Social Sign In Redirect Error when there are multiple redirect_sign_in_uris and redirect_sign_out_uris
Before creating a new issue, please confirm:
- [x] I have searched for duplicate or closed issues.
- [x] I have read the guide for submitting bug reports.
Which UI component?
Authenticator
Gradle script dependencies
amplifyVersion = "2.27.3"
amplifyAuthenticatorVersion = "1.4.2"
Environment information
# Put output below this line
------------------------------------------------------------
Gradle 8.11.1
------------------------------------------------------------
Build time: 2024-11-20 16:56:46 UTC
Revision: 481cb05a490e0ef9f8620f7873b83bd8a72e7c39
Kotlin: 2.0.20
Groovy: 3.0.22
Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 2023
Launcher JVM: 17.0.4 (Amazon.com Inc. 17.0.4+8-LTS)
Daemon JVM: /Library/Java/JavaVirtualMachines/amazon-corretto-17.jdk/Contents/Home (no JDK specified, using current Java home)
OS: Mac OS X 15.4.1 aarch64
Please include any relevant guides or documentation you're referencing
https://docs.amplify.aws/android/build-a-backend/auth/connect-your-frontend/sign-in/
Describe the bug
I am setting up Sign In with Google on my Android app with AWS Amplify Gen 2. However, clicking the Sign in with Google button shows the error below:
This is the URL that the sign in view opened
https://<domain>.auth.us-west-2.amazoncognito.com/error?error=redirect_mismatch&client_id=<client_id>
This issue is identical to this closed issue from 2019. That issue focuses on the case where the user has two redirect URIs: myapp:// and localhost. In my case, this issue happens even if the other redirect URI is not localhost.
Reproduction steps (if applicable)
- Set up an Amplify project with social sign in and multiple redirect URIs in auth
```ts
import { defineAuth, secret } from "@aws-amplify/backend";
import { ProviderAttribute } from "aws-cdk-lib/aws-cognito";

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      // signInWithApple: { ... }  (Apple provider settings were not included in the report)
      google: {
        clientId: secret("GOOGLE_CLIENT_ID"),
        clientSecret: secret("GOOGLE_CLIENT_SECRET"),
        attributeMapping: {
          email: ProviderAttribute.GOOGLE_EMAIL.attributeName,
          fullname: ProviderAttribute.GOOGLE_NAME.attributeName,
          givenName: ProviderAttribute.GOOGLE_GIVEN_NAME.attributeName,
          profilePicture: ProviderAttribute.GOOGLE_PICTURE.attributeName,
        },
        scopes: ["email", "profile"],
      },
      // Both a custom-scheme (mobile) and an http (web) redirect are registered
      callbackUrls: [
        "myapp://callback/",
        "http://localhost:5173/",
      ],
      logoutUrls: [
        "myapp://signout/",
        "http://localhost:5173/",
      ],
    },
  },
});
```
- The usual Amplify Gen 2 android setup
- Add a Google Sign In button
```kotlin
Authenticator(
    footerContent = {
        GoogleSignInButton( // I defined the google sign in button to be a button that does the below onClick
            onClick = {
                // Sign in with Google using Amplify
                Amplify.Auth.signInWithSocialWebUI(
                    AuthProvider.google(),
                    this,
                    { Log.i("AuthQuickstart", "Sign in OK: $it") },
                    { Log.e("AuthQuickstart", "Sign in failed", it) }
                )
            },
            modifier = Modifier.padding(16.dp)
        )
    }
) { state ->
    HomeScreen(state)
}
```
- Deploy the app and try clicking the sign in with google button. This will bring up the error screenshot I previously pasted.
- Remove the `localhost` or any redirect URL from the `auth/resource.ts` that is not the local `myapp` url, and the social sign in works again.
Code Snippet
Included in reproduction steps
Log output
The authenticator component does not log anything that happens in the web interface.
The error URL is
https://<domain>.auth.us-west-2.amazoncognito.com/error?error=redirect_mismatch&client_id=<client_id>
amplifyconfiguration.json
No response
Additional information and screenshots
My app has an existing Swift and React web interface, and social sign in works on both. Only Android has this issue with social sign in.
Can you provide your amplify_outputs.json file? I'm curious to see the order. Amplify Android will select the first URL in the redirect and sign out URI list.
Sure! I've attached it here. The myapp URIs are first, but I'll try putting those URIs last when I am back at my machine and update you
Update: putting the myapp:// redirects at the end did not work either
What if you leave only 1 value for redirect_sign_in_uri with the one you are trying to use?
If I leave only kanai://callback then my sign in works. If I add any of the others as a second redirect URL, I get the same redirect error
https://github.com/aws-amplify/amplify-android/blob/a63c2b9f08054f17bf4cbba261fe067cd71abe6d/aws-auth-cognito/src/main/java/com/amplifyframework/auth/cognito/AuthConfiguration.kt#L156
It looks like joining the redirects may be bad behavior here. For now, only keep a single redirect uri in the amplify_outputs.json you provide in your Android app. We will take a look at what the correct behavior may be here.
This is an issue with the core Amplify Auth library so I'm transferring it to the appropriate repository for better visibility/tracking.
Amplify 2.29.2 has been released. We will now select the first available, non http(s) redirect uri in the list.
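The selection rule described for 2.29.2, as an added Kotlin example that is not Amplify's own code: it contrasts a joined redirect value with picking the first non-http(s) URI, using an exact-match check as a stand-in for the hosted UI's validation. The `,` separator, the function names and the sample list are assumptions made for illustration.

```kotlin
import java.net.URI

// Constructed sample mirroring the callbackUrls in the report (not read from a real amplify_outputs.json).
val redirectSignInUris = listOf("http://localhost:5173/", "myapp://callback/")

// Assumed reconstruction of the pre-fix behaviour discussed above: every URI joined into one string.
// The "," separator is an assumption.
fun joinedRedirect(uris: List<String>): String = uris.joinToString(",")

// Rule stated in the 2.29.2 release comment: first URI whose scheme is not http or https.
// Returns null when no such entry exists or when entries cannot be parsed.
fun selectAppRedirect(uris: List<String>): String? =
    uris.firstOrNull { candidate ->
        val scheme = runCatching { URI(candidate.trim()).scheme }.getOrNull()
        scheme != null && scheme.lowercase() !in setOf("http", "https")
    }

// Hypothetical stand-in for the authorization server's check:
// the redirect_uri must equal one registered callback URL exactly.
fun isRegistered(redirectUri: String?, registered: Set<String>): Boolean =
    redirectUri != null && redirectUri in registered

fun main() {
    val registered = redirectSignInUris.toSet()

    // Joined value matches no single registered callback, which is what redirect_mismatch reports.
    val joined = joinedRedirect(redirectSignInUris)
    println("joined   = $joined registered=${isRegistered(joined, registered)}")

    // Selecting one custom-scheme URI yields a value that is registered, regardless of list order.
    val selected = selectAppRedirect(redirectSignInUris)
    println("selected = $selected registered=${isRegistered(selected, registered)}")

    // With only web URLs configured there is nothing the app can receive, so no fallback is made.
    println("web only = ${selectAppRedirect(listOf("https://example.com/"))}")
}
```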
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.