aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

updating auth's `hostedUIProviderMeta` does not update auth as expected #12910

Open maziarzamani opened 1 year ago

maziarzamani commented 1 year ago

Is this feature request related to a new or existing Amplify category?

auth

Is this related to another service?

Cognito

Describe the feature you'd like to request

Hi there.

I was wondering if there is a programmatic way to set up Attribute Mapping for SSO login (Google and Apple).

I am specifically attempting to map firstName, lastName and birthdate if they are available.

As far as I can see it is possible to do manually in Cognito Console?

Thanks.


Describe the solution you'd like

A programmatic way to enable these attributes with the CLI

Describe alternatives you've considered

Manually adding them via the console.

Additional context

No response

Is this something that you'd be interested in working on?

Would this feature include a breaking change?

josefaidt commented 1 year ago

Hey @maziarzamani 👋 thanks for raising this! These attributes can be mapped in an auth override https://docs.amplify.aws/cli/auth/override/#customize-amplify-generated-cognito-auth-resources-with-social-providers

maziarzamani commented 1 year ago

> Hey @maziarzamani 👋 thanks for raising this! These attributes can be mapped in an auth override https://docs.amplify.aws/cli/auth/override/#customize-amplify-generated-cognito-auth-resources-with-social-providers

I actually forgot to mention this in the post, but I attempted using the override.ts file and adding the resource manually, however I ran into an issue which is that this override removes "domain" information on the Cognito endpoint, which seems to have a domino effect on the aws-export file which does not refer to the correct endpoint if set manually. This is not ideal :-/

josefaidt commented 1 year ago

Hey @maziarzamani ahh that makes sense. Are you encountering an issue where modifying a value in the override does not also override the value in aws-exports? Or is this a case where the override is effectively breaking aws-exports?

maziarzamani commented 1 year ago

> Hey @maziarzamani ahh that makes sense. Are you encountering an issue where modifying a value in the override does not also override the value in aws-exports? Or is this a case where the override is effectively breaking aws-exports?

So this is what happens:

a. If I enable Google login through amplify cli, the custom domain is also generated and aws-export is as it should be.

b. If I enable Google login through the override.ts, the custom domain is obviously not created as I have to do this manually, furthermore the aws-export is scrambled with a random endpoint.

josefaidt commented 1 year ago

Hey @maziarzamani thanks for clarifying! Unfortunately configuring this through overrides will not produce the expected output in aws-exports.js, and it would instead be advised to capture these outputs manually using a post-push command hook and write to this file or another file that your frontend has access to read.

Can you try writing this in amplify/backend/auth/<resource-name>/cli-inputs.json in the hostedUIProviderMeta property? Apologies for the confusion

```json
"hostedUIProviderMeta": "[{\"ProviderName\":\"Facebook\",\"authorize_scopes\":\"email,public_profile\",\"AttributeMapping\":{\"email\":\"email\",\"username\":\"id\"}}]",
```

maziarzamani commented 1 year ago

> Hey @maziarzamani thanks for clarifying! Unfortunately configuring this through overrides will not produce the expected output in aws-exports.js, and it would instead be advised to capture these outputs manually using a post-push command hook and write to this file or another file that your frontend has access to read.
>
> Can you try writing this in amplify/backend/auth/<resource-name>/cli-inputs.json in the hostedUIProviderMeta property? Apologies for the confusion
>
> ```json
> "hostedUIProviderMeta": "[{\"ProviderName\":\"Facebook\",\"authorize_scopes\":\"email,public_profile\",\"AttributeMapping\":{\"email\":\"email\",\"username\":\"id\"}}]",
> ```

I tried to add given_name and family_name which basically triggered an update, but it did not change attribute mapping on the SSO. This seems a bit odd?

```json
"hostedUIProviderMeta": "[{\"ProviderName\": \"Google\", \"authorize_scopes\": \"openid email profile\", \"AttributeMapping\": {\"email\": \"email\", \"username\": \"sub\", \"given_name\": \"given_name\", \"family_name\": \"family_name\"}}]",
```

maziarzamani commented 11 months ago

> Hey @maziarzamani thanks for clarifying! Unfortunately configuring this through overrides will not produce the expected output in aws-exports.js, and it would instead be advised to capture these outputs manually using a post-push command hook and write to this file or another file that your frontend has access to read.
>
> Can you try writing this in amplify/backend/auth/<resource-name>/cli-inputs.json in the hostedUIProviderMeta property? Apologies for the confusion
>
> ```json
> "hostedUIProviderMeta": "[{\"ProviderName\":\"Facebook\",\"authorize_scopes\":\"email,public_profile\",\"AttributeMapping\":{\"email\":\"email\",\"username\":\"id\"}}]",
> ```

I tried this, but it didn't change anything..

josefaidt commented 10 months ago

Hey @maziarzamani 👋 apologies for the delay on this one! I have found that if you push the changes to attribute mapping after you've added a provider or removed a provider, it will cause the Lambda callout to fire and update the social providers with the new attribute mapping. This is suitable as a workaround, but please keep in mind subsequent amplify update auth executions may overwrite this attribute mapping.

Marking this as investigating

maziarzamani commented 10 months ago

> Hey @maziarzamani 👋 apologies for the delay on this one! I have found that if you push the changes to attribute mapping after you've added a provider or removed a provider, it will cause the Lambda callout to fire and update the social providers with the new attribute mapping. This is suitable as a workaround, but please keep in mind subsequent amplify update auth executions may overwrite this attribute mapping.
>
> Marking this as investigating

Yeah this is clearly the problem I ran into :-/

josefaidt commented 9 months ago

Marking as a bug to address the issue where updating corresponding attributes in auth's cli-inputs.json does not update the social providers (given the custom Lambda callout does not run).
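
Because a push can leave the social provider's mapping unchanged, as discussed in this thread, it helps to compare the mapping declared in `hostedUIProviderMeta` with what the user pool actually has. The following is an added example, not code from the Amplify CLI or from the participants; the function names and sample values are hypothetical, and `deployedMapping` is assumed to be the `AttributeMapping` object that Cognito's DescribeIdentityProvider returns for the provider.

```javascript
// Added example; function names are hypothetical, sample data is constructed.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// hostedUIProviderMeta is a JSON array serialized into a string inside cli-inputs.json.
function decodeProviderMeta(hostedUIProviderMeta) {
  const providers = JSON.parse(hostedUIProviderMeta);
  if (!Array.isArray(providers)) {
    throw new TypeError('hostedUIProviderMeta must decode to an array');
  }
  return providers;
}

function findProvider(providers, providerName) {
  const target = providers.find((p) => p.ProviderName === providerName);
  if (!target) throw new Error(`provider ${providerName} is not configured`);
  return target;
}

// Merge extra mappings into one provider and return the re-encoded string.
function setAttributeMapping(hostedUIProviderMeta, providerName, extraMapping) {
  const providers = decodeProviderMeta(hostedUIProviderMeta);
  const target = findProvider(providers, providerName);
  target.AttributeMapping = { ...target.AttributeMapping, ...extraMapping };
  return JSON.stringify(providers);
}

// Report attributes that are missing, changed, or unexpected in the deployed mapping.
function mappingDrift(hostedUIProviderMeta, providerName, deployedMapping) {
  const target = findProvider(decodeProviderMeta(hostedUIProviderMeta), providerName);
  const desired = target.AttributeMapping || {};
  const drift = [];
  for (const [attr, want] of Object.entries(desired)) {
    if (!has(deployedMapping, attr)) drift.push({ attr, issue: 'missing', want });
    else if (deployedMapping[attr] !== want) {
      drift.push({ attr, issue: 'changed', want, have: deployedMapping[attr] });
    }
  }
  for (const attr of Object.keys(deployedMapping)) {
    if (!has(desired, attr)) drift.push({ attr, issue: 'unexpected', have: deployedMapping[attr] });
  }
  return drift;
}

// Constructed sample: the Google provider before given_name/family_name were added.
const SAMPLE_META = '[{"ProviderName":"Google","authorize_scopes":"openid email profile",' +
  '"AttributeMapping":{"email":"email","username":"sub"}}]';
const SAMPLE_DEPLOYED = { email: 'email', username: 'sub' }; // constructed
const UPDATED_META = setAttributeMapping(SAMPLE_META, 'Google',
  { given_name: 'given_name', family_name: 'family_name' });
console.log(mappingDrift(UPDATED_META, 'Google', SAMPLE_DEPLOYED));
```

A non-empty result after `amplify push` means the provider was not updated and the declared mapping is not in effect.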

maziarzamani commented 9 months ago

Thank you @josefaidt