "TooManyRequestException", I was in panic mode when PROD was blowing up :) |
@al-mcnichol, thanks for the additional context. Can you provide us some clarity on how your application gets used when you say, "underlying applications that uses our web component are also loading Amplify"? Is it embedded in other applications then and you're running multiple instances of Amplify? Also, it sounds like you aren't on v6 then any longer and reverted back. But if you could share the code for v4/v5/v6 in a minimal sample repo (if not only share the frontend code that is causing issues), that might be needed. Just to be clear, we'd recommend anyone using Amplify to upgrade to v6 if possible... but anyone on v4 especially to upgrade to v5 at minimum to take advantages of the bug fixes, features, etc. Going from v4 to v5 should be an easy upgrade since the API's, imports, etc. won't change like they do in v6. |
@cwomack Thanks again for staying with me on this. Yes, we built our own custom UI Web component. The component is agnostic and used by several applications. We learned that one or more applications has as an instance of Amplify v4 installed. We figured it was the root cause when we upgraded the component to Amplify v6 but been able to verify/replicate the mentioned issue on v4. Yes, our goal is to upgrade to v6 but kind of stuck without knowing the root cause. I created a new repo and added you as a collaborator and you'll have access to the code once you accept the invite. Also, see branch " |
@al-mcnichol, can you clarify what the need or intent is for the loop here? I'm wondering if you're hitting the quota limit for Cognito for GetID as seen here. |
@cwomack Great call out! We added a Also, the link you posted to the code is on v6, which is not yet in production. see the difference but think the end result is the same based on the reason stated above. The quotas we are hitting are |
@al-mcnichol, if you're still experiencing these quot limit errors then it's likely tied to how the loop is being used along with the While forcing the refresh of tokens is OK in many situations, you don't want to be recursively calling those API's to the point where the rate limits with Cognito are hit. Can you help me understand why there's a need to do the loop like this? Can the |
Just to be clear, if you're looking to keep this logic then you can also reach out to Cognito to request a rate limit increase for the quotas that you're exceeding as an alternate way to work around this issue. |
For anyone else who encounters a similar error and is using AWS Amplify maps, see the (now resolved) issue here where maplibre-gl-js-amplify prior to version 3.0.2 can enter an infinite loop after credentials expire. |
@jcary741, just wanted to double check on the comment here. Were you also experiencing the "TooManyRequestsException" tied to Auth calls to Cognito? I see the Geo bug you referenced, but I think they are different root causes. |
Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue. Thank you! |
Before opening, please confirm:
JavaScript Framework
Web Components
Amplify APIs
Authentication
Amplify Version
Older than v5
Amplify Categories
auth
Backend
None
Environment information
Describe the bug
We upgraded v4 to v6 and within an hour started getting reports of users not being able to login. It turns out we had an overwhelming number of requests, surpassing our rate limit (120 request/sec), to Cognito, which in turn blocked the requests causing TooManyRequestsException.
We rolled back to v4 and through testing recognized the issue was there all along and somehow was exacerbated by the upgrade?
We can reproduce the issue in v4. It occurs when the refresh token expires and the library continually attempts to refresh the IdToken token from the server and we are therefore hitting the Cognito server hundreds of times, which causes us to be hit the rate limit.
For more context on reproducing the error – we login to the App and used AWS CLI (
aws cognito-idp revoke-token
) to revoke the refresh token. After some time any idToken request caused a network request to Cognito. The interesting part is that we’re listening fortokenRefresh_failure
event from the HUB and callingAuth.signOut()
, which triggers other code to remove any related cookies but the network requests continues.NOTE: The repeated requests for the idToken is because it's being saved to a cookie to support an old app that authenticates on the server and not through client technologies. The app is using our new Authentication web component, which is client-side.
Expected behavior
Once the user is logged out due to token refresh expiration or refresh error any request to refresh to ID or Access token should not cause a network request to Cognito
Reproduction steps
Code Snippet
Log output
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
The text was updated successfully, but these errors were encountered: