aws-samples/cloudfront-authorization-at-edge

[ ERROR ] Too many http redirects using federated social login when user is out of the UserPoolGroup

RuyOliveiraRunaHR opened this issue · 3 comments

Hi Guys, thank you for this great resource! Very good job.

I'm trying to use this solution with a pre-existing Cognito user pool federated with Google, and specifying a user pool group in order not to allow every user with a Google account to access my static site.

When I try to access the CloudFront distribution I get redirected to Cognito and I'm able to select my Google account to log in. Checking the Cognito user pool I can see that my user was correctly added to the pool, but, as expected, it was not added to the user pool group, and this is my desired behaviour.

When the browser is redirected back to the CloudFront distribution, since the user is not in the user pool group it ends up redirected once again to Cognito and the loop starts.

I think that parseauth needs to check: if the token is valid but the user is out of the group, it means that the user needs an administrator action to include them in the user pool group and allow access. I could let the user access one specific page where a message informing about this situation is hosted.

Thanks in advance.

Hi @RuyOliveiraRunaHR

In that scenario, the user should get an error page like this:

[screenshot: the "Not Authorized" error page]

Can you confirm that works for you?

Clicking "Try Again" will redirect to this page again, unless the admin in the meantime added the user to the group in Cognito, in which case the user would be nicely redirected to the page she wanted to go to and have access.

That message is coded here:

```javascript
} else if (`${err}`.includes("Cognito group")) {
  // The token itself was valid, but the user is not a member of the required
  // Cognito group: render the "Not Authorized" page instead of sending the
  // browser back to Cognito (which would loop)
  htmlParams = {
    title: "Not Authorized",
    message:
      "Your user is not authorized for this site. Please contact the admin.",
    expandText: "Click for details",
    details: `${err}`,
    linkUri: redirectedFromUri,
    linkText: "Try Again",
  };
```

This is of course an example. If you want to do something else here, e.g. show a custom HTML page with more details explaining to the user where to actually reach the admin, you code the return of a redirect (e.g. 307) to that custom page (and make that custom page publicly accessible, by not protecting that CloudFront behavior with Auth@Edge).
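The redirect variant described in the comment above, as an added illustration that is not the project's own parse-auth code: a Lambda@Edge-style handler checks the `cognito:groups` claim of an already-verified ID token and, when the user is not in the required group, answers with a 307 to a public explanation page instead of bouncing back to Cognito. `decodeIdTokenPayload`, `checkGroupMembership`, `handleParsedToken`, the group name `site-users` and the path `/not-authorized.html` are all assumptions made for this example; JWT signature verification is assumed to have happened earlier in the flow and is not shown.

```javascript
// Added example, not code from cloudfront-authorization-at-edge. Assumed values:
const REQUIRED_GROUP = "site-users"; // constructed group name
const NOT_AUTHORIZED_PAGE = "/not-authorized.html"; // assumed path of a page NOT behind Auth@Edge

// Hypothetical helper: decodes the payload of a JWT whose signature and
// standard claims (iss, aud, exp) were verified by an earlier step.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("Malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Throws an error mentioning "Cognito group" when the user is not a member,
// mirroring the string the existing error branch matches on.
function checkGroupMembership(idToken, requiredGroup) {
  const payload = decodeIdTokenPayload(idToken);
  const groups = Array.isArray(payload["cognito:groups"]) ? payload["cognito:groups"] : [];
  if (!groups.includes(requiredGroup)) {
    throw new Error(`User is not in the required Cognito group: ${requiredGroup}`);
  }
  return payload;
}

// CloudFront response sending the browser to the public explanation page.
// The original URI travels along as a query parameter so the page can offer
// a "try again" link; cache-control stops the redirect from being cached.
function notAuthorizedResponse(redirectedFromUri) {
  const location = `${NOT_AUTHORIZED_PAGE}?from=${encodeURIComponent(redirectedFromUri)}`;
  return {
    status: "307",
    statusDescription: "Temporary Redirect",
    headers: {
      location: [{ key: "location", value: location }],
      "cache-control": [
        { key: "cache-control", value: "no-cache, no-store, max-age=0, must-revalidate" },
      ],
    },
  };
}

// Decides where the browser goes after the token has been parsed:
// member of the group -> the page originally requested;
// valid token but not a member -> the public "not authorized" page (no loop);
// any other error is left to the caller.
function handleParsedToken(idToken, redirectedFromUri) {
  try {
    checkGroupMembership(idToken, REQUIRED_GROUP);
    return {
      status: "307",
      statusDescription: "Temporary Redirect",
      headers: { location: [{ key: "location", value: redirectedFromUri }] },
    };
  } catch (err) {
    if (`${err}`.includes("Cognito group")) {
      return notAuthorizedResponse(redirectedFromUri);
    }
    throw err;
  }
}

// Builds a constructed, unsigned test token (signature is a placeholder);
// only used here because verification is assumed to have happened upstream.
function makeTestToken(payload) {
  const header = Buffer.from(JSON.stringify({ alg: "RS256", kid: "example-kid" })).toString("base64url");
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${header}.${body}.signature-placeholder`;
}

// Stand-alone demonstration with two constructed tokens
const member = makeTestToken({ sub: "user-1", "cognito:groups": ["site-users"] });
const outsider = makeTestToken({ sub: "user-2" });
console.log(handleParsedToken(member, "/private/index.html").headers.location[0].value);
console.log(handleParsedToken(outsider, "/private/index.html").headers.location[0].value);
```

The important property is that the "not authorized" target is served by a CloudFront behavior without the Auth@Edge functions attached; if it were protected too, the same group check would fire again and the redirect loop from the issue would simply move to a different URL.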

Hi Otto, thanks for your return.
Yeah, you are right! I probably did something wrong, I'm doing some more tests.

Thanks a lot.
Best,