clientMetadata is Not Passed to Custom Auth Triggers via Auth.signIn

[emmavray]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

System: OS: macOS 13.6.3 CPU: (12) arm64 Apple M2 Pro Memory: 140.42 MB / 16.00 GB Shell: 5.9 - /bin/zsh Binaries: Node: 18.17.1 - /usr/local/bin/node Yarn: 1.22.19 - ~/.npm-global/bin/yarn npm: 9.6.7 - /usr/local/bin/npm Browsers: Chrome: 120.0.6099.109 Safari: 17.2 npmPackages: @aws-amplify/adapter-nextjs: ^1.0.8 => 1.0.8 @aws-amplify/adapter-nextjs/api: undefined () @aws-amplify/adapter-nextjs/data: undefined () aws-amplify: ^6.0.8 => 6.0.8 aws-amplify/adapter-core: undefined () aws-amplify/analytics: undefined () aws-amplify/analytics/kinesis: undefined () aws-amplify/analytics/kinesis-firehose: undefined () aws-amplify/analytics/personalize: undefined () aws-amplify/analytics/pinpoint: undefined () aws-amplify/api: undefined () aws-amplify/api/server: undefined () aws-amplify/auth: undefined () aws-amplify/auth/cognito: undefined () aws-amplify/auth/cognito/server: undefined () aws-amplify/auth/server: undefined () aws-amplify/datastore: undefined () aws-amplify/in-app-messaging: undefined () aws-amplify/in-app-messaging/pinpoint: undefined () aws-amplify/push-notifications: undefined () aws-amplify/push-notifications/pinpoint: undefined () aws-amplify/storage: undefined () aws-amplify/storage/s3: undefined () aws-amplify/storage/s3/server: undefined () aws-amplify/storage/server: undefined () aws-amplify/utils: undefined () aws-appsync-auth-link: ^3.0.7 => 3.0.7 aws-appsync-subscription-link: ^3.1.2 => 3.1.2 react: ^18.2.0 => 18.2.0 typescript: 5.2.2 => 5.2.2 ... npmGlobalPackages: typescript: 5.2.2 yarn: 1.22.19 ...

Describe the bug

When calling signIn with a authFlowType of CUSTOM_WITHOUT_SRP, the clientMetadata provided in the options object is not passed to the custom auth triggers (custom-auth-create, custom-auth-define).

My use case is passwordless login via a custom flow. I call signIn with { password: undefined } and a custom authFlowType, and rely on the challenge to authenticate the user. However, multi-tenancy is a requirement of my application and I need some sort of custom metadata to determine which organization a user is signing into.

Expected behavior

If clientMetadata is provided to the signIn request, it should be sent along to the trigger(s) involved in the sign in process.

This may be a bug or expected behavior in Cognito itself, but since Amplify provides the ability to send clientMetadata I'd expect it to be passed along. Also note that the Create Auth Challenge trigger docs specify that clientMetadata is available.

Reproduction steps

1. Call signIn with a authFlowType of CUSTOM_WITHOUT_SRP, and provide clientMetadata
2. This clientMetadata will never be passed along to the custom auth triggers

Code Snippet

  async function getOneTimeCode(username: string) {
    await signIn({
      username,
      password: undefined,
      options: {
        authFlowType: 'CUSTOM_WITHOUT_SRP',
        clientMetadata: {
          someField: 'some-example-data',
        },
      }
    });
  }

Log output

Create Auth Challenge Lambda event (custom-auth-create), missing clientMetadata:

{
    "version": "1",
    "region": "us-west-2",
    "userPoolId": "us-west-......",
    "userName": "786...f8ed",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "7g...2r"
    },
    "triggerSource": "CreateAuthChallenge_Authentication",
    "request": {
        "userAttributes": {
            "sub": "78...1d",
            "cognito:email_alias": "[email protected]",
            "cognito:user_status": "CONFIRMED",
            "email_verified": "true",
            "phone_number_verified": "false",
            "phone_number": "+1...1",
            "email": "[email protected]"
        },
        "challengeName": "CUSTOM_CHALLENGE",
        "session": []
    },
    "response": {
        "publicChallengeParameters": null,
        "privateChallengeParameters": null,
        "challengeMetadata": null
    }
}

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hello, @emmavray and sorry to hear you're running into this issue. When the signIn API is called from the Amplify side with a custom Auth setup, the library is only going to make a single request to Cognito's InitiateAuth API Action. This means that the clientMetadata won't be passed (more info on that here). As such, this won't necessarily be a feature request or bug on the Amplify side because this would essentially be expected behavior.

You might be able to implement a workaround where you call signIn and then immediately call confirmSignIn with a "dummy" answer and pass the clientMetadata in that call... but would likely need some modifications done to the custom auth flow lambdas if you did this.

[cwomack]

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!

[rossicler-hostalky]

Hi, this is something I'm looking into as well and wanted to know if there's any other workaround for it. I see you mentioned calling confirmSignIn right away with dummy answer to pass the clientMetadata which should work as well, but it seems weird to do that.

I tried using PreAuthentication trigger, but this trigger doesn't get called with a custom authentication. I know this is not an issue with library, and more of a limitation on cognito api, but I wonder if there's no other clean way to get this information to custom challenge triggers.

[fomson]

Looking for this to work too.

clientMetadata and validationData objects do go to the Pre Sign-up trigger when passed from the front end via the signUp API...
Is there a way to pass clientMetadata and validationData objects from Pre Sign-up trigger to the Define auth challenge and/or Create auth challenge triggers?

@cwomack

clientMetadata object does not go to triggers even from the signIn API... 😬

Should the signIn API not take in validationData? it should and then pass it to the Pre authentication trigger?..
According to this: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html

Custom authentication challenge Lambda triggers: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html

These seem related:
#4439
#6731