aws-auth-cognito unusable - is pulling in an old alpha version of okhttp #2809

Open
1 task done
kroegerama opened this issue May 7, 2024 · 14 comments
Labels
auth Related to the Auth category/plugins feature-request Request a new feature


kroegerama commented May 7, 2024

Before opening, please confirm:

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

implementation("com.amplifyframework:core-kotlin:2.16.1")
implementation("com.amplifyframework:aws-auth-cognito:2.16.1")

Describe the bug

All recent versions of com.amplifyframework:aws-auth-cognito pull in an alpha version of okhttp: com.squareup.okhttp3:okhttp:5.0.0-alpha.11 via transitive dependencies.

This is conflicting with our existing dependencies of okhttp 4.12.0, which is the latest stable release of okhttp.

I don't really get why anyone considered it a good idea to use an alpha version as a dependency. There are even companies that forbid using alpha dependencies in production.

Seems like the culprit is the AWS dependency aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11, which had this bad dependency literally forever. I went to mvnrepository and even version 0.11.0 of this smithy client uses an alpha version. Going forward, the most recent version 1.2.2 also has an alpha dependency.

There was a ticket regarding this, but it was abandoned and closed without a fix. #2632

Is there a plan for when this will be fixed? I have no idea how to integrate Cognito without messing up our production releases.

@github-actions github-actions bot added the pending-triage Issue is pending triage label May 7, 2024
@yuhengshs yuhengshs added auth Related to the Auth category/plugins investigating This issue is being investigated and removed pending-triage Issue is pending triage labels May 7, 2024
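An added example, not code from the issue or from the Amplify or AWS projects: a CI check that reads Gradle's dependency tree and reports which path brings a pre-release version onto the classpath and which requested stable version it replaced (Gradle resolves version conflicts to the highest version by default). The tree is constructed and abridged from the coordinates named in the report, and the `audit` function and its pre-release pattern are assumptions of this example.

```python
import re

# Constructed, abridged output of
#   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath
# Coordinates are the ones named in the issue; intermediate modules are omitted.
SAMPLE_TREE = r"""
+--- com.amplifyframework:core-kotlin:2.16.1
+--- com.amplifyframework:aws-auth-cognito:2.16.1
|    \--- aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11
|         \--- com.squareup.okhttp3:okhttp:5.0.0-alpha.11
\--- com.squareup.okhttp3:okhttp:4.12.0 -> 5.0.0-alpha.11 (*)
"""

# One tree node: 5-character indent units, a branch marker, then
# group:name[:requested][ -> resolved]
NODE = re.compile(
    r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<group>[^:\s]+):(?P<name>[^:\s]+)"
    r"(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?"
)
# Assumed policy: these qualifiers mark a version as pre-release.
PRE_RELEASE = re.compile(r"[-.](alpha|beta|rc|snapshot|eap|dev)", re.IGNORECASE)


def audit(tree):
    """Return (offenders, overrides).

    offenders: {resolved coordinate: [dependency paths that lead to it]}
    overrides: [(module, requested, resolved)] where conflict resolution
               replaced a requested version with a pre-release one.
    """
    stack, offenders, overrides = [], {}, set()
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 5
        module = f'{m["group"]}:{m["name"]}'
        resolved = m["res"] or m["req"] or "unspecified"
        del stack[depth:]  # drop siblings and deeper nodes of the previous branch
        stack.append(f"{module}:{resolved}")
        if PRE_RELEASE.search(resolved):
            offenders.setdefault(stack[-1], []).append(" > ".join(stack))
            if m["req"] and m["res"] and m["req"] != m["res"]:
                overrides.add((module, m["req"], m["res"]))
    return offenders, sorted(overrides)


if __name__ == "__main__":
    found, replaced = audit(SAMPLE_TREE)
    print(found, replaced)
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

A path consisting of a single coordinate means the module was declared directly and then upgraded by conflict resolution.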
@yuhengshs
Contributor

Hi @kroegerama ,

Thanks for reporting the issue, our team will take a look and post updates here.

@yuhengshs yuhengshs added question General question feature-request Request a new feature and removed investigating This issue is being investigated question General question labels May 7, 2024
@yuhengshs
Contributor

Hi @kroegerama ,

Unfortunately, Amplify Android has a dependency on aws-kotlin and aws-smithy. We will try to make another request internally and see if any modifications can be done.

@kroegerama
Author

Thanks a lot for your follow-up @yuhengshs. I look forward to hearing if your colleagues decide to fix this.

mehulrewardle commented Aug 5, 2024

@yuhengshs Any update on this issue? I am also facing the conflict issue with Stripe. You should use the latest stable version of okhttp3.

@tylerjroach
Member

@mehulrewardle Unfortunately, we have a hard dependency on the AWS Kotlin SDK, which is using the v5-alpha. We cannot change the OkHttp version on our end unless the AWS Kotlin SDK makes changes first.

For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?

JGerdes commented Sep 6, 2024

Hi @yuhengshs and @tylerjroach, is there any update on this?
As AWS Amplify v1 is officially deprecated, we need to update to v2, but can't due to the compatibility issues with OkHttp3.
Updating from v1 to v2 basically forces us to use an unstable alpha release in our network layer and risk crashes or unwanted behaviour with other libraries that transitively depend on OkHttp.

Could you try to find a solution for this issue?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 6, 2024
@lauzadis

Hello @JGerdes, I am a developer of the AWS SDK for Kotlin. We have no intentions to downgrade our version of OkHttp. Square claims that OkHttp 5.0.0-alpha.X is production stable, so we recommend you upgrade to resolve the issue:

"The alpha releases in the 5.0.0 series have production-quality code and an unstable API. We expect to make changes to the APIs introduced in 5.0.0-alpha.X. These releases are safe for production use and ‘alpha’ strictly signals that we’re still experimenting with some new APIs. If you’re eager for the fixes or features below, please upgrade."
https://square.github.io/okhttp/changelogs/changelog/#version-500-alpha7

Note: The AWS SDK for Kotlin does not use any new APIs from 5.0.0-alpha.X, only pre-existing APIs which are considered stable and supported for production use.

If you are not willing to upgrade your OkHttp version to alpha, then you will need to explore alternate solutions such as dependency shading. Here is a GitHub issue where we've discussed this option in the past. It may be useful if you decide to go this route: awslabs/aws-sdk-kotlin#765 (comment)

@5d 5d removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 11, 2024
@jasinmelb

We are trying to use the latest Stripe SDK, https://github.com/stripe/stripe-terminal-android/releases, which has a dependency on the stable OkHttp lib. We need to use the new version to fix a Stripe bug but are now blocked from upgrading due to the dependency on the alpha version of the OkHttp lib that aws-auth-cognito is using.

In regard to:

"For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?"

Yes, the Stripe SDK crashes.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 12, 2024
@vincetran
Member

@jasinmelb Unfortunately, there isn't much we can do from our side right now due to our dependency on the AWS Kotlin SDK. Have you tried to look at alternate solutions like what was mentioned above: awslabs/aws-sdk-kotlin#765 (comment)?

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@lauzadis

I'm happy to share that we've implemented a workaround to this problem. The latest release of smithy-kotlin (v1.3.9) contains an OkHttp4Engine which depends on OkHttp 4.x instead of 5.0.0-alpha.X.

Take a look at the module's README, give it a try, and let us know if you have any problems!

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@vincetran
Member

That's awesome! Thanks for the update @lauzadis! For those affected, please try that solution and let us know how it goes for you.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 13, 2024
@vincetran vincetran added the pending-community-response Issue is pending response from the issue requestor label Sep 13, 2024
@vincetran
Member

Hm, actually, looking a little further into the solution, it looks like there's additional work for Amplify to support this. Let me discuss this with the team.

@vincetran vincetran removed the pending-community-response Issue is pending response from the issue requestor label Sep 13, 2024
JGerdes commented Sep 24, 2024

@vincetran Can you share the outcome of the discussion with the team or whether there already is a rough timeline when to expect a release adding support for the OkHttp4Engine option?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 24, 2024
@vincetran
Member

Hi all, sorry for the late reply. While we do agree that this is something we want to support, we're running a bit stretched right now. We cannot commit to any specific timeline for adding this but we will absolutely keep this issue up-to-date when we have a better idea.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 30, 2024