aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Add support for custom identityPoolEndpoint #13445

Open madCodes opened 4 months ago

madCodes commented 4 months ago

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Other

Environment information

```
# Put output below this line
```

Describe the bug

I have imported an existing Cognito resource using the Amplify CLI and set up authentication using the react-ui package in Next.js. Everything runs smoothly, but I need to change the domain which the Amplify CLI uses for auth calls like fetchAuthSession. I have added a custom domain to Cognito using the Amazon web console and tried to pull cloud changes hoping to see "oauth": {"domain":"my-custom-domain.com"}. It never synced. I forcefully updated it while setting Amplify.configure like below.

```js
import { Amplify } from "aws-amplify";
import amplifyconfig from "@/amplifyconfiguration.json";

// Override the OAuth domain that the CLI-generated config did not pick up.
amplifyconfig.oauth.domain = "auth.mydomain.com";

Amplify.configure(amplifyconfig, {
  ssr: false,
});
```

No matter what I do, the Amplify SDK always hits the "cognito-identity.us-east-1.amazonaws.com" domain. Not sure what I am missing here. Thanks.

Expected behavior

Hit my custom domain for all the amplify auth calls

Reproduction steps

Import an existing Cognito user pool without a custom domain into Amplify. Set the custom domain outside Amplify, maybe on the AWS web console. Try configuring the custom domain in Amplify.

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

madCodes commented 4 months ago

@cwomack Were you able to reproduce this? Let me know if you need any further details. This is a show stopper for us as we need to run our app in a restricted environment where only my app domains are whitelisted and people are not able to login because amplify sdk hits *.amazonaws.com domains.

cwomack commented 3 months ago

@madCodes, appreciate your patience with my response. While we support custom user pool endpoints, we do not currently provide any input for custom domains using identity pools with Amplify. We've marked this as a feature request and will review it internally.

cwomack commented 3 months ago

Following up on this further, @madCodes. Would using Custom User Pool endpoints work for your use case instead? I may have misunderstood the intent within this issue, but based on the related Discord thread I'm wondering if these Custom User Pool endpoints would work instead. These docs aren't very detailed, but the userPoolEndpoint docs may help here to see that it's an available option in the CognitoUserPoolConfig interface.

madCodes commented 3 months ago

@cwomack We are open to any solution which will avoid Amplify auth hitting AWS domains. If I understand correctly, I should pass "auth.mydomain.com" to the userPoolEndpoint field? Sorry, but could you please help on how to pass this? Currently I configure Amplify as below.

```js
import { Amplify } from "aws-amplify";
import amplifyconfig from "@/amplifyconfiguration.json";

Amplify.configure(amplifyconfig);
```

Content of the amplifyconfiguration.json is as follows.

```json
{
  "aws_project_region": "us-east-1",
  "aws_cognito_region": "us-east-1",
  "aws_user_pools_id": "us-east-1_XXXXXX",
  "aws_user_pools_web_client_id": "1gc2XXXXXX",
  "oauth": { "domain": "auth.mydomain.com" },
  "aws_cognito_username_attributes": ["EMAIL"],
  "aws_cognito_social_providers": [],
  "aws_cognito_signup_attributes": ["EMAIL"],
  "aws_cognito_mfa_configuration": "OFF",
  "aws_cognito_mfa_types": [],
  "aws_cognito_password_protection_settings": {
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": []
  },
  "aws_cognito_verification_mechanisms": ["EMAIL"]
}
```

israx commented 3 months ago

Hello @madCodes. Amplify makes API requests to both user-pool and identity-pool Cognito endpoints. Below I added more context for both.

  1. Override default user-pool endpoint, e.g. https://cognito-idp

You need to configure a custom endpoint via the Cognito console and configure Amplify as follows:

```js
import { Amplify } from "aws-amplify";

Amplify.configure({
  Auth: {
    Cognito: {
      userPoolId: "xxxxxx",
      userPoolClientId: "xxxxx",
      identityPoolId: "xxxx",
      // custom user-pool endpoint; replaces the default https://cognito-idp.<region>.amazonaws.com
      userPoolEndpoint: "endpoint",
    },
  },
});
```

  2. Override default identity-pool endpoint, e.g. https://cognito-identity

Unfortunately, Amplify doesn't support overriding the default identity-pool endpoint.
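A preflight check, added here as an example that is not code from this thread or from amplify-js, that derives the hosts an Auth.Cognito config will make the SDK contact and flags any that fall outside an egress allowlist. It assumes the default regional hostnames cognito-idp.<region>.amazonaws.com and cognito-identity.<region>.amazonaws.com, that the region is parsed from the pool ids, and, as the comment above states, that the identity-pool host cannot be overridden; the ids and allowlist are constructed placeholders.

```javascript
// Added example (not from the amplify-js project): preflight egress check for an
// Amplify v6 Auth.Cognito config in an environment that allowlists outbound domains.
// Assumptions: default hosts are cognito-idp.<region>.amazonaws.com (user pool,
// overridable via userPoolEndpoint) and cognito-identity.<region>.amazonaws.com
// (identity pool, not overridable); region is the prefix of userPoolId ("us-east-1_...")
// and identityPoolId ("us-east-1:...").

function regionFromId(id, sep) {
  const i = id.indexOf(sep);
  if (i <= 0) throw new Error(`cannot derive region from id: ${id}`);
  return id.slice(0, i);
}

// userPoolEndpoint may be given as a bare host or a full URL; normalise to a hostname.
function hostOf(endpoint) {
  return new URL(endpoint.includes("://") ? endpoint : `https://${endpoint}`).hostname;
}

// Returns every host the SDK will contact for this config, with whether it can be changed.
function cognitoHosts(cognito) {
  const hosts = [];
  const upRegion = regionFromId(cognito.userPoolId, "_");
  hosts.push({
    service: "user-pool",
    host: cognito.userPoolEndpoint
      ? hostOf(cognito.userPoolEndpoint)
      : `cognito-idp.${upRegion}.amazonaws.com`,
    overridable: true,
  });
  if (cognito.identityPoolId) {
    const ipRegion = regionFromId(cognito.identityPoolId, ":");
    hosts.push({
      service: "identity-pool",
      host: `cognito-identity.${ipRegion}.amazonaws.com`,
      overridable: false,
    });
  }
  return hosts;
}

// Hosts not covered by the allowlist (exact match or any subdomain of an allowed domain).
function blockedHosts(cognito, allowlist) {
  const allowed = (h) => allowlist.some((a) => h === a || h.endsWith(`.${a}`));
  return cognitoHosts(cognito).filter((e) => !allowed(e.host));
}

// Constructed sample mirroring the config discussed in this issue (ids are placeholders).
const SAMPLE_CONFIG = {
  userPoolId: "us-east-1_XXXXXX",
  userPoolClientId: "1gc2XXXXXX",
  identityPoolId: "us-east-1:00000000-0000-0000-0000-000000000000",
  userPoolEndpoint: "auth.mydomain.com",
};
const SAMPLE_ALLOWLIST = ["mydomain.com"];

console.log(blockedHosts(SAMPLE_CONFIG, SAMPLE_ALLOWLIST));
// → [{ service: 'identity-pool', host: 'cognito-identity.us-east-1.amazonaws.com', overridable: false }]
```

Running it against the sample shows that overriding userPoolEndpoint alone still leaves fetchAuthSession (the identity-pool credential call) pointed at amazonaws.com, so that host must be allowlisted or the session fetch will fail.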

Neuroforge commented 2 months ago

This is so painful. I managed to get the signIn request working after upgrading from v5 -> v6 and then it failed when fetching the session. Is there any way to patch this?

Can anyone point me to the code where I can try and fix this? This is needed if we want to get the session data when working with something like LocalStack. (amplify-localstack isn't much better.)

I am using this method to get the access/id tokens for Auth headers on API calls. Is there another way to get them for the logged-in user so that they can make authenticated calls and refresh the tokens (if needed)?

jglee96 commented 2 months ago

Could be related with #13025, #13552

Neuroforge commented 2 months ago

> Could be related with #13552

Oh man! This is just sitting there. Are there any ways to get this moving forward?

https://github.com/aws-amplify/amplify-js/pull/13552

cwomack commented 1 month ago

@Neuroforge, @jglee96, and @madCodes

Just wanted to ping you all to say that we are indeed tracking the PR for this feature in #13552 and that will be further reviewed/worked on once we get the bug resolved that is detailed within #13650.