
[BUG] amplify import auth - imported cognito user pool - aws-exports.js missing oauth values #13578

Closed
2 tasks done
bubai2000 opened this issue Feb 6, 2024 · 7 comments
Labels
auth Issues tied to the auth category of the CLI pending-triage Issue is pending triage

Comments

@bubai2000

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

20.11.0

Amplify CLI Version

12.10.1

What operating system are you using?

Windows 11

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No Manual Changes

Describe the bug

We tried setting up a custom user pool for authentication which has a federated identity provider (Microsoft). When we ran amplify import auth, it only imported the OAuth domain name and missed other parameters like sign-in URL, sign-out URL, provider name etc. As I understand from what is written here https://docs.amplify.aws/javascript/build-a-backend/auth/import-existing-resources/ we need to have a valid sign-out URL in the hosted UI and also no client secret generated; we have all of those marks checked on our side. So, for now we have no way other than hardcoding the values in the JSON manually. We also discovered an issue already reported years ago here #10932 but it seems there was no further development regarding the same. Can we get some insights on how we can address this issue? Thanks!

Expected behavior

aws-exports.js should contain all the generated OAuth properties.

Reproduction steps

Similar to #10932

Project Identifier

c37ce404d7b0fcf7ea7086458f945ebf


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@bubai2000 bubai2000 added the pending-triage Issue is pending triage label Feb 6, 2024
@ykethan
Member

ykethan commented Feb 6, 2024

Hey @bubai2000, was the cognito resource updated on the console after the resource was imported into amplify?
If the sign-out URL has been configured, could you try unlinking the auth resource using amplify remove auth, re-importing it with amplify import auth, and pushing?

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Feb 6, 2024
@bubai2000
Author

Hi @ykethan, we tried re-importing but it still does not work. For now, we are hardcoding the Auth object in Amplify.configure. Thanks.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 8, 2024
@bubai2000
Author

Hi @ykethan, would like to add an observation here. We tried adding Google as an identity provider in the user pool and added that to the app client also. After that we ran the import auth. This time all the details were populated except the Providers array, but "aws_cognito_social_providers" was populated with Google. We tried running signInWithRedirect with provider = {custom: 'Microsoft'} and it redirected to the Microsoft OAuth landing page properly; also provider = {custom: ''} would open the Cognito hosted UI. But then we tried removing the Google provider from the app client only and then re-imported auth. This time again no details were populated except the OAuth domain. So, as we understand, there is a pseudo-requirement as of now to set up at least one first-class supported federated provider (Google, Facebook, Amazon, Apple) to properly import OAuth settings. Please try to emulate the same from your side and if it is current behavior we would recommend solving this because there might be requirements to set up OAuth support without these first-class supported OAuth providers. Thanks.

@ykethan
Member

ykethan commented Feb 12, 2024

Hey @bubai2000, thank you for the information. I was not able to reproduce the behaviour in my environment.
reproduction steps:

  1. Created a new Cognito user pool
  2. added 2 providers
  3. created app client
  4. ran amplify import auth and observed
{
  "aws_project_region": "us-east-1",
  "aws_cognito_region": "us-east-1",
  "aws_user_pools_id": "us-east-1_<>",
  "aws_user_pools_web_client_id": "<>",
  "oauth": {
    "domain": "<>.auth.us-east-1.amazoncognito.com",
    "scope": [
      "email",
      "openid",
      "phone",
      "profile"
    ],
    "redirectSignIn": "https://localhost:3000",
    "redirectSignOut": "https://localhost:3000",
    "responseType": "code"
  },
  "federationTarget": "COGNITO_USER_POOLS",
  "aws_cognito_username_attributes": [
    "EMAIL"
  ],
  "aws_cognito_social_providers": [
    "GOOGLE",
    "AMAZON"
  ],
  "aws_cognito_signup_attributes": [
    "EMAIL"
  ],
  "aws_cognito_mfa_configuration": "OFF",
  "aws_cognito_mfa_types": [],
  "aws_cognito_password_protection_settings": {
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [
      "REQUIRES_LOWERCASE",
      "REQUIRES_UPPERCASE",
      "REQUIRES_NUMBERS",
      "REQUIRES_SYMBOLS"
    ]
  },
  "aws_cognito_verification_mechanisms": [
    "EMAIL"
  ]
}

From comment: #10932 (comment)
Amplify CLI currently does not support custom identity providers. The supported providers are:
'COGNITO', 'Facebook', 'Google', 'LoginWithAmazon', 'SignInWithApple'

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Feb 12, 2024
@bubai2000
Author

Hi @ykethan, thank you for taking your valuable time to assess the problem. As I already said, if any of the providers 'Facebook', 'Google', 'LoginWithAmazon', 'SignInWithApple' is present in the Cognito client (along with Microsoft), then the OAuth config is imported properly, but if the client is only provided a provider that does not belong to the "supported providers" (e.g. only Microsoft) then the OAuth config is not imported properly from the user pool. We currently provided the client both Google and Microsoft but on the redirectSignIn function we are providing the provider name as Microsoft. This solved our problem as of now. But it would be great if we can remove the dependency on these "supported providers". Thanks :)
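An added example (not code from the issue or from the Amplify CLI) of the interim workaround described in this comment and earlier in the thread: merging the OAuth values that the import left out of aws-exports.js into the imported config before it is handed to Amplify.configure, with a check that refuses an incomplete block or a non-https redirect URL. The helpers completeOAuthConfig and isAllowedRedirect and all sample values are constructed for illustration.

```javascript
// Added example (not from the issue or the Amplify CLI): merge the oauth values
// that `amplify import auth` left out back into the imported config and refuse
// to start with an incomplete or insecure OAuth block. Names are constructed.
const REQUIRED_OAUTH_KEYS = ["domain", "scope", "redirectSignIn", "redirectSignOut", "responseType"];

// Only https is accepted, with plain http allowed for localhost development.
function isAllowedRedirect(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol === "https:") return true;
  return parsed.protocol === "http:" && parsed.hostname === "localhost";
}
// Returns a copy of awsExports whose oauth block is completed from `overrides`.
// Throws when a required key is still missing, a redirect URL is disallowed,
// or the flow is not the authorization-code flow the Hosted UI should use.
function completeOAuthConfig(awsExports, overrides) {
  const oauth = { ...(awsExports.oauth || {}), ...overrides };
  const missing = REQUIRED_OAUTH_KEYS.filter((k) => oauth[k] === undefined);
  if (missing.length > 0) throw new Error("oauth config still missing: " + missing.join(", "));
  // aws-exports.js stores redirect URLs as a comma-separated string.
  for (const key of ["redirectSignIn", "redirectSignOut"]) {
    for (const url of String(oauth[key]).split(",")) {
      if (!isAllowedRedirect(url.trim())) {
        throw new Error(key + " contains a disallowed URL: " + url.trim());
      }
    }
  }
  if (oauth.responseType !== "code") {
    throw new Error("responseType must be 'code' (authorization-code flow)");
  }
  return { ...awsExports, oauth };
}
// Constructed sample of what the reporter saw: only the domain was imported.
const importedConfig = {
  aws_project_region: "us-east-1",
  aws_user_pools_id: "us-east-1_EXAMPLE",
  aws_user_pools_web_client_id: "exampleclientid",
  oauth: { domain: "example.auth.us-east-1.amazoncognito.com" },
};
// Values copied by hand from the app client's Hosted UI settings (constructed).
const manualOAuthValues = {
  scope: ["email", "openid", "profile"],
  redirectSignIn: "https://localhost:3000",
  redirectSignOut: "https://localhost:3000",
  responseType: "code",
};
// `completed` is the object the app would then pass to Amplify.configure(...).
const completed = completeOAuthConfig(importedConfig, manualOAuthValues);
```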

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 13, 2024
@ykethan
Member

ykethan commented Feb 13, 2024

@bubai2000 thank you for the feedback and passing this to the team.
Closing the issue to track #10932 (comment)

@ykethan ykethan closed this as not planned Feb 13, 2024