From 233ebcf4c73db25fc103934a0f3cea8cea352a41 Mon Sep 17 00:00:00 2001
From: Lucas Leonardo Soto
Date: Sat, 27 Sep 2025 21:47:18 -0300
Subject: [PATCH 1/5] fix(auth): handle custom Cognito domains without appending regional suffix
Ensure fullDomainPath uses the custom domain as-is when provided, falling back to the Cognito-managed domain construction only if no custom domain exists. This resolves malformed OAuth redirect URLs when using imported Cognito resources with SSO.
---
 .../backend-auth/src/lambda/reference_auth_initializer.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/backend-auth/src/lambda/reference_auth_initializer.ts b/packages/backend-auth/src/lambda/reference_auth_initializer.ts
index 29e9aa18c3a..f25e0c4ec0a 100644
--- a/packages/backend-auth/src/lambda/reference_auth_initializer.ts
+++ b/packages/backend-auth/src/lambda/reference_auth_initializer.ts
@@ -459,7 +459,9 @@ export class ReferenceAuthInitializer {
 // domain
 const oauthDomain = userPool.CustomDomain ?? userPool.Domain ?? '';
- const fullDomainPath = `${oauthDomain}.auth.${region}.amazoncognito.com`;
+ const fullDomainPath = userPool.CustomDomain
+ ? userPool.CustomDomain
+ : `${oauthDomain}.auth.${region}.amazoncognito.com`;
 const data = {
 signupAttributes: JSON.stringify(
 userPool.SchemaAttributes?.filter(
From 7ad0164cebb6ef0a52e3a69ab883ac42781a7c0c Mon Sep 17 00:00:00 2001
From: 9pace
Date: Mon, 20 Oct 2025 16:19:00 -0400
Subject: [PATCH 2/5] test: add unit tests for custom domain and cognito-managed domain OAuth scenarios
- Add test for custom domain with external login providers
- Add test for cognito-managed domain with external login providers
- Verify oauthCognitoDomain is correctly set for both scenarios
---
 .../lambda/reference_auth_initializer.test.ts | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
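Review bot: In the `fullDomainPath` hunk of `reference_auth_initializer.ts` (patch 1/5), the new ternary tests `userPool.CustomDomain` for truthiness while the unchanged line above still picks `oauthDomain` with `??`, and the two disagree for an empty-string `CustomDomain`: `oauthDomain` becomes `''` and the fallback emits `.auth.<region>.amazoncognito.com` even when `userPool.Domain` is set. The same prefix-less host is produced when the pool has neither domain. This value appears to be returned as the OAuth domain clients are pointed at (the tests in patch 2/5 read it back as `oauthCognitoDomain`), so I would make the selection consistent with `const oauthDomain = userPool.CustomDomain || userPool.Domain || '';` and add `// CustomDomain is already a full host name; only a Cognito prefix gets the regional suffix` above the ternary. The enclosing method starts and ends outside the hunk, so whether an empty result is rejected later cannot be seen here.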
diff --git a/packages/backend-auth/src/lambda/reference_auth_initializer.test.ts b/packages/backend-auth/src/lambda/reference_auth_initializer.test.ts
index a2b9dba597f..c429ed83caf 100644
--- a/packages/backend-auth/src/lambda/reference_auth_initializer.test.ts
+++ b/packages/backend-auth/src/lambda/reference_auth_initializer.test.ts
@@ -311,6 +311,38 @@ void describe('ReferenceAuthInitializer', () => {
 );
 });
+ void it('handles custom domain with external login providers', async () => {
+ describeUserPoolResponse = {
+ ...httpSuccess,
+ UserPool: {
+ ...UserPool,
+ CustomDomain: 'auth.dev.example.com',
+ },
+ };
+ const result = await handler.handleEvent(createCfnEvent);
+ assert.strictEqual(result.Status, 'SUCCESS');
+ assert.ok(result.Data);
+ assert.strictEqual(result.Data.oauthCognitoDomain, 'auth.dev.example.com');
+ });
+
+ void it('handles cognito-managed domain with external login providers', async () => {
+ describeUserPoolResponse = {
+ ...httpSuccess,
+ UserPool: {
+ ...UserPool,
+ CustomDomain: undefined,
+ Domain: 'ref-auth-userpool-1',
+ },
+ };
+ const result = await handler.handleEvent(createCfnEvent);
+ assert.strictEqual(result.Status, 'SUCCESS');
+ assert.ok(result.Data);
+ assert.strictEqual(
+ result.Data.oauthCognitoDomain,
+ 'ref-auth-userpool-1.auth.us-east-1.amazoncognito.com',
+ );
+ });
+
 void it('throws if user pool group is not found', async () => {
 listGroupsResponse = {
 ...httpSuccess,
From b4ace06de6182078b0da7ce2932ddd0b63e33837 Mon Sep 17 00:00:00 2001
From: 9pace
Date: Mon, 20 Oct 2025 16:21:26 -0400
Subject: [PATCH 3/5] chore: add empty changeset for test-only changes
---
 .changeset/honest-chairs-rescue.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .changeset/honest-chairs-rescue.md
diff --git a/.changeset/honest-chairs-rescue.md b/.changeset/honest-chairs-rescue.md
new file mode 100644
index 00000000000..a845151cc84
--- /dev/null
+++ b/.changeset/honest-chairs-rescue.md
@@ -0,0 +1,2 @@
+---
+---
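Review bot: The two tests added to `reference_auth_initializer.test.ts` (patch 2/5) pin only the populated cases and leave the no-domain case unasserted: with both `CustomDomain` and `Domain` undefined the handler would, as far as the patch 1/5 hunk shows, return `.auth.us-east-1.amazoncognito.com` as `oauthCognitoDomain`. A third case asserting the intended value there would keep a prefix-less OAuth host from reaching client configuration unnoticed. The titles also say "with external login providers", but neither test sets or asserts anything about providers in the visible lines, so either rename them to mention only the domain or add a provider assertion. The enclosing `describe` and the `UserPool` fixture are defined outside the hunk.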
From dddd919bd5f285bbf54ab237b4b5f7b412316420 Mon Sep 17 00:00:00 2001
From: 9pace
Date: Mon, 20 Oct 2025 16:39:32 -0400
Subject: [PATCH 4/5] chore: add changeset for test additions
---
 .changeset/eighty-feet-go.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/eighty-feet-go.md
diff --git a/.changeset/eighty-feet-go.md b/.changeset/eighty-feet-go.md
new file mode 100644
index 00000000000..aad4be62f3d
--- /dev/null
+++ b/.changeset/eighty-feet-go.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-auth': patch
+---
+
+Add unit tests for custom domain and cognito-managed domain OAuth scenarios
From 588096bbae7b53536ec4b20c54682fe9e3d3f101 Mon Sep 17 00:00:00 2001
From: 9pace
Date: Mon, 20 Oct 2025 17:01:09 -0400
Subject: [PATCH 5/5] chore: removed extra changeset file
---
 .changeset/honest-chairs-rescue.md | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 .changeset/honest-chairs-rescue.md
diff --git a/.changeset/honest-chairs-rescue.md b/.changeset/honest-chairs-rescue.md
deleted file mode 100644
index a845151cc84..00000000000
--- a/.changeset/honest-chairs-rescue.md
+++ /dev/null
@@ -1,2 +0,0 @@
----
----