aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Allow creation of new app clients for Cognito Auth #10871

Open ykethan opened 1 year ago

ykethan commented 1 year ago

Is this feature request related to a new or existing Amplify category?

auth

Is this related to another service?

No response

Describe the feature you'd like to request

When creating a new Amplify application with Cognito auth and pushing it will create two app clients. If one of the app clients is removed (such as via the Cognito AWS console) and we perform an update in our Amplify application with changes such as editing redirect URLs, performing an amplify push on the stack fails and enters a broken state where the change won't go through due to the old app client referenced by unique ID no longer existing.

Created in reference to https://github.com/aws-amplify/amplify-cli/issues/4233#issuecomment-629120515

Describe the solution you'd like

Allow options to swap the App clients in Amplify CLI or allow generation of new App clients that swap the existing App client references.

Describe alternatives you've considered

Utilizing Amplify override to swap new App clients generated on console.

Additional context

Cognito doesn't support generating app clients with specific IDs, so the auth resource is broken due to being unable to recreate or reassign that specific app client. This results in needing to delete the entire environment to work around the issue.

Is this something that you'd be interested in working on?

Would this feature include a breaking change?

willb0246 commented 2 months ago

@ykethan was this issue ever fixed? I have run into it and all of the related tickets point to a workaround and this ticket. I am experiencing this issue in a live production app.

willb0246 commented 2 months ago

@ykethan to follow up, I created a second app with similar setup and tried to follow this instruction:

If this is the case, you can enable Deletion Protection for Cognito and remove it from your project, then use amplify import auth to import the same User Pool with the newly created client(https://github.com/aws-amplify/amplify-cli/issues/12611#issuecomment-1548244403).

But I run into an error where all of the connected services will be deleted if I run amplify remove auth, such as appsync and I believe RDS and others?

ykethan commented 2 months ago

@willb0246 could you provide us the error message? Removing the auth resource should not delete the GraphQL API or other depending resources

willb0246 commented 2 months ago

Yeah absolutely! here is my whole CLI output:

William@MacBook-Pro AthenaLabs-app % amplify remove auth
⚠️
You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

? Choose the resource you would want to remove athenalabsapp725213f9725213f9

? Are you sure you want to delete the resource? This action deletes all files related to this resource from the backend directory. Yes
🛑 Resource cannot be removed because it has a dependency on another resource
🛑 Dependency: AppSync - athenalabuploads
🛑 An error occurred when removing the resources from the local directory

Looking at it again, it doesn't actually seem to be a 'delete' of AppSync

ykethan commented 2 months ago

Hey @willb0246, thank you for the information. Is this auth resource imported? If not, and the user pool was created by Amplify CLI, you will need to remove the auth resource and import the user pool, as the app client deleted on the console cannot be recreated using the CLI. There are two main attributes to this:

  1. Removing the user pool without deleting the user pool resource. This would require pushing an auth override with the following, enabling the retain policy:

```typescript
import {
  AmplifyAuthCognitoStackTemplate,
  AmplifyProjectInfo,
} from "@aws-amplify/cli-extensibility-helper";

export function override(
  resources: AmplifyAuthCognitoStackTemplate,
  amplifyProjectInfo: AmplifyProjectInfo
) {
  // Retain the user pool when the auth resource is removed from the stack.
  // @ts-ignore
  resources.userPool.applyRemovalPolicy("retain");
}
```


Could you remove the existing changes by running an `amplify pull` and try pushing with override to enable the removal policy?

  2. Removing the resource dependency.
     From the error it appears the GraphQL API currently depends on the auth resource. This would require an update on the API by removing the authorization mode on `amplify update api` and removing any auth rules utilizing the auth resource.

Once both the resources have been updated you should be able to run `amplify remove auth` and push. Once the auth resource has been unlinked you can import the auth using `amplify import auth` and re-add the auth rules on the API.

willb0246 commented 2 months ago

Thank you for this information! This problem is stemming from deleting one of the two auto-generated amplify auth appclients. Should I have re-added a mobile cognito client before I re-import this cognito auth? Or can I leave my cognito userpool with the single web appclient?

ykethan commented 2 months ago

@willb0246 the import flow allows utilizing a single client, but I would suggest creating a new client before importing the auth resource.

willb0246 commented 2 months ago

Awesome, so to summarize: in my console I should ensure there are two clients, similar to the way Amplify automatically generates normally (one without client secret and one with client secret). I should then ensure that delete protection is on my prod user pool. Then in my local env I should run amplify remove auth and disconnect any dependent capabilities. Then I should run amplify import auth with that same user pool.

Did I miss anything in that summary?

ykethan commented 2 months ago

Yes: recreate the deleted client, set the retain policy to ensure the user pool is not deleted, remove any resource dependencies, remove the auth resource, re-import the resource.
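A pre-flight check for the checklist agreed above, added here as an example and not code from the amplify-cli project or from anyone in this thread: it confirms deletion protection is on and that the pool carries both app clients Amplify expects (one with a client secret, one without) before `amplify remove auth` / `amplify import auth` are run. The check takes Cognito's DescribeUserPool / DescribeUserPoolClient response shapes as plain dicts so it runs offline; `fetch_pool_state` (an assumed helper) pulls them with boto3, and the sample data is constructed.

```python
"""Pre-flight check before detaching an Amplify-managed Cognito user pool."""


def check_pool_ready(pool, clients):
    """Return a list of blockers; an empty list means the pool is safe to detach.

    `pool` is the UserPool dict from DescribeUserPool; `clients` is a list of
    UserPoolClient dicts from DescribeUserPoolClient.
    """
    problems = []
    # DescribeUserPool reports DeletionProtection as "ACTIVE" or "INACTIVE".
    if pool.get("DeletionProtection") != "ACTIVE":
        problems.append("deletion protection is not enabled on the user pool")
    # DescribeUserPoolClient only returns ClientSecret for clients created with one.
    with_secret = [c["ClientId"] for c in clients if c.get("ClientSecret")]
    without_secret = [c["ClientId"] for c in clients if not c.get("ClientSecret")]
    if not with_secret:
        problems.append("no app client with a client secret (the native client Amplify generates)")
    if not without_secret:
        problems.append("no app client without a client secret (the web client Amplify generates)")
    return problems


def fetch_pool_state(user_pool_id, region):
    """Assumed helper: fetch the same shapes from Cognito with boto3 (first 60 clients)."""
    import boto3  # imported lazily so check_pool_ready itself runs offline
    idp = boto3.client("cognito-idp", region_name=region)
    pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    summaries = idp.list_user_pool_clients(UserPoolId=user_pool_id, MaxResults=60)["UserPoolClients"]
    clients = [
        idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=s["ClientId"])["UserPoolClient"]
        for s in summaries
    ]
    return pool, clients


# Constructed sample: the secret-bearing client was deleted on the console and
# deletion protection was never enabled, so both blockers are reported.
SAMPLE_POOL = {"Id": "us-east-1_EXAMPLE", "DeletionProtection": "INACTIVE"}
SAMPLE_CLIENTS = [{"ClientId": "webclientexample", "ClientName": "web"}]

if __name__ == "__main__":
    for problem in check_pool_ready(SAMPLE_POOL, SAMPLE_CLIENTS):
        print("BLOCKER:", problem)
```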

moob123 commented 2 weeks ago

Can I add additional app clients to the user pool created by amplify without breaking the amplify cli?