fix(auth): handle custom Cognito domains without appending regional suffix

sotolucas · sotolucas · commit 233ebcf4c73d · 2025-09-27T21:47:18.000-03:00
Ensure fullDomainPath uses the custom domain as-is when provided,
falling back to the Cognito-managed domain construction only if
no custom domain exists. This resolves malformed OAuth redirect
URLs when using imported Cognito resources with SSO.
diff --git a/packages/backend-auth/src/lambda/reference_auth_initializer.ts b/packages/backend-auth/src/lambda/reference_auth_initializer.ts
@@ -459,7 +459,9 @@ export class ReferenceAuthInitializer {
 
     // domain
     const oauthDomain = userPool.CustomDomain ?? userPool.Domain ?? '';
-    const fullDomainPath = `${oauthDomain}.auth.${region}.amazoncognito.com`;
+    const fullDomainPath = userPool.CustomDomain
+      ? userPool.CustomDomain
+      : `${oauthDomain}.auth.${region}.amazoncognito.com`;
     const data = {
       signupAttributes: JSON.stringify(
         userPool.SchemaAttributes?.filter(
