amplify-cli
Allow creation of new app clients for Cognito Auth
Is this feature request related to a new or existing Amplify category?
auth
Is this related to another service?
No response
Describe the feature you'd like to request
When creating a new Amplify application with Cognito auth and pushing it, two app clients are created. If one of the app clients is removed (such as via the Cognito AWS console) and we perform an update in our Amplify application with changes such as editing redirect URLs, performing an amplify push on the stack fails and enters a broken state where the change won't go through, because the old app client referenced by unique ID no longer exists.
Created in reference to https://github.com/aws-amplify/amplify-cli/issues/4233#issuecomment-629120515
Describe the solution you'd like
Allow options to swap the App clients in Amplify CLI or allow generation of new App clients that swap the existing App client references.
Describe alternatives you've considered
Utilizing Amplify override to swap new App clients generated on console.
Additional context
Cognito doesn't support generating app clients with specific IDs, so the auth resource is broken due to being unable to recreate or reassign that specific app client. This results in needing to delete the entire environment to work around the issue.
Is this something that you'd be interested in working on?
- [ ] 👋 I may be able to implement this feature request
Would this feature include a breaking change?
- [ ] ⚠️ This feature might incur a breaking change
@ykethan was this issue ever fixed? I have run into it and all of the related tickets point to a workaround and this ticket. I am experiencing this issue in a live production app.
@ykethan to follow up, I created a second app with similar setup and tried to follow this instruction:
If this is the case, you can enable Deletion Protection for Cognito and remove it from your project, then use amplify import auth to import the same User Pool with the newly created client(https://github.com/aws-amplify/amplify-cli/issues/12611#issuecomment-1548244403).
But I run into an error where all of the connected services will be deleted if I run amplify remove auth, such as appsync and I believe RDS and others?
@willb0246 could you provide us the error message? Removing the auth resource should not delete the GraphQL API or other depending resources
Yeah absolutely! here is my whole CLI output:
William@MacBook-Pro AthenaLabs-app % amplify remove auth
⚠️
You have configured resources that might depend on this Cognito resource. Updating this Cognito resource could have unintended side effects.
? Choose the resource you would want to remove athenalabsapp725213f9725213f9
? Are you sure you want to delete the resource? This action deletes all files related to this resource from the backend directory. Yes
🛑 Resource cannot be removed because it has a dependency on another resource
🛑 Dependency: AppSync - athenalabuploads
🛑 An error occurred when removing the resources from the local directory
Looking at it again, it doesn't actually seem to be a 'delete' of AppSync
Hey @willb0246, thank you for the information. Is this auth resource imported? If not, and the user pool was created by the Amplify CLI, you will need to remove the auth resource and import the user pool, as the app client deleted on the console cannot be recreated using the CLI. There are two main attributes to this:
- Removing the auth resource without deleting the user pool. This would require pushing an auth override like the following, enabling the retain policy:
```ts
import {
  AmplifyAuthCognitoStackTemplate,
  AmplifyProjectInfo,
} from "@aws-amplify/cli-extensibility-helper";

export function override(
  resources: AmplifyAuthCognitoStackTemplate,
  amplifyProjectInfo: AmplifyProjectInfo
) {
  // @ts-ignore
  resources.userPool.applyRemovalPolicy("retain");
}
```
Could you remove the existing changes by running an amplify pull and try pushing with the override to enable the removal policy?
- Removing the resource dependency.
From the error it appears the GraphQL API currently depends on the auth resource. This would require an update on the API by removing the authorization mode via amplify update api and removing any auth rules utilizing the auth resource.
Once both the resources have been updated you should be able to run amplify remove auth and push. Once the auth resource has been unlinked you can import the auth using amplify import auth and re-add the auth rules on the API.
Thank you for this information! This problem is stemming from deleting one of the two auto-generated amplify auth appclients. Should I have re-added a mobile cognito client before I re-import this cognito auth? Or can I leave my cognito userpool with the single web appclient?
@willb0246 the import flow allows utilizing a single client, but i would suggest creating a new client before importing the auth resource.
Awesome, so to summarize - in my console I should ensure there are two clients, similar to the way Amplify automatically generates normally (one without client secret and one with client secret). I should then ensure that delete protection is on my prod user pool. Then in my local env I should run amplify remove auth and disconnect any dependent capabilities. Then I should run amplify import auth with that same user pool.
Did I miss anything in that summary?
Yes: recreate the deleted client, set the retain policy to ensure the user pool is not deleted, remove any resource dependencies, remove the auth resource, re-import the resource.
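As an added example (not code from amplify-cli or from this thread), a preflight check for the recovery steps summarized above: it reports which app client IDs recorded by the CLI no longer exist in the user pool, and which preconditions for `amplify remove auth` and the re-import are still unmet. The input shapes are assumptions modelled on the auth `output` section of amplify-meta.json (AppClientID / AppClientIDWeb) and on the describe-user-pool and describe-user-pool-client responses (the `hasSecret` flag is assumed to be derived from whether a ClientSecret is returned); all sample data is constructed.

```typescript
// Added example, not amplify-cli code. Input shapes are assumptions modelled on
// amplify-meta.json's auth output (AppClientID / AppClientIDWeb) and on the
// Cognito describe-user-pool / describe-user-pool-client responses.

interface AuthOutput { UserPoolId: string; AppClientID?: string; AppClientIDWeb?: string }
interface PoolInfo { Id: string; DeletionProtection?: "ACTIVE" | "INACTIVE" }
interface LiveClient { ClientId: string; ClientName: string; hasSecret: boolean }
interface DriftReport { userPoolId: string; missing: string[]; ok: boolean }

// Compare the client IDs the CLI recorded with the clients that still exist.
// A non-empty `missing` list is exactly the state that makes `amplify push` fail.
function checkAppClientDrift(output: AuthOutput, live: LiveClient[]): DriftReport {
  const expected = [output.AppClientID, output.AppClientIDWeb].filter((id): id is string => !!id);
  const liveIds = new Set(live.map((c) => c.ClientId));
  const missing = expected.filter((id) => !liveIds.has(id));
  return { userPoolId: output.UserPoolId, missing, ok: missing.length === 0 };
}

// Conditions that should hold before `amplify remove auth` and the re-import:
// the pool must survive the removal, and both client kinds must exist again.
function preflightRemoveAuth(pool: PoolInfo, live: LiveClient[]): string[] {
  const problems: string[] = [];
  if (pool.DeletionProtection !== "ACTIVE") {
    problems.push("DeletionProtection is not ACTIVE: enable it (or push the retain override) first");
  }
  if (!live.some((c) => c.hasSecret)) {
    problems.push("no app client with a client secret exists: recreate the native client");
  }
  if (!live.some((c) => !c.hasSecret)) {
    problems.push("no app client without a client secret exists: recreate the web client");
  }
  return problems;
}

// Constructed sample: the CLI recorded two clients, but the secret-bearing
// native client was deleted in the console and deletion protection is off.
const sampleOutput: AuthOutput = {
  UserPoolId: "us-east-1_EXAMPLE",
  AppClientID: "1example2nativeclientid",
  AppClientIDWeb: "3example4webclientid",
};
const samplePool: PoolInfo = { Id: "us-east-1_EXAMPLE", DeletionProtection: "INACTIVE" };
const sampleLive: LiveClient[] = [{ ClientId: "3example4webclientid", ClientName: "clientWeb", hasSecret: false }];

const drift = checkAppClientDrift(sampleOutput, sampleLive);
console.log(drift.ok ? "app clients intact" : `missing app client(s): ${drift.missing.join(", ")}`);
for (const p of preflightRemoveAuth(samplePool, sampleLive)) console.log(`blocker: ${p}`);
```

Feed the live values from `aws cognito-idp describe-user-pool` and `describe-user-pool-client` into the same functions to check a real environment before removing the auth resource.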
Can I add additional app clients to the user pool created by amplify without breaking the amplify cli?