From 3a7b7a96afaed3caf27510ed4a2dc34d9c258edd Mon Sep 17 00:00:00 2001
From: Galib Sarayev
Date: Mon, 29 Sep 2025 09:19:40 +0200
Subject: [PATCH 1/2] feat: add support for idp_identifier query parameter when going through OAuth using signInWithRedirect function
---
 .../cognito/signInWithRedirect.test.ts | 11 +++++++++++
 .../cognito/apis/signInWithRedirect.ts | 19 ++++++++++++++++---
 packages/auth/src/types/inputs.ts | 2 +-
 3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
index 7371c31b91a..f1a7b596f7d 100644
--- a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
+++ b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
@@ -192,6 +192,17 @@ describe('signInWithRedirect', () => {
 );
 });
+ it('uses idpIdentifier when specified', async () => {
+ const expectedIdpIdentifier = 'example.com';
+ await signInWithRedirect({
+ provider: { idpIdentifier: expectedIdpIdentifier },
+ });
+ const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
+ expect(oauthUrl).toStrictEqual(
+ `https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&idp_identifier=${expectedIdpIdentifier}&scope=phone+email+openid+profile+aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ );
+ });
+
 it('uses custom state if specified', async () => {
 const expectedCustomState = 'verify_me';
 await signInWithRedirect({ customState: expectedCustomState });
diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
index e327769ab69..444c31c9ec7 100644
--- a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
+++ b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
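Review bot: The new test in the `@@ -192` hunk only exercises `example.com`, which contains no reserved characters, so the assertion would pass equally well if the identifier were concatenated into the URL unescaped. The identifier is caller-supplied and ends up in the authorize URL, so add a second case with a constructed value such as `'a b&c=d'` and expect `idp_identifier=a+b%26c%3Dd`. That expectation assumes the query is serialized by URLSearchParams, as the existing `scope=phone+email+…` expectation suggests. Pinning the encoding this way keeps a later refactor of the query building from letting the value add parameters of its own. The enclosing `describe` block starts and ends outside the hunk.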
@@ -51,17 +51,21 @@ export async function signInWithRedirect(
 }
 let provider = 'COGNITO'; // Default
+ let idpIdentifier: string | undefined;
 if (typeof input?.provider === 'string') {
 provider = cognitoHostedUIIdentityProviderMap[input.provider];
- } else if (input?.provider?.custom) {
+ } else if (input?.provider && 'custom' in input.provider) {
 provider = input.provider.custom;
+ } else if (input?.provider && 'idpIdentifier' in input.provider) {
+ ({ idpIdentifier } = input.provider);
 }
 return oauthSignIn({
 oauthConfig: authConfig.loginWith.oauth,
 clientId: authConfig.userPoolClientId,
 provider,
+ idpIdentifier,
 customState: input?.customState,
 preferPrivateSession: input?.options?.preferPrivateSession,
 options: {
@@ -77,6 +81,7 @@ export async function signInWithRedirect(
 const oauthSignIn = async ({
 oauthConfig,
 provider,
+ idpIdentifier,
 clientId,
 customState,
 preferPrivateSession,
@@ -85,6 +90,7 @@ const oauthSignIn = async ({
 }: {
 oauthConfig: OAuthConfig;
 provider: string;
+ idpIdentifier?: string;
 clientId: string;
 customState?: string;
 preferPrivateSession?: boolean;
@@ -117,10 +123,17 @@ const oauthSignIn = async ({
 ['redirect_uri', redirectUri],
 ['response_type', responseType],
 ['client_id', clientId],
- ['identity_provider', provider],
- ['scope', scopes.join(' ')],
 ]);
+ // Add either identity_provider or idp_identifier, but not both
+ if (idpIdentifier) {
+ params.append('idp_identifier', idpIdentifier);
+ } else {
+ params.append('identity_provider', provider);
+ }
+
+ params.append('scope', scopes.join(' '));
+
 loginHint && params.append('login_hint', loginHint);
 lang && params.append('lang', lang);
 nonce && params.append('nonce', nonce);
diff --git a/packages/auth/src/types/inputs.ts b/packages/auth/src/types/inputs.ts
index 3f23e784312..8c72699f182 100644
--- a/packages/auth/src/types/inputs.ts
+++ b/packages/auth/src/types/inputs.ts
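Review bot: In the `@@ -117` hunk, `if (idpIdentifier)` is a truthiness test, so an empty string takes the else branch and the request goes out with `identity_provider` set to the `'COGNITO'` default from signInWithRedirect instead of failing. An application that derives the identifier from user input, for example an e-mail domain, would then send the user down a different sign-in path with no error. Consider rejecting an empty identifier before the URL is built, or at least record the fallback above the branch with a comment such as `// An empty idpIdentifier is treated as absent: the request falls back to identity_provider`. The value itself appears to be percent-encoded by URLSearchParams when appended, so the concern is the silent fallback, not the encoding. oauthSignIn starts and ends outside this hunk.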
@@ -69,7 +69,7 @@ export type AuthProvider = 'Amazon' | 'Apple' | 'Facebook' | 'Google';
 export type AuthPrompt = 'NONE' | 'LOGIN' | 'CONSENT' | 'SELECT_ACCOUNT';
 export interface AuthSignInWithRedirectInput {
- provider?: AuthProvider | { custom: string };
+ provider?: AuthProvider | { custom: string } | { idpIdentifier: string };
 customState?: string;
 options?: {
 /**
From 9a3b374bec82d43697135bbc56697c37215513bd Mon Sep 17 00:00:00 2001
From: Ahmed Hamouda
Date: Wed, 8 Oct 2025 15:46:46 +0200
Subject: [PATCH 2/2] fix: modify the auth provider types to be mutually exclusive
---
 .../auth/src/providers/cognito/apis/signInWithRedirect.ts | 4 ++--
 packages/auth/src/types/inputs.ts | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
index 444c31c9ec7..1a035b448cc 100644
--- a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
+++ b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
@@ -55,9 +55,9 @@ export async function signInWithRedirect(
 if (typeof input?.provider === 'string') {
 provider = cognitoHostedUIIdentityProviderMap[input.provider];
- } else if (input?.provider && 'custom' in input.provider) {
+ } else if (input?.provider?.custom) {
 provider = input.provider.custom;
- } else if (input?.provider && 'idpIdentifier' in input.provider) {
+ } else if (input?.provider?.idpIdentifier) {
 ({ idpIdentifier } = input.provider);
 }
diff --git a/packages/auth/src/types/inputs.ts b/packages/auth/src/types/inputs.ts
index 8c72699f182..89243ddb743 100644
--- a/packages/auth/src/types/inputs.ts
+++ b/packages/auth/src/types/inputs.ts
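Review bot: The optional-chaining checks restored in the `@@ -55` hunk of patch 2 rely on the `never` members added to the input type, and that exclusivity exists only at compile time. A plain-JavaScript caller, or an object built from parsed JSON and cast to the input type, can still carry both keys; `custom` then wins and `idpIdentifier` is dropped without any signal. If silently preferring one is not the intended contract, check for both keys ahead of the `else if` chain and fail the call. Otherwise state the precedence next to the chain, e.g. `// If both custom and idpIdentifier are present at runtime, custom takes precedence`. The body of signInWithRedirect continues outside the hunk.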
@@ -69,7 +69,10 @@ export type AuthProvider = 'Amazon' | 'Apple' | 'Facebook' | 'Google';
 export type AuthPrompt = 'NONE' | 'LOGIN' | 'CONSENT' | 'SELECT_ACCOUNT';
 export interface AuthSignInWithRedirectInput {
- provider?: AuthProvider | { custom: string } | { idpIdentifier: string };
+ provider?:
+ | AuthProvider
+ | { custom: string; idpIdentifier?: never }
+ | { idpIdentifier: string; custom?: never };
 customState?: string;
 options?: {
 /**
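Review bot: The `provider` member now accepts three shapes but carries no TSDoc, so nothing tells a caller what `idpIdentifier` is or why it cannot be combined with `custom`. Add a short doc comment above `provider?:` that describes each form: a built-in provider name, `{ custom }` sent as the `identity_provider` query parameter, and `{ idpIdentifier }` sent as `idp_identifier` in its place. It should also note that the two object forms are mutually exclusive. The interface continues past the end of this hunk.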