
Custom domain support with Cognito

Open venkatesh-kadiyala opened this issue 6 years ago • 42 comments

Describe the bug: We configured a custom domain for the Cognito hosted UI, and when a user tries to log in it calls both the Cognito domain (ending up with an invalid_grant error) and the custom domain (success response), and sometimes it fails for both of them. When I run "amplify status" it gives Hosted UI endpoints with the Cognito domain. I tried to update the domain name using "amplify update auth" and it doesn't allow me to update the custom domain name. I tried to override the auth configuration in my App.js file with the custom domain, but somehow it still calls both the Cognito domain and the custom domain.

Screenshots: [Screen Shot 2019-07-21 at 6 27 06 PM]

You can turn on the debug mode to provide more info for us by setting window.LOG_LEVEL = 'DEBUG'; in your app.

venkatesh-kadiyala avatar Jul 21 '19 22:07 venkatesh-kadiyala

@venkatesh-kadiyala CLI doesn't have custom domain support as of yet. How did you update your user-pool with your custom domain?

kaustavghosh06 avatar Jul 25 '19 17:07 kaustavghosh06

@kaustavghosh06 Updated through console.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html#cognito-user-pools-add-custom-domain-adding

venkatesh-kadiyala avatar Jul 25 '19 19:07 venkatesh-kadiyala

@venkatesh-kadiyala How have you modified your aws_exports.js file? Could we get a snippet of it which would help us debug this issue better?

kaustavghosh06 avatar Aug 01 '19 17:08 kaustavghosh06

@kaustavghosh06 Please see the aws_exports.js file below. Somehow I solved it by removing the Cognito domain directly from the console. This solved my problem, but the Cognito domain is still referenced in aws-exports.js. It doesn't allow me to update it through the amplify CLI. I did update the callback URLs using amplify update auth.

// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.

const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_cognito_identity_pool_id": "us-east-1:xxxxxxxxxxxx",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_xxxxxxxxx",
    "aws_user_pools_web_client_id": "xxxxxxxxxxxxxxxx",
    "oauth": {
        "domain": "clips-xxxx-dev.auth.us-east-1.amazoncognito.com",
        "scope": [
            "phone",
            "email",
            "openid",
            "profile",
            "aws.cognito.signin.user.admin"
        ],
        "redirectSignIn": "https://dev.clips.xxxxx.com/",
        "redirectSignOut": "https://auth.dev.clips.xxxxx.com/login?response_type=code&client_id=4lexxxxxxxxxxxxx&redirect_uri=https://dev.clips.xxxxxx.com/",
        "responseType": "code"
    },
    "federationTarget": "COGNITO_USER_POOLS",
    "aws_appsync_graphqlEndpoint": "https://ohpssu4ybjbgtgyxxxxxxxxxxx.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",
    "aws_user_files_s3_bucket": "xxxx-xxxxx-dev",
    "aws_user_files_s3_bucket_region": "us-east-1",
    "aws_mobile_analytics_app_id": "4cxxxxxxxxxx",
    "aws_mobile_analytics_app_region": "us-east-1"
};

export default awsmobile;

venkatesh-kadiyala avatar Aug 05 '19 13:08 venkatesh-kadiyala

Vote +1 for feature implementation

sandeepsdixit avatar Jan 20 '20 14:01 sandeepsdixit

Vote +1, critical feature for any production app; otherwise it would be frowned upon by customers if they see Amazon Cognito as the domain when clicking Google/Facebook login.

xitanggg avatar Apr 07 '20 05:04 xitanggg

+1, am currently facing the same issue - overwriting the domain in aws-exports when running Amplify.configure() on my react-app based on the environment that's deployed.

yashutanna avatar May 07 '20 06:05 yashutanna

Any update on this one? What is the best work around for this at the moment?

BR, Kyle

kylekirkby avatar May 09 '20 13:05 kylekirkby

I worked around this by adding something like this:

import config from "./aws-exports";
// Update Cognito Settings
config.oauth.domain = "staging.auth.xxxxx.app";
Amplify.configure(config);

kylekirkby avatar May 10 '20 13:05 kylekirkby

Is there a way to convince amplify of an updated auth domain? It reverts to my old domain any time I amplify push.

devth avatar May 18 '20 14:05 devth

I use @kylekirkby's workaround setting the domain from an environment variable and it's working great.

ianmartorell avatar Aug 12 '20 09:08 ianmartorell

As @devth said it seems to revert even with amplify pull / push, so the best for now is to override.

blkc avatar Oct 05 '20 14:10 blkc

I ran into this issue by accidentally updating the domain settings in the Cognito UI - unaware it wasn't supported. My aws-exports.js file reverted to this content, and I was unable to continue with development.

{
    ...,
    "oauth": {},
    ...
}

The env override method didn't work for me, but the following did (Note: this method does not support fully custom domains either).

$ amplify update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.

You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Apply default configuration with Social Provider (Federation)
 What domain name prefix do you want to use? my-custom-cognito-domain
 Enter your redirect signin URI: <redirect uri>
? Do you want to add another redirect signin URI No
 Enter your redirect signout URI: <redirect signout uri>
? Do you want to add another redirect signout URI No


...

$ amplify push

You will now get aws-exports oauth settings that look like:

{
    ...,
    "oauth": {
        "domain": "my-custom-cognito-domain-<Amplify ENV>.auth.<Amplify Region>.amazoncognito.com",
        "scope": [
            "phone",
            "email",
            "openid",
            "profile",
            "aws.cognito.signin.user.admin"
        ],
        "redirectSignIn": ...,
        "redirectSignOut": ...,
        "responseType": "code"
    },
    ...
}

This was able to unblock my development, but it's a band-aid solution for sure. Hopefully we can get custom domain support soon.

zackurben avatar Nov 29 '20 17:11 zackurben

While Amplify doesn't have support for this yet, the customization that Amplify provides is enough to automate the configuration of the backend resources. I wrote an article about how the configuration can be done, to hopefully save some others time: https://medium.com/@matt.lavin/automating-cognito-custom-auth-domains-with-amplify-33e7b8f13266

mdlavin avatar Jan 23 '21 21:01 mdlavin

I also use @kylekirkby's workaround.

These are the lines which set oauth.domain https://github.com/aws-amplify/amplify-cli/blob/525deb6ee99a19d1dfb7342342d29730b79d0eba/packages/amplify-frontend-javascript/lib/frontend-config-creator.js#L250-L252 At this stage, we can't tell if HostedUIDomain is a custom domain or not. So we need to add HostedUICustomDomain: userPool.CustomDomain in amplify-category-auth.

vic-blt avatar Jan 28 '21 11:01 vic-blt

I worked around this by adding something like this:

import config from "./aws-exports";
// Update Cognito Settings
config.oauth.domain = "staging.auth.xxxxx.app";
Amplify.configure(config);

Building upon kylekirkby answer: I did this:

import awsConfig from './aws-exports';
const updatedAwsConfig = {
    ...awsConfig,
    oauth: {
        ...awsConfig.oauth,
        domain: "auth.mycustomdomain.com",
        redirectSignIn: "https://" + location.hostname + "/signin/redirect/path/",
        redirectSignOut: "https://" + location.hostname + "/signout/redirect/path/"
    }
}
Amplify.configure(updatedAwsConfig);

Every redirect route must be configured with Amplify. The custom domain must be authorized in Route 53.

This works even if you have multiple websites (dev1, dev2, dev3) to redirect to, and Amazon only redirects to the correct server (answering the original question of venkatesh-kadiyala (OP)).

biblip avatar Jun 11 '21 18:06 biblip
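The override pattern from kylekirkby's, ianmartorell's and biblip's comments above, written out as an added example (not code from the thread or from Amplify): the generated aws-exports is left untouched so a later amplify push overwrite is harmless, the Hosted UI domain comes from the deployment environment, and the redirect URIs are only built for hosts on an allowlist. The awsExports object, ALLOWED_HOSTS and the REACT_APP_AUTH_DOMAIN variable name are assumptions for illustration.

```javascript
// Constructed stand-in for the CLI-generated aws-exports.js (placeholder values).
const awsExports = {
  aws_project_region: "us-east-1",
  aws_user_pools_id: "us-east-1_xxxxxxxxx",
  aws_user_pools_web_client_id: "xxxxxxxxxxxxxxxx",
  oauth: {
    domain: "clips-xxxx-dev.auth.us-east-1.amazoncognito.com",
    scope: ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"],
    redirectSignIn: "https://dev.clips.xxxxx.com/",
    redirectSignOut: "https://dev.clips.xxxxx.com/",
    responseType: "code",
  },
};

// Hosts this build may redirect back to, one per environment (assumed list).
const ALLOWED_HOSTS = new Set(["dev.clips.xxxxx.com", "staging.clips.xxxxx.com"]);

// Returns a NEW config with oauth.domain replaced and the redirect URIs pinned
// to the current host. Throws instead of silently shipping a bad value, so a
// missing or malformed env var fails the page load rather than the login.
function withCustomAuthDomain(config, { domain, hostname, allowedHosts = ALLOWED_HOSTS }) {
  // Amplify's oauth.domain is a bare hostname: reject schemes, paths, ports.
  if (typeof domain !== "string" || !/^[a-z0-9][a-z0-9.-]*$/i.test(domain)) {
    throw new Error("custom auth domain must be a bare hostname (no scheme or path)");
  }
  if (!allowedHosts.has(hostname)) {
    throw new Error(`refusing to build redirect URIs for unknown host ${hostname}`);
  }
  return {
    ...config,
    oauth: {
      ...config.oauth,
      domain,
      redirectSignIn: `https://${hostname}/signin/redirect/`,
      redirectSignOut: `https://${hostname}/signout/redirect/`,
    },
  };
}

// Stand-alone demonstration with constructed values (in a browser app the
// hostname would be window.location.hostname and the domain would come from
// process.env.REACT_APP_AUTH_DOMAIN, then: Amplify.configure(resolved)).
const resolved = withCustomAuthDomain(awsExports, {
  domain: "auth.dev.clips.xxxxx.com",
  hostname: "dev.clips.xxxxx.com",
});
```

The redirect URIs produced here must still be registered as callback/sign-out URLs on the app client (amplify update auth, as noted in the thread), or Cognito will reject them.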

It looks like adding a custom domain to the Cognito user pool causes amplify push (let's say with some arbitrary API changes, like adding 1 schema type) to fail with

UPDATE_FAILED 
HostedUIProvidersCustomResourceInputs Custom::LambdaCallout
Sat Jun 26 2021 18:24:24 GMT-0400 (Eastern Daylight Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/06/26/[$LATEST]<REDACTED> (RequestId: <REDACTED>)

UPDATE_FAILED
authmytestappc96db3cc
AWS::CloudFormation::Stack Sat Jun 26 2021 18:24:34 GMT-0400 (Eastern Daylight Time) Embedded stack <REDACTED ARN> was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to update: [HostedUIProvidersCustomResourceInputs]. 

Anyone else experiencing this?

thiskevinwang avatar Jun 26 '21 22:06 thiskevinwang

It looks like adding a custom domain to the Cognito user pool causes amplify push (let's say with some arbitrary API changes, like adding 1 schema type) to fail with

UPDATE_FAILED 
HostedUIProvidersCustomResourceInputs Custom::LambdaCallout
Sat Jun 26 2021 18:24:24 GMT-0400 (Eastern Daylight Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/06/26/[$LATEST]<REDACTED> (RequestId: <REDACTED>)

UPDATE_FAILED
authmytestappc96db3cc
AWS::CloudFormation::Stack Sat Jun 26 2021 18:24:34 GMT-0400 (Eastern Daylight Time) Embedded stack <REDACTED ARN> was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to update: [HostedUIProvidersCustomResourceInputs]. 

Anyone else experiencing this?

Yes, I'm experiencing this, and I believe I found a solution. Weirdly enough, after many tests, I discovered that it has to do with the auth component (caused by the amplify code, not because of the addition of the custom domain, but triggered by that or other changes directly to the resources of the stack). The root cause is that the configuration of auth becomes corrupted in some way. Solution:

>amplify update auth
>... do some small change or reaffirm the configuration, for instance: re-entering the oauth2 configuration.
>... you don't have to enter the full configuration.
>amplify push

Now, after doing that I can always do amplify push again. In a recent update (last week) of amplify I believe this problem was solved. Current version: amplify --version gives me "5.0.0", check yours.

Maybe you would like to open a new issue with your question, and referencing this?

biblip avatar Jun 27 '21 05:06 biblip

I was facing this issue with the amplify-flutter package, and @kylekirkby's solution worked for me. For flutter devs, just edit the amplifyconfiguration.dart file: reassign WebDomain : xxx-staging.auth.amazoncognito.com to WebDomain : your_domain.com. It is a temporary fix; it should be fixed soon.

hackrx avatar Aug 17 '21 19:08 hackrx

Any updates on this? It is an almost 1-year-old request and still pending. I am facing this issue in flutter. For flutter, it generates an amplifyconfiguration.dart file, which is a string export, and every time I make an amplify push it automatically changes the WebDomain value in this file, so I need to manually go to this file after each push and update the domain with my custom domain. This should be fixed soon, or at least could anyone please tell me a workaround for this.

amplifyconfiguration.dart [File which I need to update after each push]

const amplifyconfig = ''' {
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "api": {
        "plugins": {
            "awsAPIPlugin": {
                "appnamebackend": {
                    "endpointType": "GraphQL",
                    "endpoint": "https://nxxxxxxxxxxxxxe.appsync-api.us-east-2.amazonaws.com/graphql",
                    "region": "us-east-2",
                    "authorizationType": "API_KEY",
                    "apiKey": "dx2-xxxxxxxxxxxxxxxa"
                }
            }
        }
    },
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify-cli/0.1.0",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "AppSync": {
                    "Default": {
                        "ApiUrl": "https://xxxxxxxxxxxxxxxxe.appsync-api.us-east-2.amazonaws.com/graphql",
                        "Region": "us-east-2",
                        "AuthMode": "API_KEY",
                        "ApiKey": "dx2-zxxxxxxxxxxxxxaa",
                        "ClientDatabasePrefix": "appname_API_KEY"
                    },
                    "appnamebackend_AWS_IAM": {
                        "ApiUrl": "https://appname.appsync-api.us-east-2.amazonaws.com/graphql",
                        "Region": "us-east-2",
                        "AuthMode": "AWS_IAM",
                        "ClientDatabasePrefix": "appname_AWS_IAM"
                    },
                    "appname_AMAZON_COGNITO_USER_POOLS": {
                        "ApiUrl": "https://nxxxxxxxxxxxxxxcde.appsync-api.us-east-2.amazonaws.com/graphql",
                        "Region": "us-east-2",
                        "AuthMode": "AMAZON_COGNITO_USER_POOLS",
                        "ClientDatabasePrefix": "appname_AMAZON_COGNITO_USER_POOLS"
                    }
                },
                "CredentialsProvider": {
                    "CognitoIdentity": {
                        "Default": {
                            "PoolId": "us-east-2:e1xxxxxxxxxxxxxxx155",
                            "Region": "us-east-2"
                        }
                    }
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "us-east-2_hYSWWnA6x",
                        "AppClientId": "98cxxxxxxxxxx0lk64k",
                        "Region": "us-east-2"
                    }
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "auth.appname.in",    // <------------------------- it changes to https://appname-staging/auth.us.-east-2.amazoncognito.com
                            "AppClientId": "98cxxxxxxxxxx0lk64k",
                            "SignInRedirectURI": "appname://",
                            "SignOutRedirectURI": "appname://",
                            "Scopes": [
                                "phone",
                                "email",
                                "openid",
                                "profile",
                                "aws.cognito.signin.user.admin"
                            ]
                        },
                        "authenticationFlowType": "USER_SRP_AUTH",
                        "loginMechanism": [],
                        "signupAttributes": [
                            "EMAIL"
                        ],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 8,
                            "passwordPolicyCharacters": [
                                "REQUIRES_LOWERCASE",
                                "REQUIRES_NUMBERS",
                                "REQUIRES_SYMBOLS",
                                "REQUIRES_UPPERCASE"
                            ]
                        },
                        "mfaConfiguration": "OFF",
                        "mfaTypes": [
                            "SMS"
                        ]
                    }
                },
                "S3TransferUtility": {
                    "Default": {
                        "Bucket": "appname-staging",
                        "Region": "us-east-2"
                    }
                }
            }
        }
    },
    "storage": {
        "plugins": {
            "awsS3StoragePlugin": {
                "bucket": "appname-staging",
                "region": "us-east-2",
                "defaultAccessLevel": "guest"
            }
        }
    }
}''';

hackrx avatar Sep 03 '21 16:09 hackrx

@UnicornAccount this is simple and clear. Just wondering why the Amplify docs have not included it?

yanislavtankov avatar Dec 15 '21 16:12 yanislavtankov

I'm guessing this isn't supported yet because authorizing SES from sandbox isn't straightforward.

joekiller avatar Sep 21 '22 23:09 joekiller

Any updates on this? It's been 3 years

amonradev avatar May 05 '23 16:05 amonradev

+1!

maziarzamani avatar Jul 06 '23 13:07 maziarzamani

+1!

keilaiendraicak avatar Aug 14 '23 19:08 keilaiendraicak

Updates??

leonardohenriquedev avatar Aug 28 '23 15:08 leonardohenriquedev

Our users are confused by the generic Cognito endpoint being prompted when SSO is utilized; it would be ideal to white-label these. While it is possible to do manually from the Cognito console, it is not really compatible with the CLI.

maziarzamani avatar Aug 29 '23 13:08 maziarzamani

Hi @maziarzamani, can you explain how to do it in the Cognito console? I can't find anything about how to configure it.

amonkomlog avatar Aug 29 '23 16:08 amonkomlog

👀

maziarzamani avatar Sep 17 '23 08:09 maziarzamani

I'm facing this issue. There is no way to update my custom domain in aws-export.js file.

ngochoangdev-bunbu avatar Oct 17 '23 09:10 ngochoangdev-bunbu