Skip to content

fix(auth): handle custom Cognito domains without appending regional suffix #3005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(auth): handle custom Cognito domains without appending regional suffix #3005

wants to merge 2 commits into from

Conversation

sotolucas
Copy link

Problem

When using imported Cognito resources in Amplify Gen2 with SSO enabled, login redirects were broken because the initializer Lambda unconditionally appended .auth.{region}.amazoncognito.com to the OAuth domain.
This caused malformed redirect URLs when a custom domain was already set in the Cognito User Pool (e.g., auth.dev.example.comauth.dev.example.com.auth.us-east-1.amazoncognito.com).

Issue number, if available: #2991

Changes

  • Updated getUserPoolOutputs logic so that:
    • If a custom domain is provided, it is used as-is.
    • Otherwise, fallback to Cognito-managed domain ({domain}.auth.{region}.amazoncognito.com).
  • Ensures fullDomainPath is properly constructed in both scenarios.
    This fixes the malformed OAuth redirect URLs when signing in via SSO providers (e.g., Google).

Validation

  • Manually tested with imported Cognito resources and a custom domain (auth.dev.example.com) → redirect now works correctly.
  • Verified fallback behavior with Cognito-managed domains continues to work.
  • Confirmed still detects Google as an IdP and completes the sign-in flow.

Checklist

  • If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • If this PR requires a docs update, I have linked to that docs PR above.
  • If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sotolucas
fix(auth): handle custom Cognito domains without appending regional s…
233ebcf 
…uffix

Ensure fullDomainPath uses the custom domain as-is when provided,
falling back to the Cognito-managed domain construction only if
no custom domain exists. This resolves malformed OAuth redirect
URLs when using imported Cognito resources with SSO.
@sotolucas sotolucas requested a review from a team as a code owner September 28, 2025 00:56
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 28, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: d96c34a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sotolucas