aws-amplify · 9pace · May 6, 2026 · May 6, 2026 · May 6, 2026
@@ -500,6 +500,23 @@ See [Secrets](https://docs.amplify.aws/react/build-a-backend/functions/environme
 
 </Callout>
 
+#### External Identity Providers
+
+If your Gen 1 app uses social sign-in (Facebook, Google), the generated `callbackUrls` and `logoutUrls` in `./amplify/auth/resource.ts` are inherited from Gen 1 and reference the Gen 1 Amplify Hosting URLs only. The Gen 2 hosting URL must be added before the Hosted UI will accept sign-ins from the Gen 2 frontend.
+
+The generator emits a comment above each URL list as a reminder. Add the Gen 2 URL to both locations:
+
+```diff
+ callbackUrls: [
+   'https://main.<gen1-appId>.amplifyapp.com/',
++  'https://gen2-main.<gen2-appId>.amplifyapp.com/',
+ ],
+```
+
+The top-level `externalProviders.callbackUrls`/`logoutUrls` configure the web client used by the frontend. The `oAuth.callbackUrls`/`logoutUrls` inside `applyEscapeHatches` configure a separate native app client — update both if present.
+
+The corresponding redirect URIs in the external provider's developer console must also be updated, after the Gen 2 environment is deployed (see [Configure external identity providers](#configure-external-identity-providers) below).
+
 ### Step 5: Deploy
 
 Push the generated Gen 2 code to your repository:
@@ -546,6 +563,14 @@ By default, sandbox creates its own DynamoDB tables and does not share Gen 1 mod
 
 </Accordion>
 
+#### Configure external identity providers
+
+If your app uses social sign-in, the Gen 2 deployment creates a new Cognito User Pool Domain distinct from the Gen 1 one. The external provider's developer console must be updated to accept redirects from the new domain before Hosted UI sign-in will work on the Gen 2 frontend.
+
+Open the [Cognito console](https://console.aws.amazon.com/cognito/), select the user pool owned by your Gen 2 branch, and note the domain under _App integration → Domain_.
+
+Then, add the domain to each external provider's console following the standard [External identity providers](/[platform]/build-a-backend/auth/concepts/external-identity-providers/) guide. You do not need to replace the existing Gen 1 entries — add the Gen 2 domain alongside them so both environments work during the transition.
+
 
 ### Step 6: Functional Tests (CRITICAL)
 
@@ -621,6 +646,8 @@ If the refactor fails or produces undesired results, roll it back:
 amplify gen2-migration refactor --to <gen2-root-stack-name> --rollback
 ```
 
+If you had already completed [Step 8: Post-Refactor](#step-8-post-refactor-critical) before rolling back, re-comment `postRefactor();` in `./amplify/backend.ts` on the `gen2-main` branch and push. The function targets resources that the Gen 2 stack no longer owns after rollback and will fail at synth otherwise.
+
 After rolling back, you will need to unlock the Gen 1 environment and redeploy it to restore normal operation:
 
 ```bash
@@ -651,7 +678,7 @@ Edit `./amplify/backend.ts`:
 
 <Callout info>
 
-This function must remain uncommented permanently — even after migration is complete. Commenting it out or removing it will cause deployment failures.
+This function must remain uncommented after the refactor is complete. Commenting it out or removing it will cause deployment failures. The only exception is if you subsequently run `refactor --rollback` — see [Step 7](#step-7-refactor).
 
 </Callout>