feat: add support for idp_identifier query parameter when going through OAuth using signInWithRedirect function (#14573)

Author: sarayev

packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts

@@ -192,6 +192,17 @@ describe('signInWithRedirect', () => {
 		);
 	});
 
+	it('uses idpIdentifier when specified', async () => {
+		const expectedIdpIdentifier = 'example.com';
+		await signInWithRedirect({
+			provider: { idpIdentifier: expectedIdpIdentifier },
+		});
+		const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
+		expect(oauthUrl).toStrictEqual(
+			`https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&idp_identifier=${expectedIdpIdentifier}&scope=phone+email+openid+profile+aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+		);
+	});
+
 	it('uses custom state if specified', async () => {
 		const expectedCustomState = 'verify_me';
 		await signInWithRedirect({ customState: expectedCustomState });

packages/auth/src/providers/cognito/apis/signInWithRedirect.ts

@@ -51,17 +51,21 @@ export async function signInWithRedirect(
 	}
 
 	let provider = 'COGNITO'; // Default
+	let idpIdentifier: string | undefined;
 
 	if (typeof input?.provider === 'string') {
 		provider = cognitoHostedUIIdentityProviderMap[input.provider];
 	} else if (input?.provider?.custom) {
 		provider = input.provider.custom;
+	} else if (input?.provider?.idpIdentifier) {
+		({ idpIdentifier } = input.provider);
 	}
 
 	return oauthSignIn({
 		oauthConfig: authConfig.loginWith.oauth,
 		clientId: authConfig.userPoolClientId,
 		provider,
+		idpIdentifier,
 		customState: input?.customState,
 		preferPrivateSession: input?.options?.preferPrivateSession,
 		options: {
@@ -77,6 +81,7 @@ export async function signInWithRedirect(
 const oauthSignIn = async ({
 	oauthConfig,
 	provider,
+	idpIdentifier,
 	clientId,
 	customState,
 	preferPrivateSession,
@@ -85,6 +90,7 @@ const oauthSignIn = async ({
 }: {
 	oauthConfig: OAuthConfig;
 	provider: string;
+	idpIdentifier?: string;
 	clientId: string;
 	customState?: string;
 	preferPrivateSession?: boolean;
@@ -117,10 +123,17 @@ const oauthSignIn = async ({
 		['redirect_uri', redirectUri],
 		['response_type', responseType],
 		['client_id', clientId],
-		['identity_provider', provider],
-		['scope', scopes.join(' ')],
 	]);
 
+	// Add either identity_provider or idp_identifier, but not both
+	if (idpIdentifier) {
+		params.append('idp_identifier', idpIdentifier);
+	} else {
+		params.append('identity_provider', provider);
+	}
+
+	params.append('scope', scopes.join(' '));
+
 	loginHint && params.append('login_hint', loginHint);
 	lang && params.append('lang', lang);
 	nonce && params.append('nonce', nonce);

packages/auth/src/types/inputs.ts

@@ -69,7 +69,10 @@ export type AuthProvider = 'Amazon' | 'Apple' | 'Facebook' | 'Google';
 export type AuthPrompt = 'NONE' | 'LOGIN' | 'CONSENT' | 'SELECT_ACCOUNT';
 
 export interface AuthSignInWithRedirectInput {
-	provider?: AuthProvider | { custom: string };
+	provider?:
+		| AuthProvider
+		| { custom: string; idpIdentifier?: never }
+		| { idpIdentifier: string; custom?: never };
 	customState?: string;
 	options?: {
 		/**