
Guest identity handling inconsistent with auth flow: throws errors instead of regenerating identities #14378

@MarekBodingerBA

Description



JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

No response

Backend

None

Environment information

  System:
    OS: Windows 11 10.0.26100
    CPU: (22) x64 Intel(R) Core(TM) Ultra 9 185H
    Memory: 4.04 GB / 31.43 GB
  Binaries:
    Node: 20.9.0 - ~\AppData\Local\Volta\tools\image\node\20.9.0\node.EXE
    Yarn: 4.9.1-git.20250411.hash-1908ee79f - ~\AppData\Local\Volta\tools\image\yarn\4.9.1\bin\yarn.CMD
    npm: 10.8.1 - ~\AppData\Local\Volta\tools\image\npm\10.8.1\bin\npm.CMD
    pnpm: 10.10.0 - C:\Program Files\Volta\pnpm.EXE
  Browsers:
    Edge: Chromium (131.0.2903.70)
  npmGlobalPackages:
    corepack: 0.20.0
    npm: 10.1.0

Describe the bug

This is a follow-up to the previously fixed issue regarding inconsistent identity source between server and client components (#14256).

When using Amplify JS with guest identities enabled in a Next.js application, we've identified several critical issues with guest identity management:

  1. After a user signs in, both authenticated user cookies and guest identity cookies remain in the browser. This causes two problematic scenarios:

    • When the user refreshes the page or navigates to another page, the server properly removes the guest identity
    • However, if the user immediately signs out, the guest cookie remains in the browser cookies
  2. On subsequent page loads, fetchAuthSession throws NotAuthorizedException: Access to Identity 'eu-central-1:xxxx' is forbidden because the guest identity ID is paired with an authenticated user and cannot be accessed via guest credentials.

  3. We're seeing hundreds of users encountering NotAuthorizedException errors in our logs, which strongly suggests that the immediate sign-in/sign-out flow is not the only way users end up with invalid guest identity cookies. It happened to me personally without performing the sign-in/sign-out flow, suggesting there are other paths that lead to this invalid state. AWS should examine how these scenarios occur, as it's implausible that hundreds of users all performed the immediate sign-in/sign-out sequence.

Expected behavior

  1. The client should immediately remove guest identity after sign-in, ensuring clean transitions between guest and authenticated states.

  2. The guest workflow should act consistently with the auth workflow: When I manually change an auth token like CognitoIdentityServiceProvider.xxxxxxxxxxxxxxxxxxxx.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.idToken to a nonsense value, fetchAuthSession doesn't throw an error but treats the user as signed out. Similarly, for invalid guest identities, it should generate a new guest identity ID rather than throwing exceptions.

Reproduction steps

  1. Clone the reproduction repository from the previous issue: https://github.com/MarekBodingerBA/amplify-js-guest-identity-bug
  2. Update the dependencies to the latest versions
  3. Run the Next.js application
  4. Visit the homepage as a guest user (this will create a guest identity)
  5. Sign in (this step will need to be added to the example - it's not in the original reproduction repo)
  6. Immediately sign out without refreshing or navigation
  7. Reload the page
  8. Observe the server error caused by NotAuthorizedException when attempting to use the existing guest identity

Code Snippet

No response

Log output

⨯ NotAuthorizedException: Access to Identity 'eu-central-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.
    at async operation
> |         const authSession = await fetchAuthSession(contextSpec)

// Alternative error:
ResourceNotFoundException: Identity 'eu-central-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found.

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

There appear to be multiple scenarios leading to these errors:

  1. Immediate sign-in/sign-out scenario described above
  2. Users who previously visited the site before guest access was enabled
  3. Legacy cookies persisting after authentication state changes

The main issue is that unlike authentication tokens (where invalid tokens simply result in treating the user as signed out), invalid guest identity tokens cause exceptions that break server components using runWithAmplifyServerContext.

Important: Even if you fix only the issue with clients not removing guest cookies after sign-in, we will still encounter numerous errors because many users already have migrated or invalid guest identity IDs in their cookies. (We would need to force removal of their cookies somehow before interacting with Amplify). The behavioral inconsistency between auth and guest workflows is the root cause that needs addressing.

For a complete solution, we need:

  1. Client-side removal of guest identity immediately after sign-in
  2. Most critically: Graceful handling of invalid guest identities by generating new ones instead of throwing errors - just like the auth flow behaves with invalid tokens

This would ensure consistency between the authentication and guest identity workflows, preventing 500 errors that our users are currently experiencing.

Reproduction screenshots from our site:

  1. Pre sign-in, user has generated guest identity: [screenshot]

  2. Post sign-in, user has both auth and guest identity cookies: [screenshot]

    a) Scenario 1: User signs out immediately, this leads to auth cookies removal, but guest cookies stay, fetchAuthSession throws a NotAuthorizedException: [screenshots]

    b) Scenario 2: User visits another page, or refreshes the page, the guest cookie is correctly removed: [screenshot]
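The "regenerate instead of throw" policy the report asks for, written out as an added TypeScript example that is neither the issue author's code nor Amplify's. It assumes the guest identity id lives in a cookie named `com.amplify.Cognito.<identityPoolId>.identityId`, that Amplify exposes the Cognito error name in `error.name`, and it uses a constructed `simulatedFetchSession` in place of `fetchAuthSession` so it runs offline.

```typescript
// Added example, not code from the issue or from Amplify: give guest identities
// the same "invalid state => start over" behaviour the auth-token path already
// has, instead of letting the error escape a server component as a 500.

export type AuthSession = { identityId?: string; hasTokens: boolean };
export type CookieJar = Map<string, string>;
export type FetchSession = (jar: CookieJar) => Promise<AuthSession>;

// Both Cognito Identity errors quoted in the issue's log output.
const STALE_GUEST_ERRORS = new Set(['NotAuthorizedException', 'ResourceNotFoundException']);

// Assumption: Amplify v6 keeps the guest identity id in a cookie named
// `com.amplify.Cognito.<identityPoolId>.identityId`; check your own cookie jar.
const GUEST_IDENTITY_COOKIE = /^com\.amplify\.Cognito\..+\.identityId$/;

export function guestIdentityCookies(jar: CookieJar): string[] {
  return [...jar.keys()].filter((k) => GUEST_IDENTITY_COOKIE.test(k));
}

// Assumption: Amplify surfaces the Cognito service error name in `error.name`.
export function isStaleGuestIdentityError(err: unknown): boolean {
  const name = (err as { name?: unknown } | null)?.name;
  return typeof name === 'string' && STALE_GUEST_ERRORS.has(name);
}

// Try the real fetch; on a stale-guest error drop only the guest identity cookies
// (auth tokens, if any, are left alone) and retry once so a fresh guest identity is minted.
export async function fetchSessionRegeneratingGuest(
  jar: CookieJar, fetchSession: FetchSession,
): Promise<{ session: AuthSession; regenerated: boolean }> {
  try {
    return { session: await fetchSession(jar), regenerated: false };
  } catch (err) {
    if (!isStaleGuestIdentityError(err)) throw err;
    const stale = guestIdentityCookies(jar);
    if (stale.length === 0) throw err; // nothing to regenerate, surface the error
    stale.forEach((k) => jar.delete(k)); // log `stale` here: counting these sizes the blast radius
    return { session: await fetchSession(jar), regenerated: true };
  }
}

// Constructed stand-in for fetchAuthSession: rejects a guest identity that was paired
// with a signed-in user (the issue's scenario 1) and mints a new one when none is present.
export async function simulatedFetchSession(jar: CookieJar): Promise<AuthSession> {
  const key = 'com.amplify.Cognito.eu-central-1:POOL_PLACEHOLDER.identityId';
  const id = jar.get(key);
  if (id?.endsWith(':paired')) {
    throw Object.assign(new Error(`Access to Identity '${id}' is forbidden.`), { name: 'NotAuthorizedException' });
  }
  if (!id) jar.set(key, 'eu-central-1:fresh-guest');
  return { identityId: jar.get(key), hasTokens: false };
}

export async function demo(): Promise<{ session: AuthSession; regenerated: boolean }> {
  const jar: CookieJar = new Map([['com.amplify.Cognito.eu-central-1:POOL_PLACEHOLDER.identityId', 'eu-central-1:old:paired']]);
  return fetchSessionRegeneratingGuest(jar, simulatedFetchSession);
}
```

In a real app the wrapper would run inside runWithAmplifyServerContext with the request's cookie store standing in for the Map.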

Labels: Auth (Related to Auth components/category), bug (Something isn't working)
