aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

Auth.signInWithWebUI with AuthProvider.custom redirect URI issue #4864

Open alegos27 opened 4 months ago

alegos27 commented 4 months ago

Description

When using Amplify's signInWithWebUI(provider: AuthProvider.custom(provider)) function with a custom provider, the WebUI does not return to the application after a successful third-party login. Instead, it navigates to the Cognito authentication base URL and shows an error message: "Something went wrong. Please try again." Closing the WebView manually leaves no authenticated session in Amplify. This issue is unique to custom providers since the same flow with social logins, such as signInWithWebUI(provider: AuthProvider.google), works correctly using identical configurations.

Categories

Steps to Reproduce

1.) Amplify Configuration and Init

Use this configuration:

final String amplifyConfig = '''
{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
      "plugins": {
          "awsCognitoAuthPlugin": {
              "IdentityManager": {
                  "Default": {}
              },
              "CognitoUserPool": {
                  "Default": {
                      "PoolId": "${Env().cognitoPoolId}",
                      "AppClientId": "${Env().cognitoAppClientId}",
                      "Region": "${Env().awsRegion}"
                  }
              },
              "Auth": {
                  "Default": {
                      "authenticationFlowType": "CUSTOM_AUTH",
                      "OAuth": {
                          "WebDomain": "${Env().cognitoAuthDomain}",
                          "AppClientId": "${Env().cognitoAppClientId}",
                          "SignInRedirectURI": "myapp://",
                          "SignOutRedirectURI": "myapp://",
                          "Scopes": [ 
                              "phone",
                              "email",
                              "openid",
                              "profile",
                              "aws.cognito.signin.user.admin"
                          ]
                      }
                  }
              }
          }
      }
  }
}
''';

Init Amplify in main.dart:

await Amplify.addPlugin(AmplifyAuthCognito());
await Amplify.configure(amplifyConfig);

2.) Call signInWithWebUI function:
Use the following function to initiate a sign-in with a third-party provider via Amplify's WebUI:

final result = await Amplify.Auth.signInWithWebUI(
   provider: AuthProvider.custom(provider),
   options: const SignInWithWebUIOptions(
     pluginOptions: CognitoSignInWithWebUIPluginOptions(
       isPreferPrivateSession: true,
     ),
   ),
);

3.) Complete the Third-Party Authentication:

4.) Observe the Redirection:

5.) Close the WebView:

Screenshots

[Screenshots: three iPhone 15 simulator captures taken 2024-05-09, showing the sign-in flow]

Platforms

Flutter Version

3.19.6

Amplify Flutter Version

2.0.0

Deployment Method

Custom Pipeline

Schema

No response

khatruong2009 commented 4 months ago

Hi @alegos27, we will look into this issue and get back to you with any updates.

khatruong2009 commented 4 months ago

Hi @alegos27, in the first two screenshots, are you using the AuthProvider.google and showing that it is working? Or are all 3 screenshots part of a single unsuccessful sign in flow? Are you using AuthProvider.custom for your Google sign ins? Can you give us some more details on your custom auth provider?

alegos27 commented 4 months ago

Hi @khatruong2009, the first two screenshots show AuthProvider.custom, but used with Google as the SSO authenticator. We encounter the same issue with other providers like Azure. So, all three screenshots depict a single unsuccessful sign-in flow. When we use Google Sign-In with AuthProvider.google, it works seamlessly, as it does with Apple and Facebook; the sign-in flow, including redirects, works correctly. We're using the Cognito identity provider as a custom SSO auth provider, leveraging SAML or OIDC (90% SAML) for corporate authentication systems that have their own provider. We also tried using AuthProvider.saml(), but with the same result. If you need more details, feel free to ask.

[Screenshot taken 2024-05-10]

NikaHsn commented 3 months ago

@alegos27 thank you for providing these details. We will look into this issue and get back to you with any updates.

NikaHsn commented 3 months ago

@alegos27 in the amplify configuration I noticed that you are using "authenticationFlowType": "CUSTOM_AUTH", would you please confirm that you are using sign-in with custom auth flow with AWS Lambda triggers?

alegos27 commented 3 months ago

@NikaHsn Yes, I can confirm that we are using a custom authentication flow with AWS Lambda triggers in the auth flow with email (Amplify.Auth.signIn). However, for the Amplify.Auth.signInWithWebUI function, we are not using the custom authentication flow. Instead, we use identity providers configured in Cognito as you can see in the screenshots above.

NikaHsn commented 3 months ago

@alegos27 thank you for providing these details. We will look into this and get back to you with any updates.

dagovalsusa commented 3 months ago

same issue here, any updates? Thanks

Equartey commented 3 months ago

Hi @dagovalsusa, no updates yet. We still need to reproduce this. We will update when we have more information.

dagovalsusa commented 3 months ago

Thank you @Equartey. But maybe the Cognito configuration (server side) is wrong or not compatible with the signInWithWebUI flow? Because I tried to use the OAuth2 REST API flow (https://docs.aws.amazon.com/it_it/cognito/latest/developerguide/token-endpoint.html), and it is OK: I receive id_token, access and refresh tokens. So, in the meantime, while you try to reproduce this case, is there a way to set the tokens I get inside the Amplify plugin? I've also tried Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey).federateToIdentityPool(token: response.data["access_token"], provider: AuthProvider.custom(provider)), where access_token is obtained from the OAuth2 REST API flow, but it doesn't work and returns this error:

InvalidAccountTypeException {
  "message": "No identity pool registered for this account",
  "recoverySuggestion": "Register an identity pool using the CLI"
}

Jordan-Nelson commented 3 months ago

@dagovalsusa - There is no way to manually set the tokens. There is a feature request for this (https://github.com/aws-amplify/amplify-flutter/issues/593) but it is not something that is in the roadmap.

dagovalsusa commented 3 months ago

I have identified the root cause of the problem. The Cognito authentication for SSO fails when using a custom domain instead of the default Cognito domain. Specifically, if we do not use the domain format xxxxxx.eu-west-1.amazoncognito.com, the login process fails even when using just the browser.

@alegos27, could you please check this on your side as well?

Thank you!
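The configuration in the original report and the custom-domain finding above both come down to what sits in the "OAuth" block that is handed to Amplify.configure(). The following pre-flight check, an added example and not amplify-flutter code, parses that block and reports the settings most often behind a Hosted UI redirect that never returns to the app: a WebDomain that is not a bare host name (and whether it is a custom domain, which the thread reports as the failing case), redirect URIs that are not absolute or use plain http off localhost, a scope list without "openid", and an app client id that differs between the OAuth and CognitoUserPool sections. It assumes the Gen 1 configuration layout shown in the issue; every value in the embedded sample is a constructed placeholder.

```dart
// Added example (not amplify-flutter code): sanity-check the Hosted UI
// ("OAuth") settings of an Amplify Gen 1 configuration string before it is
// passed to Amplify.configure(). All sample values below are constructed.
import 'dart:convert';

/// Returns human-readable findings for the OAuth block. An empty list means
/// the block passed every check implemented here.
List<String> checkHostedUiConfig(String amplifyConfigJson) {
  final findings = <String>[];
  final root = jsonDecode(amplifyConfigJson) as Map<String, dynamic>;
  final plugin = root['auth']?['plugins']?['awsCognitoAuthPlugin'];
  final oauth = plugin?['Auth']?['Default']?['OAuth'];
  if (oauth is! Map<String, dynamic>) {
    return ['Auth.Default.OAuth block is missing'];
  }

  // 1. WebDomain must be a bare host name: no scheme, no path, no port.
  final domain = (oauth['WebDomain'] ?? '').toString();
  final asUrl = Uri.tryParse('https://$domain');
  if (domain.isEmpty || asUrl == null || asUrl.host != domain) {
    findings.add('WebDomain "$domain" is not a bare host name');
  } else if (!domain.endsWith('.amazoncognito.com')) {
    // Custom domains are valid, but the thread reports them failing: flag
    // for review so the operator confirms the flow starts and returns there.
    findings.add('WebDomain "$domain" is a custom domain: confirm the Hosted '
        'UI is served from it and that sign-in starts and ends on this host');
  }

  // 2. Redirect URIs must be absolute. An app scheme such as "myapp://" is
  //    fine; Cognito only accepts plain http for localhost callbacks.
  for (final key in ['SignInRedirectURI', 'SignOutRedirectURI']) {
    final value = (oauth[key] ?? '').toString();
    final uri = Uri.tryParse(value);
    if (value.isEmpty || uri == null || !uri.hasScheme) {
      findings.add('$key "$value" is not an absolute URI');
    } else if (uri.scheme == 'http' && uri.host != 'localhost') {
      findings.add('$key "$value" uses plain http on a non-localhost host');
    }
  }

  // 3. "openid" is required for Cognito to issue an ID token.
  final rawScopes = oauth['Scopes'];
  final scopes = rawScopes is List ? List<String>.from(rawScopes) : <String>[];
  if (!scopes.contains('openid')) {
    findings.add('Scopes do not include "openid"');
  }

  // 4. The OAuth client must be the same app client as the user pool block.
  final poolClient = plugin?['CognitoUserPool']?['Default']?['AppClientId'];
  if (poolClient != null && oauth['AppClientId'] != poolClient) {
    findings.add('OAuth.AppClientId differs from '
        'CognitoUserPool.Default.AppClientId');
  }
  return findings;
}

void main() {
  // Constructed sample mirroring the shape of the issue's config, with the
  // ${Env()...} placeholders resolved to fake values.
  const sample = '''
{
  "auth": {"plugins": {"awsCognitoAuthPlugin": {
    "CognitoUserPool": {"Default": {
      "PoolId": "eu-west-1_EXAMPLE",
      "AppClientId": "exampleclientid",
      "Region": "eu-west-1"}},
    "Auth": {"Default": {"OAuth": {
      "WebDomain": "auth.example.com",
      "AppClientId": "exampleclientid",
      "SignInRedirectURI": "myapp://",
      "SignOutRedirectURI": "http://example.com/signout",
      "Scopes": ["phone", "email", "profile"]}}}}}}
}''';
  for (final finding in checkHostedUiConfig(sample)) {
    print('- $finding');
  }
}
```

Run it with `dart run` on the file; the constructed sample produces three findings (custom domain flagged for review, plain-http sign-out URI, missing "openid"), while the issue's own config with the environment values filled in would only trigger the custom-domain review line when WebDomain is not an amazoncognito.com host.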

alegos27 commented 3 months ago

@dagovalsusa that solution works! Thanks!

Equartey commented 3 months ago

@dagovalsusa thanks for providing that context. We'll investigate how to best address this and update yall here.

khatruong2009 commented 1 month ago

Hi @alegos27, are you returning to the same Hosted UI URL that the request was initiated from? Did the request start on the custom domain and also return to that same custom domain?

Jordan-Nelson commented 1 month ago

@alegos27 and @dagovalsusa - if you are still facing this issue can you please see the question above? Thanks.

dagovalsusa commented 1 month ago

Hi @khatruong2009, I think so. Our configuration is simply a custom domain in front of the Cognito domain xxxxxx.eu-west-1.amazoncognito.com. But the returning URL is our app scheme (for example app://).

khatruong2009 commented 2 weeks ago

Hi @dagovalsusa, the redirect to the app scheme looks fine, that shouldn't be an issue. Could you provide a HAR file so that we can debug and see if the redirect is being changed inadvertently somewhere along the line? Thanks.