Disable "CloudFront" using "DevelopmentMode" true, causes "redirect_mismatch" errors #254
Comments
Hey - can you explain what URL you tried to sign-in from? Additionally, can you elaborate on what use case you're trying to address with DeveloperMode? DeveloperMode is intended to make development on the application easier, and is /not/ intended for production deployment. It weakens a whole range of security features, and changes to it may be drastic / non-backwards compatible. Ideally, we'd find a way of supporting your case without DeveloperMode.
The url is the /login. "DeveloperMode" was the only way to disable the CloudFront creation.
Sorry, I wasn't clear before; what domain are you on? Are you using the S3 domain? At its core, there are sort of three ingress points to the application; the (S3 or CloudFront) domain hosting the website, the Cognito User Pool, and the API Gateway API. If you stand the stack up in developer mode, you get an S3 domain instead of a CloudFront domain. Were you planning on securing the S3 website bucket via the aws:sourceVPC condition and using a VPC endpoint? If so, the API Gateway API will also need to be secured (perhaps via making the API into a private API). However, this will likely break the Cognito hosted sign-on experience (the S3 website likely won't be able to redirect to the Cognito sign-on URL and vice versa). This might require configuring an internet gateway? Additionally, for any sensitive developer portal, the User Pool should probably be secured to prevent external users from being able to self-register from outside the VPC. This can be configured as documented in the README here.
I am hitting this error too in DevelopmentMode. I created a new stack with dev mode true, deployed and hit the S3 hosted URL. Now when I click on the SignIn or Register buttons, I get the error in the original post above.
@markcarroll Are you using development mode in an attempt to get the developer portal working in a VPC, or for another reason?
No, I just wanted to play with customizing the portal with faster iterations than CloudFront allows for.
Note, this also happens if you run dev-portal locally, so there seems to currently be no way to work on this product without using CloudFront, which makes it practically impossible to test. EDIT: I finally got this working locally. You need to go to "App Client Settings" in Cognito and add
Hmm. How did you deploy it? This section of the template should set the callback and sign out URLs correctly. Since it's a custom resource, I have a theory; did you stand up the stack first w/CF (not in development mode), then update it to development mode? It looks like the custom resource doesn't take the developmentMode stack parameter as an input, so it probably didn't update when you swapped from non-development mode to development mode.
Yes that is exactly what I did. Switched to development mode after first deployment. I also noticed that removing the
I see! I'll leave this issue open to track the fix, now that I understand the issue. Thanks for the bug report!
@markcarroll Thanks! This worked for me as well.
This issue is fixed as of v3.0.2.
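
The mismatch diagnosed in the thread above (callback and sign-out URLs written for the CloudFront domain, then left unchanged after the switch to development mode) can be checked offline against the `CallbackURLs` and `LogoutURLs` lists that `aws cognito-idp describe-user-pool-client` returns. This is an added example, not the project's code; the function names, hosts and paths are constructed placeholders, not the portal's real values.

```python
from urllib.parse import urlsplit


def diagnose(uri, registered):
    """Say whether `uri` is registered and, if not, which near-miss exists."""
    if uri in registered:  # Cognito accepts only an exact string match
        return "match"
    want = urlsplit(uri)
    hints = []
    for url in registered:
        have = urlsplit(url)
        if (have.scheme, have.netloc) == (want.scheme, want.netloc):
            # Right host, wrong path or query (trailing slash, index.html, ...)
            hints.append(f"same origin, different path: {url}")
        elif (have.path, have.query) == (want.path, want.query):
            # Right path on another host: the list was written for a
            # different hosting mode and never refreshed.
            hints.append(f"stale origin: {have.scheme}://{have.netloc}")
    return "redirect_mismatch (" + ("; ".join(hints) or "no related entry") + ")"


def audit_app_client(client, site_origin, login_path, logout_path):
    """Check the URLs the site will send against one app client's settings.

    `client` has the shape of the UserPoolClient object in the
    describe-user-pool-client response.
    """
    return {
        "CallbackURLs": diagnose(site_origin + login_path,
                                 client.get("CallbackURLs", [])),
        "LogoutURLs": diagnose(site_origin + logout_path,
                               client.get("LogoutURLs", [])),
    }


# Constructed sample: an app client still holding the CloudFront URLs after
# the site moved to an S3 domain. Hosts and paths are made up.
CF = "https://d111111abcdef8.cloudfront.net"
S3 = "https://dev-portal-bucket.s3.us-east-1.amazonaws.com"
LOGIN, LOGOUT = "/index.html?action=login", "/index.html?action=logout"
STALE_CLIENT = {"CallbackURLs": [CF + LOGIN], "LogoutURLs": [CF + LOGOUT]}

if __name__ == "__main__":
    for field, verdict in audit_app_client(STALE_CLIENT, S3, LOGIN, LOGOUT).items():
        print(field, "->", verdict)
```

A "stale origin" verdict points at the situation described in the thread: the URL list belongs to a previous hosting mode and needs to be rewritten for the current site domain.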
We would like to have the ability to deploy the developer portal with access through Direct Connect or within a VPC.
The current setup uses CloudFront, which is not desirable in every situation.
Setting the "DevelopmentMode" flag to "true" does disable CloudFront, but causes the UI to display "redirect_mismatch" errors.
Can we enable a Developer portal that is completely private?
Error below when clicking "Sign in":