Environment information
System:
OS: Windows 11 10.0.26100
CPU: (20) x64 13th Gen Intel(R) Core(TM) i7-13650HX
Memory: 10.84 GB / 31.71 GB
Binaries:
Node: 22.16.0 - C:\Program Files\nodejs\node.EXE
Yarn: undefined - undefined
npm: 10.9.2 - C:\Program Files\nodejs\npm.CMD
pnpm: undefined - undefined
NPM Packages:
@aws-amplify/auth-construct: 1.8.1
@aws-amplify/backend: 1.16.1
@aws-amplify/backend-ai: Not Found
@aws-amplify/backend-auth: 1.7.1
@aws-amplify/backend-cli: 1.8.0
@aws-amplify/backend-data: 1.6.1
@aws-amplify/backend-deployer: 2.1.3
@aws-amplify/backend-function: 1.14.1
@aws-amplify/backend-output-schemas: 1.7.0
@aws-amplify/backend-output-storage: 1.3.1
@aws-amplify/backend-secret: 1.4.0
@aws-amplify/backend-storage: 1.4.1
@aws-amplify/cli-core: 2.2.1
@aws-amplify/client-config: 1.8.0
@aws-amplify/data-construct: 1.16.3
@aws-amplify/data-schema: 1.21.1
@aws-amplify/deployed-backend-client: 1.8.0
@aws-amplify/form-generator: 1.2.1
@aws-amplify/model-generator: 1.2.0
@aws-amplify/platform-core: 1.10.0
@aws-amplify/plugin-types: 1.11.0
@aws-amplify/sandbox: 2.1.2
@aws-amplify/schema-generator: 1.4.0
@aws-cdk/toolkit-lib: 1.1.1
aws-amplify: 6.15.5
aws-cdk-lib: 2.210.0
typescript: 5.9.2
No AWS environment variables
No CDK environment variables
Describe the bug
When trying to log in with SSO while using imported existing Cognito resources in my Gen2 project, it redirects to a non-existent Cognito domain, I suspect due to a malformed constant.
IMHO, the logical fix (I've already tested it and it works properly) would be to modify the reference auth initializer Lambda function code that retrieves the information from the Cognito resources so that `fullDomainPath` conditionally takes one of two values, similar to the following snippet:

```ts
const oauthDomain = userPool.CustomDomain ?? userPool.Domain ?? '';
const fullDomainPath = userPool.CustomDomain
  // If a custom domain is provided, use it directly
  ? userPool.CustomDomain
  // Otherwise, use the original Cognito-style construction
  : `${oauthDomain}.auth.${region}.amazoncognito.com`;
```
@awsluja @rtpascual I'd really appreciate your opinion on this topic. Of course I can prepare a PR with this fix if you agree with the solution proposed here.
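An added example (not code from amplify-backend or from the issue author) that models the domain resolution described above: the reported behaviour beside the proposed fix, with `UserPoolDomains`, `isCognitoDomainPrefix` and `authorizeUrl` as names assumed for illustration. It goes slightly beyond the snippet by returning an empty string when neither domain is set and by rejecting a prefix that cannot be a Cognito hosted-UI prefix.

```typescript
// Added example, not amplify-backend's own code. `UserPoolDomains` is an assumed shape
// for the fields the issue refers to: `Domain` is a Cognito hosted-UI prefix,
// `CustomDomain` a full hostname owned by the account.
interface UserPoolDomains {
  Domain?: string;        // e.g. "myapp-dev" (constructed sample value)
  CustomDomain?: string;  // e.g. "auth.dev.example.com" (from the issue)
}

// Behaviour as reported: CustomDomain is preferred but then wrapped in the
// prefix-style suffix, yielding a hostname that does not exist.
function buggyFullDomainPath(userPool: UserPoolDomains, region: string): string {
  const oauthDomain = userPool.CustomDomain ?? userPool.Domain ?? '';
  return `${oauthDomain}.auth.${region}.amazoncognito.com`;
}

// Cognito hosted-UI prefixes are lowercase letters, digits and hyphens only, so a
// value containing a dot can only be a custom domain and must be used verbatim.
function isCognitoDomainPrefix(value: string): boolean {
  return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(value);
}

// Proposed behaviour: custom domain as-is, otherwise the Cognito construction.
// Returns '' when no hosted-UI domain exists, so the caller can treat OAuth as
// unconfigured instead of emitting ".auth.<region>.amazoncognito.com".
function fixedFullDomainPath(userPool: UserPoolDomains, region: string): string {
  if (userPool.CustomDomain) {
    return userPool.CustomDomain;
  }
  const prefix = userPool.Domain ?? '';
  if (prefix === '') {
    return '';
  }
  if (!isCognitoDomainPrefix(prefix)) {
    throw new Error(`Unexpected Cognito domain prefix: ${prefix}`);
  }
  return `${prefix}.auth.${region}.amazoncognito.com`;
}

// The /oauth2/authorize URL the client redirects to, so both results can be
// compared side by side (client id and redirect URI are constructed placeholders).
function authorizeUrl(domain: string, clientId: string, redirectUri: string): string {
  const params = new URLSearchParams({ client_id: clientId, redirect_uri: redirectUri, response_type: 'code' });
  return `https://${domain}/oauth2/authorize?${params.toString()}`;
}

const pool: UserPoolDomains = { CustomDomain: 'auth.dev.example.com' };
console.log(authorizeUrl(buggyFullDomainPath(pool, 'us-east-1'), 'XXX', 'http://localhost:3000/login'));
console.log(authorizeUrl(fixedFullDomainPath(pool, 'us-east-1'), 'XXX', 'http://localhost:3000/login'));
```

The first line printed is the non-existent `auth.dev.example.com.auth.us-east-1.amazoncognito.com` host from the report; the second is the custom domain the browser should actually be sent to.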
Reproduction steps
- Followed the steps provided in the documentation to import Cognito resources. Everything seems fine; I can even use the `<Authenticator>` component without issues with e-mail sign-in, and without further configuration the component is able to detect that the client has Google enabled.
- When SSO is enabled with, for example, Google, `signInWithRedirect` and the hosted UI are required. Of course the hosted UI is in place, enabled and tested for that specific client.
- Whenever you want to sign in with Google you should be redirected to the custom domain I've set in my user pool (in this case `auth.dev.example.com`), but instead I'm being redirected to https://auth.dev.example.com.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin&response_type=code&client_id=XXX&identity_provider=Google&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&state=XXX&code_challenge=XXX&code_challenge_method=S256.
- If we take a look at the `amplify_outputs.json`, the auth block looks like this:
```json
"auth": {
  "user_pool_id": "us-east-XXX",
  "aws_region": "us-east-1",
  "user_pool_client_id": "XXX",
  "identity_pool_id": "us-east-1:XXX",
  "mfa_methods": [
    "TOTP"
  ],
  "standard_required_attributes": [
    "sub"
  ],
  "username_attributes": [
    "email"
  ],
  "user_verification_types": [
    "email"
  ],
  "mfa_configuration": "OPTIONAL",
  "password_policy": {
    "min_length": 10,
    "require_lowercase": true,
    "require_numbers": true,
    "require_symbols": true,
    "require_uppercase": true
  },
  "oauth": {
    "identity_providers": [
      "GOOGLE"
    ],
    "redirect_sign_in_uri": [
      "http://localhost:3000/login",
      "https://dev.example.com/login"
    ],
    "redirect_sign_out_uri": [
      "http://localhost:3000/login",
      "https://dev.example.com/login"
    ],
    "response_type": "code",
    "scopes": [
      "aws.cognito.signin.user.admin",
      "email",
      "openid",
      "phone",
      "profile"
    ],
    "domain": "auth.dev.example.com.auth.us-east-1.amazoncognito.com"
  },
  "unauthenticated_identities_enabled": true
},
```