
OAuth configuration block missing from amplifyconfiguration.json when Cognito User Pool is not enabled #11127

Closed
5 tasks done
brandonmaul opened this issue Oct 6, 2022 · 12 comments
Labels
auth Issues tied to the auth category of the CLI pending-triage Issue is pending triage platform Issues tied to the general CLI platform

Comments


brandonmaul commented Oct 6, 2022

Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

curl

If applicable, what version of Node.js are you using?

18.9.0

Amplify CLI Version

10.2.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

In the Cognito User Pool that was imported into Amplify, I unchecked the "Cognito User Pool" option under Enabled Identity Providers, and kept the federated SAML "azuread" provider enabled. This was done for both the native app client and the web app client.

[Screenshot attached: App Client settings, 2022-10-06 11:24:20 AM]

Amplify Categories

auth, api

Amplify Commands

pull

Describe the bug

I am working on an iOS native app with this Amplify instance. When doing an amplify pull after saving the changes mentioned above, the amplifyconfiguration.json file is missing the required OAuth block (under the auth/plugins/awsCognitoAuthPlugin/Auth/Default object in the JSON) for signIn/signOut to work. I have to manually add it in for the SDK to function properly.

The block in question:

"OAuth": {
    "WebDomain": "xxxxx.auth.us-east-1.amazoncognito.com",
    "AppClientId": "xxxxxxxxxx",
    "AppClientSecret": "xxxxxxxxxx",
    "SignInRedirectURI": "xxxxxxxxxx",
    "SignOutRedirectURI": "xxxxxxxxxx",
    "Scopes": [
        "email",
        "openid"
        ...
    ]
},

If I re-enable the Cognito User Pool in the "Enabled Identity Providers", and then do an amplify pull the OAuth block is generated as expected.

Expected behavior

The OAuth block above should be added to the amplifyconfiguration.json file when any Identity Provider is enabled, and the Cognito User Pool shouldn't be required to produce this OAuth block in the configuration.

Reproduction steps

  1. Make an Amplify instance with Authentication
  2. Add another identity provider (ex: I was using AAD via SAML)
  3. Disable the Cognito User Pool for the list of Enabled Identity Providers under the "App Client Settings in the cognito user pool", and keep the other Identity Provider enabled.
  4. Try making an iOS app (Haven't tested with other amplify SDKs) and do an amplify pull to load the configuration.
  5. View the amplifyconfiguration.json file - it won't have the OAuth block required to do an Amplify.Auth.signInWithWebUI(...) and Amplify.Auth.signOut(...)

GraphQL schema(s)

N/A

Project Identifier

N/A

Log output

N/A

Additional information

No response

@josefaidt josefaidt added platform Issues tied to the general CLI platform pending-triage Issue is pending triage labels Oct 6, 2022
ykethan (Member) commented Oct 12, 2022

Hey @brandonmaul, thank you for reaching out. I wanted to get some additional information.

Make a Amplify instance with Authentication

Was the Cognito resource added via the Amplify CLI using amplify add auth or via amplify import auth?
If the resource was added via amplify import auth and changes were made on the console after the resource was added, we will need to remove the auth and re-import the resource.

Using a React app and the Amplify CLI, I was unable to reproduce this; it would be great if you could provide me with additional information. Please feel free to add screenshots to the reproduction steps, as this would enable us to create a similar environment.

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Oct 12, 2022
brandonmaul (Author) commented

@ykethan hi! Thanks for the reply.

We imported the Cognito resource using 'amplify import auth'.

However, after removing the auth and re-importing, the behaviour still persisted.

ykethan (Member) commented Oct 13, 2022

Hey @brandonmaul, on diving deeper and trying to reproduce the issue, here are my observations:

  1. Created a Cognito user pool on the AWS console.
  2. Created a provider using SAML.
  3. Modified the App Client with both user pool and SAML providers.
  4. Created an application and ran amplify pull. Observed the following in the amplifyconfiguration/aws-exports file:

     "oauth": {
         "domain": "xyzabc.us-east-1.amazoncognito.com",
         "scope": [
             "aws.cognito.signin.user.admin",
             "com.test/email",
             "com.test/profile"
         ],
         "redirectSignIn": "https://localhost:3000/",
         "redirectSignOut": "https://localhost:3000/",
         "responseType": "code"
     },

  5. Modified the App Client with only the SAML provider, then ran amplify pull. Observed the following in the amplifyconfiguration/aws-exports file:

     "oauth": {
         "domain": "xyzabc.auth.us-east-1.amazoncognito.com"
     },

Does this align with what you are experiencing?

If not, could you provide us with additional information on the reproduction steps, including the Cognito configuration on the AWS console and a screenshot (or the contents) of the amplifyconfiguration.json?
If the content contains sensitive information, please feel free to email us the information at [email protected]

@ykethan ykethan added pending-response Issue is pending response from the issue author and removed pending-response Issue is pending response from the issue author labels Oct 13, 2022
ykethan (Member) commented Oct 25, 2022

Hey @brandonmaul , following up on this behaviour. Please do let us know if you require any assistance.

@ykethan ykethan added pending-close-response-required and removed pending-response Issue is pending response from the issue author labels Oct 25, 2022
ykethan (Member) commented Oct 28, 2022

Closing the issue due to inactivity. Please do reach out to us again; we would be happy to assist you.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale Oct 28, 2022
Nayanigaonkar commented

I am facing the same issue can anyone help me?

ykethan (Member) commented May 3, 2023

@Nayanigaonkar this is a feature request on imported auth resources when using custom auth providers and is currently being tracked here: #10932

If this is not your use case, could you open a new issue using the bug template?

tech-team-rural-mda commented

> 5. Modified the App Client with only the SAML provider, then ran `amplify pull`.
>    Observed the following in the amplifyconfiguration/aws-exports file.

amplifyconfiguration.json and aws-exports.js have completely different formats. There is plenty of documentation about OAuth configuration in aws-exports.js (old), but I have yet to find any info about the equivalent schema for OAuth configuration in amplifyconfiguration.json (new). I only know from trial and error that the following is NOT applicable for amplifyconfiguration.json :

    "Auth": {
        "domain": "COGNITO_DOMAIN",
        "clientId": "USER_POOL_CLIENT_ID",
        "identityPoolId": "IDENTITY_POOL_ID",
        "identityPoolRegion": "REGION",
        "region": "REGION",
        "userPoolId": "USER_POOL_ID",
        "userPoolWebClientId": "USER_POOL_CLIENT_ID",
        "oauth": {
            "domain": "COGNITO_DOMAIN",
            "scope": [ "openid" ],
            "redirectSignIn": "COGNITO_REDIRECT_SIGNIN_URL",
            "redirectSignOut": "COGNITO_REDIRECT_SIGNOUT_URL",
            "responseType": "code"
        }
    }

... where is the NEW documentation on passing Federated/OAuth provider info to the Authenticator component in the Amplify v6+?

dancingfrog commented Feb 28, 2024

import { Amplify } from 'aws-amplify'; // v6 Amplify import the snippet relies on
import amplifyconfig from './amplifyconfiguration.json';
import aws_config from './aws-exports';

// Load the generated v6 config first, then overlay the v5 OAuth settings on top of it.
// The non-null assertions (!) below assume this first call populated
// Auth.Cognito.loginWith.oauth.
Amplify.configure(amplifyconfig);
Amplify.configure({
    // TODO: Why is this so ridiculous and how can these options be
    //       specified exclusively in amplifyconfiguration.json ???
    ...Amplify.getConfig(),
    Auth: {
        ...Amplify.getConfig().Auth!,
        Cognito: {
            ...Amplify.getConfig().Auth!.Cognito!,
            ...aws_config.Auth,
            loginWith: {
                ...Amplify.getConfig().Auth!.Cognito!.loginWith!,
                oauth: {
                    ...Amplify.getConfig().Auth!.Cognito!.loginWith!.oauth!,
                    ...aws_config.Auth.oauth,
                    // v6 expects arrays where v5 used single strings
                    redirectSignIn: [
                        aws_config.Auth.oauth.redirectSignIn
                    ],
                    redirectSignOut: [
                        aws_config.Auth.oauth.redirectSignOut
                    ],
                    responseType: (aws_config.Auth.oauth.responseType as "code"),
                    // v5 "scope" becomes v6 "scopes"
                    scopes: [
                        ...aws_config.Auth.oauth.scope
                    ]
                },
                username: true,
            },
            userPoolClientId: aws_config.Auth.clientId
        }
    }
});
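The snippet above works, but because it spreads the whole v5 Auth object into Auth.Cognito and reads everything back through Amplify.getConfig(), it is hard to see what ends up in the final config, and it throws on the very case this issue is about (a v5 oauth block that only carries "domain"). The following is an added example, not code from this thread or from Amplify: a pure function that maps the v5 keys used in the snippet (oauth.domain, scope, redirectSignIn, redirectSignOut, responseType, clientId/userPoolWebClientId, userPoolId, identityPoolId) onto the v6 shape the snippet targets (Auth.Cognito.loginWith.oauth with scopes and array-valued redirects), refuses to merge an incomplete block, and never mutates its inputs. It goes slightly beyond the snippet by splitting a comma-separated v5 redirect string into the v6 array. The function names and sample inputs are assumptions constructed for the example.

```javascript
// Added example, not from the issue thread or the Amplify project: an explicit,
// testable v5 (aws-exports Auth block) -> v6 (Amplify.configure ResourcesConfig)
// mapping. Key names on both sides follow the snippet in the comment above;
// sample inputs are constructed.

// Fields the hosted-UI flow needs; a v5 block lacking any of these (e.g. the
// "domain"-only block seen when the user-pool provider is disabled) is rejected.
const V5_OAUTH_REQUIRED = ['domain', 'scope', 'redirectSignIn', 'redirectSignOut', 'responseType'];

// v5 may list several redirect URLs in one comma-separated string; v6 wants an array.
function toList(value) {
  if (Array.isArray(value)) return [...value];
  return String(value).split(',').map((s) => s.trim()).filter(Boolean);
}

// Drop undefined entries so a field absent from v5 never clobbers the v6 value.
function compact(obj) {
  return Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== undefined));
}

// Returns { config, problems }. On success `config` is a new v6-shaped object;
// on an incomplete v5 block the original v6 config is returned untouched and
// the missing fields are listed in `problems`.
function mergeV5OAuthIntoV6(v6Config, v5Exports) {
  const v5Auth = (v5Exports && v5Exports.Auth) || {};
  const oauth = v5Auth.oauth;
  const problems = [];
  if (!oauth) {
    problems.push('aws-exports has no Auth.oauth block');
  } else {
    for (const key of V5_OAUTH_REQUIRED) {
      if (oauth[key] === undefined || oauth[key] === '') {
        problems.push(`aws-exports Auth.oauth.${key} is missing`);
      }
    }
  }
  if (problems.length > 0) return { config: v6Config, problems };

  const auth = (v6Config && v6Config.Auth) || {};
  const cognito = auth.Cognito || {};
  const merged = {
    ...v6Config,
    Auth: {
      ...auth,
      Cognito: {
        ...cognito,
        ...compact({
          userPoolId: v5Auth.userPoolId,
          userPoolClientId: v5Auth.userPoolWebClientId || v5Auth.clientId,
          identityPoolId: v5Auth.identityPoolId,
        }),
        loginWith: {
          ...cognito.loginWith,
          username: true,
          oauth: {
            domain: oauth.domain,
            scopes: toList(oauth.scope),            // v5 "scope" -> v6 "scopes"
            redirectSignIn: toList(oauth.redirectSignIn),
            redirectSignOut: toList(oauth.redirectSignOut),
            responseType: oauth.responseType,
          },
        },
      },
    },
  };
  return { config: merged, problems };
}

// Constructed sample inputs.
const V6_BASE = {
  Auth: { Cognito: { userPoolId: 'us-east-1_EXAMPLE', userPoolClientId: 'example-client-id' } },
};
const V5_FULL = {
  Auth: {
    region: 'us-east-1',
    userPoolId: 'us-east-1_EXAMPLE',
    userPoolWebClientId: 'example-client-id',
    oauth: {
      domain: 'example.auth.us-east-1.amazoncognito.com',
      scope: ['openid', 'email'],
      redirectSignIn: 'http://localhost:3000/,https://app.example.com/',
      redirectSignOut: 'http://localhost:3000/',
      responseType: 'code',
    },
  },
};
// The incomplete block this issue reports.
const V5_DOMAIN_ONLY = { Auth: { oauth: { domain: 'example.auth.us-east-1.amazoncognito.com' } } };

module.exports = { mergeV5OAuthIntoV6, toList, V6_BASE, V5_FULL, V5_DOMAIN_ONLY };
```

Usage in the app would be `const { config, problems } = mergeV5OAuthIntoV6(amplifyconfig, aws_config);` followed by a single `Amplify.configure(config)` once `problems` is empty; keeping the merge pure means the final object can be logged or asserted on in a test without touching Amplify at all.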

tech-team-rural-mda commented

@dancingfrog

Yes, that works. Thanks!

astroanu commented May 9, 2024

import { Amplify } from 'aws-amplify'; // v6 Amplify import the snippet relies on
import amplifyconfig from './amplifyconfiguration.json';
import aws_config from './aws-exports';

// Load the generated v6 config first, then overlay the v5 OAuth settings on top of it.
// The non-null assertions (!) below assume this first call populated
// Auth.Cognito.loginWith.oauth.
Amplify.configure(amplifyconfig);
Amplify.configure({
    // TODO: Why is this so ridiculous and how can these options be
    //       specified exclusively in amplifyconfiguration.json ???
    ...Amplify.getConfig(),
    Auth: {
        ...Amplify.getConfig().Auth!,
        Cognito: {
            ...Amplify.getConfig().Auth!.Cognito!,
            ...aws_config.Auth,
            loginWith: {
                ...Amplify.getConfig().Auth!.Cognito!.loginWith!,
                oauth: {
                    ...Amplify.getConfig().Auth!.Cognito!.loginWith!.oauth!,
                    ...aws_config.Auth.oauth,
                    // v6 expects arrays where v5 used single strings
                    redirectSignIn: [
                        aws_config.Auth.oauth.redirectSignIn
                    ],
                    redirectSignOut: [
                        aws_config.Auth.oauth.redirectSignOut
                    ],
                    responseType: (aws_config.Auth.oauth.responseType as "code"),
                    // v5 "scope" becomes v6 "scopes"
                    scopes: [
                        ...aws_config.Auth.oauth.scope
                    ]
                },
                username: true,
            },
            userPoolClientId: aws_config.Auth.clientId
        }
    }
});

Where's the documentation for converting a config file from v5 to v6? Of course this works, but it's so ugly and ridiculous.

dancingfrog commented

… no docs found. The above snippet was produced by trial and error.
