Cognito-protected S3 Website attaches original URL behind redirect URL

[thoefkens]

Hi all,

We deploy a Website in an S3-bucket and protect it with Cognito. (using CDK)
When a user clicks a deeplink to the site (e.g. https://mydomain/message?id=1111), a redirect to Cognito's login URL is in place:

    // Set the Cognito UserPool ID as environment variable for the lambda masterdata
    function.addEnvironment('COGNITO_USERPOOL_ID', stack.getUserPoolId());

    apiGateway.addGatewayResponse('api-redirect-unauthorized', {
      responseHeaders: {
        'Location': "'" + stack.getLoginUrl(stackProps.apiDomainName) + "'"
      },
      templates: {
        'application/json': '{ "message": $context.error.messageString }'
      },
      type: ResponseType.UNAUTHORIZED,
      statusCode: '302'
    });

getLoginUrl is defined as:

  public getLoginUrl(apiDomainName: string): string {
    return this.userPoolDomain.signInUrl(this.userPoolAppClient, {
      redirectUri: `https://${apiDomainName}/auth`
    });
  }

However, the user is directed to https://auth.mydomain/login?client_id=xxx&redirect_url=https://mydomain/auth/#https://mydomain/message?id=1111

In doing so, the original deeplink URL is lost upon authentication on the Cognito sign-up page as it gets attached automatically behind the #-sign.

How can we make sure the redirect to Cognito stores the original URL (e.g. as state parameter)?

For reference, this is how we integrate the S3-bucket with the API gateway and an authorizer.

export interface FrontendIntegrationProps {
    apiGateway: apigateway.RestApi;
    bucket: s3.Bucket;
    authorizer?:  apigateway.IAuthorizer,
}

export class FrontendIntegration extends cdk.Construct {
    constructor(scope: cdk.Construct, id: string, props: FrontendIntegrationProps) {
        super(scope, id);

        const api = props.apiGateway;

        // IAM Role to allow S3 access from API Gateway
        var s3Role = new iam.Role(this, "S3FrontendRole", {
            assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
        });
        props.bucket.grantReadWrite(s3Role);

        // Proxy Integration for frontend
        const websiteFolder = api.root.addResource('{proxy+}', {
            defaultMethodOptions: {
                requestParameters: {
                    'method.request.path.proxy': true
                }
            },
        });

        // S3 Integration
        const webFolderIntegration = new apigateway.AwsIntegration({
            service: "s3",
            integrationHttpMethod: "GET",
            path: props.bucket.bucketName + "/{proxy}",
            options: {
                credentialsRole: s3Role,
                passthroughBehavior: apigateway.PassthroughBehavior.WHEN_NO_MATCH,
                requestParameters: {
                    'integration.request.path.proxy': 'method.request.path.proxy',
                },
                integrationResponses: [
                    {
                        statusCode: '200',
                        responseParameters: {
                            'method.response.header.Content-Type': 'integration.response.header.Content-Type'
                        }
                    }
                ]
            }
        });

        // S3 Integration Method
        websiteFolder.addMethod('GET', webFolderIntegration, {
            authorizer: props.authorizer,
            methodResponses: [
                {
                    statusCode: '200',
                    responseParameters: {
                        'method.response.header.Content-Type': true
                    }
                }
            ]
        });

        // Integration index.html (if no file is specified)
        const getS3IntegrationIndex = new apigateway.AwsIntegration({
            service: "s3",
            integrationHttpMethod: "GET",
            path: props.bucket.bucketName + "/index.html",
            options: {
                credentialsRole: s3Role,
                integrationResponses: [
                    {
                        statusCode: '200',
                        responseParameters: {
                            'method.response.header.Content-Type': 'integration.response.header.Content-Type'
                        }
                    }
                ]
            }
        });

        // S3 Integration Method
        api.root.addMethod("GET", getS3IntegrationIndex, {
            authorizer: props.authorizer,
            methodResponses: [
                {
                    statusCode: '200',
                    responseParameters: {
                        'method.response.header.Content-Type': true
                    }
                }
            ]
        });

    }
}

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.