External auth calls to Aws Cognito for authentication fails

Hi I came back to Jira forge after some time and I am getting lost in new version changes. I am currently working on Jira Forge application that access external service (AWS Cognito) for authentication using the @aws-amplify/auth

I want to be clear - I am aiming for this flow as it seems the most stairghtforward to me:

  1. Having the external Cognito URL defined in manifest
  2. Deploying the application to the workspace
  3. Calling the aws amplify-js cognito Auth.signIn(username, password)
  4. Succesfully receiving the CognitoUser object

It is my current flow of working with authentication on Jira Forge, but it does not work anymore. Could you please provide some guidence? It worked great when accessing auth in the past, but currently I am struggling with it.

The amazon-cognito-identity makes an API call via the node-fetch which fails with TypeError: fetch failed at Object.fetch, the exact line in the implementation (Client:96). If I understand correctly, Jira Forge has it’s own runtime node-fetch for Basic fetch client wrapper, which we are using to call AWS AppSync (backend) directly.


  • do I need to redo the whole auth flow like in this official example using external provider? bitbucket.org/atlassian/forge-external-auth-aws-cognito/src/master/
  • would amplify version v6 help?
  • Should I move the cognito calls to my backend and use forge fetch instead? i.e. this post from 12/2021 Aws-sdk problems
  • … any other suggestions or ideas?

Welcome to the Atlassian developer community @rado08271,

The first thing I would suggest is to make sure you have proper egress controls specified in your manifest. This might be difficult to do when using AWS’s libraries because it might not be obvious which APIs are called by the SDK. Maybe posting your manifest, especially the permissions section, would help the community contribute to diagnosing and fixing your problem?

1 Like

Hi @rado08271, when you say “new version changes”, did you mean to upgrade your app from sandbox runtime to nodejs18.x runtime? Sorry, It’s a bit difficult to tell what went wrong without the logs. Can you please raise a support ticket with the appId so we can do a proper investigation?


Hi Thank you very much for your response! I will provide all necesarry details.

My egress configuration in manifest:

        - '*.eu-central-1.amazonaws.com'
      - '*.wp.com'
    - storage:app
    - read:jira-work
    - write:jira-work
    - write:issue:jira
    - read:jira-user
      - 'unsafe-eval'
      - 'unsafe-inline'

In application I have defined a handler for signing in (the handler is processed via resolver) this is a simplified version:

import { Auth } from 'aws-amplify'
import { CognitoUser } from 'amazon-cognito-identity-js'

const cognitoUser: CognitoUser = await Auth.signIn({
    username: props.email,
    password: props.password

When running this code, I get an already mentioned error see this Log entry below.

Error: Network error
at <anonymous> (webpack://my-application/src/my-resolver-function.js:2:807533)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
code: 'NetworkError'

Environment: Development
Invocation ID: xxxd057d-c6x6-4b91-b7bb-xxxxxxxxx
Trace ID: xxx2048ad1fcxd74b5cdb6779f83e574-xxxxxxxxxxxxxxxx
Module: core:function
Function: my-resolver-function
Version: 7.2.0
Site: my-site.atlassian.net
Product: Jira

My AWS is in eu-central-1 region.

Regarding the mentioned new changes I changed the runtime version to nodejs18.x and removed snapshots April 17th change
Previous manifest

  id: ari:cloud:ecosystem::app/<APP_ID>
    snapshots: true

New manifest

  id: ari:cloud:ecosystem::app/<APP_ID>
    name: "nodejs18.x"

Thanks for your advice to raise support ticket.