Conversation

@9pace
Contributor

@9pace 9pace commented Oct 20, 2025

Problem

When using imported Cognito resources in Amplify Gen2 with SSO enabled, login redirects were broken because the initializer Lambda unconditionally appended .auth.{region}.amazoncognito.com to the OAuth domain.
This caused malformed redirect URLs when a custom domain was already set in the Cognito User Pool (e.g., auth.dev.example.comauth.dev.example.com.auth.us-east-1.amazoncognito.com).

Issue number, if available: #2991

Changes

  • Updated getUserPoolOutputs logic so that:
    • If a custom domain is provided, it is used as-is.
    • Otherwise, fallback to Cognito-managed domain ({domain}.auth.{region}.amazoncognito.com).
  • Ensures fullDomainPath is properly constructed in both scenarios.
    This fixes the malformed OAuth redirect URLs when signing in via SSO providers (e.g., Google).

Validation

  • Manually tested with imported Cognito resources and a custom domain (auth.dev.example.com) → redirect now works correctly.
  • Verified fallback behavior with Cognito-managed domains continues to work.
  • Confirmed still detects Google as an IdP and completes the sign-in flow.

Checklist

  • If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • If this PR requires a docs update, I have linked to that docs PR above.
  • If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
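An added example, not code from amplify-backend, showing the two domain-construction paths the PR describes side by side with the pre-fix behaviour, plus a check that flags the doubled-suffix shape quoted in the problem statement. It assumes a Cognito-managed domain arrives as a bare prefix (no dots) and a custom domain as a full hostname; the function and field names are illustrative.

```typescript
// Added example (hypothetical names); not the project's getUserPoolOutputs.
const COGNITO_DOMAIN_SUFFIX = 'amazoncognito.com';

type UserPoolDomainInput = {
  customDomain?: string; // full hostname, e.g. 'auth.dev.example.com'
  domainPrefix?: string; // Cognito-managed prefix, e.g. 'my-app'
};

// Pre-fix behaviour: the managed suffix was appended unconditionally,
// so a custom domain produced a malformed redirect host.
function buildOauthDomainBeforeFix(domain: string, region: string): string {
  return `${domain}.auth.${region}.${COGNITO_DOMAIN_SUFFIX}`;
}

// Fixed behaviour: a custom domain is used as-is; otherwise fall back to
// {prefix}.auth.{region}.amazoncognito.com.
function buildOauthDomain(input: UserPoolDomainInput, region: string): string {
  if (input.customDomain) {
    return input.customDomain;
  }
  if (!input.domainPrefix) {
    throw new Error('either customDomain or domainPrefix is required');
  }
  return `${input.domainPrefix}.auth.${region}.${COGNITO_DOMAIN_SUFFIX}`;
}

// Sanity check for generated outputs: the value must be a valid hostname and,
// if it carries the managed suffix, the part before '.auth.<region>' must be
// a single DNS label (a Cognito domain prefix cannot contain dots). This
// rejects both 'custom.example.com.auth.<region>.amazoncognito.com' and the
// doubled form shown in the problem statement.
const HOSTNAME_RE =
  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/i;
const MANAGED_SUFFIX_RE = /^(.+)\.auth\.([a-z0-9-]+)\.amazoncognito\.com$/i;

function isWellFormedOauthDomain(domain: string): boolean {
  if (!HOSTNAME_RE.test(domain)) {
    return false;
  }
  const managed = MANAGED_SUFFIX_RE.exec(domain);
  if (managed === null) {
    return true; // custom domain: any syntactically valid hostname
  }
  return /^[a-z0-9-]+$/i.test(managed[1]); // managed: prefix is one label
}
```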

sotolucas and others added 4 commits September 27, 2025 21:47
…uffix

Ensure fullDomainPath uses the custom domain as-is when provided,
falling back to the Cognito-managed domain construction only if
no custom domain exists. This resolves malformed OAuth redirect
URLs when using imported Cognito resources with SSO.
…th scenarios

- Add test for custom domain with external login providers
- Add test for cognito-managed domain with external login providers
- Verify oauthCognitoDomain is correctly set for both scenarios
@9pace 9pace requested a review from a team as a code owner October 20, 2025 20:28
@changeset-bot

changeset-bot bot commented Oct 20, 2025

🦋 Changeset detected

Latest commit: 588096b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@aws-amplify/backend-auth Patch


Contributor

@ShadowCat567 ShadowCat567 left a comment


Overall this looks good! Make sure to merge main into this branch to update it

Contributor


since you have another change set file, you should be able to remove this one

Contributor Author


Done ty!

@9pace 9pace merged commit a13d72d into main Oct 20, 2025
52 checks passed
@9pace 9pace deleted the fix/cognito-custom-domain-redirect branch October 20, 2025 21:13