Authentication Issues
Diagnostic Overview
Authentication issues in StackFlow can originate from three layers: the Cognito User Pool, the Azure AD OBO exchange, or the LDAP connector. Start diagnostics by checking the StackFlow audit log in Admin → Security → Audit Log, then cross-reference with CloudWatch Logs for the StackFlowAPI Lambda and the Cognito User Pool logs.
⚙️ Minimum Requirements
- CloudWatch Logs: `/aws/lambda/StackFlowAPI` log group accessible for auth error investigation
- Cognito: Admin access to pool `us-east-1_WKK1AVJ2m` for user account investigation
- CloudTrail: `stackflow-cloudtrail-373544523367` accessible for authentication event audit
- Secrets Manager: Read access to `stackflow/azure-sso/client-secret` and `stackflow/ldap/bind-credentials` for credential validation
CloudWatch Log Groups:
- API Logs: `/aws/lambda/StackFlowAPI`
- Cognito Logs: `/aws/cognito/userpools/us-east-1_WKK1AVJ2m`
- OBO Lambda: `/aws/apigateway/606pvqo245/obo`
Common Issues
| Symptom | Likely Cause | Diagnostic Step | Resolution |
|---|---|---|---|
| Login page spins, no redirect | Cognito callback URL not registered | Check browser console for CORS error | Add redirect URI to Cognito app client |
| "User not found" on valid email | User created in wrong Cognito pool | aws cognito-idp admin-get-user --user-pool-id us-east-1_WKK1AVJ2m --username user@example.com | Create user in correct pool |
| "Token expired" errors after 1h | Refresh token rotation failing | Check browser localStorage for refresh_token | Clear browser storage, re-authenticate |
| MFA setup page loops | TOTP QR code generation error | Check StackFlowAPI Lambda logs for associateSoftwareToken errors | Ensure Cognito TOTP MFA is enabled for the pool |
| 403 after login | User has no role assigned (custom:role empty) | Check Cognito user attributes in console | Set custom:role attribute via admin-update-user-attributes |
SSO & OBO Issues
| Symptom | Likely Cause | Diagnostic Step | Resolution |
|---|---|---|---|
| Azure SSO redirects back to Azure login loop | Azure app registration redirect URI mismatch | Check Azure AD app registration redirect URIs | Add exact redirect URI to Azure app registration |
| OBO exchange returns 401 | Azure app client secret expired | Check Azure app registration certificate/secret expiry | Rotate Azure client secret, update Secrets Manager |
| OBO exchange returns 403 | Azure consent not granted for GroupMember.Read.All | Check Azure app API permissions — look for "Requires admin consent" | Grant admin consent in Azure Portal |
| Wrong groups synced | Group mapping configuration mismatch | Check group mapping in Admin → Authentication → Azure AD | Update group name/ID in StackFlow group mapping |
LDAP Issues
| Symptom | Likely Cause | Diagnostic Step | Resolution |
|---|---|---|---|
| LDAP bind fails | Wrong bind DN or password | Test with ldapsearch from VPC bastion | Verify bind DN format and reset service account password |
| Users authenticate but no groups sync | Bind account lacks memberOf read access | Check AD delegation for service account on user OU | Grant service account "Read memberOf" permission |
| Connection timeout | LDAP port not accessible from Lambda SG | Check SG rules for sg-0ada825cda6a75ed6 outbound to LDAP port | Add outbound rule: TCP 636 to LDAP server IP |
Cognito Issues
```bash
# Check the Cognito user pool log group for login errors in the last hour
aws logs filter-log-events \
  --log-group-name /aws/cognito/userpools/us-east-1_WKK1AVJ2m \
  --filter-pattern "ERROR" \
  --start-time $(date -d '1 hour ago' +%s000) \
  --region us-east-1

# List the Lambda triggers wired to the pool, to check whether a trigger is causing failures
aws cognito-idp describe-user-pool --user-pool-id us-east-1_WKK1AVJ2m --region us-east-1 \
  | jq '.UserPool.LambdaConfig'

# Check the concurrency setting on the API Lambda (throttling and cold starts can make triggers time out)
aws lambda get-function-concurrency --function-name StackFlowAPI --region us-east-1
```
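The Common Issues table and the Cognito commands above can be folded into one offline check. The script below is an added example, not part of the StackFlow runbook: it takes JSON shaped like the output of `aws cognito-idp describe-user-pool`, `get-user-pool-mfa-config`, `describe-user-pool-client` and `admin-get-user` (saved to files from the CLI) and reports which table rows apply; the sample documents and every id in them are constructed placeholders.

```python
"""Offline triage of Cognito settings against the Common Issues table (added example)."""


def triage(pool_doc, mfa_doc, client_doc, user_doc, redirect_uri):
    """Return (symptom, resolution) pairs from the table for each check that fails."""
    findings = []
    # 403 after login: custom:role attribute missing or empty on the user
    attrs = {a["Name"]: a.get("Value", "") for a in user_doc.get("UserAttributes", [])}
    if not attrs.get("custom:role", "").strip():
        findings.append(("403 after login",
                         "set custom:role via admin-update-user-attributes"))
    # MFA setup page loops: associateSoftwareToken fails unless TOTP MFA is enabled
    totp = mfa_doc.get("SoftwareTokenMfaConfiguration", {}).get("Enabled", False)
    if not totp:
        findings.append(("MFA setup page loops", "enable TOTP MFA for the pool"))
    # Login page spins: the redirect URI the app sends is not registered on the client
    callbacks = client_doc.get("UserPoolClient", {}).get("CallbackURLs", [])
    if redirect_uri not in callbacks:
        findings.append(("Login page spins, no redirect",
                         f"add {redirect_uri} to the app client callback URLs"))
    return findings


def triggers(pool_doc):
    """Names of Lambda triggers wired to the pool; their log groups are where trigger failures show up."""
    cfg = pool_doc.get("UserPool", {}).get("LambdaConfig", {})
    return sorted(k for k, v in cfg.items()
                  if isinstance(v, str) and v.startswith("arn:aws:lambda:"))


# Constructed sample documents; ids and ARNs are placeholders, not real resources.
SAMPLE_POOL = {"UserPool": {"Id": "us-east-1_PLACEHOLDER", "LambdaConfig": {
    "PreTokenGeneration": "arn:aws:lambda:us-east-1:000000000000:function:PreTokenExample",
    "KMSKeyID": "arn:aws:kms:us-east-1:000000000000:key/example"}}}
SAMPLE_MFA = {"MfaConfiguration": "OPTIONAL", "SoftwareTokenMfaConfiguration": {"Enabled": False}}
SAMPLE_CLIENT = {"UserPoolClient": {"ClientId": "placeholderclientid",
                                    "CallbackURLs": ["https://app.example.com/callback"]}}
SAMPLE_USER = {"Username": "user@example.com", "UserStatus": "CONFIRMED", "Enabled": True,
               "UserAttributes": [{"Name": "email", "Value": "user@example.com"},
                                  {"Name": "custom:role", "Value": ""}]}


def run_sample():
    """Triage the constructed sample with the redirect URI the app actually sends."""
    return triage(SAMPLE_POOL, SAMPLE_MFA, SAMPLE_CLIENT, SAMPLE_USER,
                  "https://app.example.com/auth/callback")


if __name__ == "__main__":
    for symptom, fix in run_sample():
        print(f"{symptom}: {fix}")
    print("triggers:", triggers(SAMPLE_POOL))
```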