An example of issue #2295 with the aws-amplify/amplify-android repository
If Amplify.Auth.rememberDevice() is called after confirmSignIn(), then I would expect that the device would be remembered and the user would not be challenged for MFA if they were to sign out and sign back in.
Currently, if a device is set to be remembered after a user confirms sign-in and then they sign out and sign in again, we receive a CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE as the signIn() call's nextStep.signInStep. Unless I'm misunderstanding the expected outcome of a signOut() call, I think the user should be receiving DONE as the nextStep.signInStep.
- You'll need your own AWS Cognito User Pool and App Client ID setup with MFA and remember device enabled
- Authentication type will need to be set to USER_SRP_AUTH
- Update the constants Pool ID, App Client ID, Web Domain, and Region in MainActivity.kt
- Call `Amplify.Auth.signIn(username, password)`. Result should return `CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE` as next step
- Call `Amplify.Auth.confirmSignIn(code)`. Result should return `DONE` as next step
- Call `Amplify.Auth.rememberDevice()`
- Call `Amplify.Auth.signOut(options = AuthSignOutOptions.builder().globalSignOut(false).build())`
- Call `Amplify.Auth.signIn(username, password)`. Result returns `CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE` again as next step. Result should have returned `DONE`
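The API-level steps above, collected into one function so the sequence can be rerun as a regression check (added example, not code from the issue or from the amplify-android project). It assumes the Kotlin coroutines facade (`com.amplifyframework.kotlin.core.Amplify`), that Amplify has already been configured with the Cognito Auth plugin, and that the caller supplies `promptForCode` to obtain the SMS code from the user; the function name is hypothetical.

```kotlin
import com.amplifyframework.auth.options.AuthSignOutOptions
import com.amplifyframework.auth.result.step.AuthSignInStep
import com.amplifyframework.kotlin.core.Amplify

// Runs the reproduction steps in order and returns the sign-in step reported by
// the second signIn(). With a remembered device, DONE is expected; the report
// observes CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE instead.
// Assumption: Amplify.configure(...) has already run with the Cognito Auth plugin.
suspend fun checkRememberDeviceAfterMfa(
    username: String,
    password: String,
    promptForCode: suspend () -> String   // assumed: asks the user for the SMS code
): AuthSignInStep {
    // Step 1: initial sign-in; the SMS MFA challenge is expected here.
    val first = Amplify.Auth.signIn(username, password)
    check(first.nextStep.signInStep == AuthSignInStep.CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE) {
        "Expected SMS MFA challenge, got ${first.nextStep.signInStep}"
    }

    // Step 2: confirm with the SMS code; sign-in should now complete.
    val confirmed = Amplify.Auth.confirmSignIn(promptForCode())
    check(confirmed.nextStep.signInStep == AuthSignInStep.DONE) {
        "Expected DONE after confirmSignIn, got ${confirmed.nextStep.signInStep}"
    }

    // Step 3: mark this device as remembered for the authenticated user.
    Amplify.Auth.rememberDevice()

    // Step 4: local sign-out only (globalSignOut = false), exactly as in the report.
    Amplify.Auth.signOut(AuthSignOutOptions.builder().globalSignOut(false).build())

    // Step 5: sign in again and return whatever step Amplify reports.
    val second = Amplify.Auth.signIn(username, password)
    return second.nextStep.signInStep
}
```

A caller compares the returned step with `AuthSignInStep.DONE`; any other value reproduces the behaviour described in this issue. Wrap the call in a `try`/`catch` for `AuthException` if the sample app should surface failures of the individual steps.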
You can accomplish this by:
- Enter username and password and click Sign In button
- On the next screen, enter the code sent to you and click Confirm Sign In button
- On the next screen, click the Sign Out button
- Back on the Sign In screen, enter username and password and click Sign In button again
After signing out and signing back in, the user should not be challenged for MFA if they have already confirmed their sign in and remembered their device.
After signing out and signing back in, the user is challenged for MFA again even though they have already confirmed their sign in and remembered their device.