diff --git a/src/pages/[platform]/start/migrate-to-gen2/migrate-existing-app/index.mdx b/src/pages/[platform]/start/migrate-to-gen2/migrate-existing-app/index.mdx index c6416a439f9..f042f259db5 100644 --- a/src/pages/[platform]/start/migrate-to-gen2/migrate-existing-app/index.mdx +++ b/src/pages/[platform]/start/migrate-to-gen2/migrate-existing-app/index.mdx @@ -500,6 +500,23 @@ See [Secrets](https://docs.amplify.aws/react/build-a-backend/functions/environme +#### External Identity Providers + +If your Gen 1 app uses social sign-in (Facebook, Google), the generated `callbackUrls` and `logoutUrls` in `./amplify/auth/resource.ts` are inherited from Gen 1 and reference the Gen 1 Amplify Hosting URLs only. The Gen 2 hosting URL must be added before the Hosted UI will accept sign-ins from the Gen 2 frontend. + +The generator emits a comment above each URL list as a reminder. Add the Gen 2 URL to both locations: + +```diff + callbackUrls: [ + 'https://main..amplifyapp.com/', ++ 'https://gen2-main..amplifyapp.com/', + ], +``` + +The top-level `externalProviders.callbackUrls`/`logoutUrls` configure the web client used by the frontend. The `oAuth.callbackUrls`/`logoutUrls` inside `applyEscapeHatches` configure a separate native app client — update both if present. + +The corresponding redirect URIs in the external provider's developer console must also be updated, after the Gen 2 environment is deployed (see [Configure external identity providers](#configure-external-identity-providers) below). + ### Step 5: Deploy Push the generated Gen 2 code to your repository: @@ -546,6 +563,14 @@ By default, sandbox creates its own DynamoDB tables and does not share Gen 1 mod +#### Configure external identity providers + +If your app uses social sign-in, the Gen 2 deployment creates a new Cognito User Pool Domain distinct from the Gen 1 one. The external provider's developer console must be updated to accept redirects from the new domain before Hosted UI sign-in will work on the Gen 2 frontend. + +Open the [Cognito console](https://console.aws.amazon.com/cognito/), select the user pool owned by your Gen 2 branch, and note the domain under _App integration → Domain_. + +Then, add the domain to each external provider's console following the standard [External identity providers](/[platform]/build-a-backend/auth/concepts/external-identity-providers/) guide. You do not need to replace the existing Gen 1 entries — add the Gen 2 domain alongside them so both environments work during the transition. + ### Step 6: Functional Tests (CRITICAL) @@ -621,6 +646,8 @@ If the refactor fails or produces undesired results, roll it back: amplify gen2-migration refactor --to --rollback ``` +If you had already completed [Step 8: Post-Refactor](#step-8-post-refactor-critical) before rolling back, re-comment `postRefactor();` in `./amplify/backend.ts` on the `gen2-main` branch and push. The function targets resources that the Gen 2 stack no longer owns after rollback and will fail at synth otherwise. + After rolling back, you will need to unlock the Gen 1 environment and redeploy it to restore normal operation: ```bash @@ -651,7 +678,7 @@ Edit `./amplify/backend.ts`: -This function must remain uncommented permanently — even after migration is complete. Commenting it out or removing it will cause deployment failures. +This function must remain uncommented after the refactor is complete. Commenting it out or removing it will cause deployment failures. The only exception is if you subsequently run `refactor --rollback` — see [Step 7](#step-7-refactor).