Auth.signInWithWebUI with AuthProvider.custom redirect URI issue #4864

Open
3 of 14 tasks
alegos27 opened this issue May 9, 2024 · 9 comments
Labels
auth Issues related to the Auth Category pending-triage This issue is in the backlog of issues to triage to-be-reproduced Issues that have not been reproduced yet, but have reproduction steps provided

Comments

@alegos27
Contributor

alegos27 commented May 9, 2024

Description

When using Amplify's signInWithWebUI(provider: AuthProvider.custom(provider)) function with a custom provider, the WebUI does not return to the application after a successful third-party login. Instead, it navigates to the Cognito authentication base URL and shows an error message: "Something went wrong. Please try again." Closing the WebView manually leaves no authenticated session in Amplify. This issue is unique to custom providers since the same flow with social logins, such as signInWithWebUI(provider: AuthProvider.google), works correctly using identical configurations.

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Notifications (Push)
  • Storage

Steps to Reproduce

1.) Amplify Configuration and Init

Use this configuration:

final String amplifyConfig = '''
{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
      "plugins": {
          "awsCognitoAuthPlugin": {
              "IdentityManager": {
                  "Default": {}
              },
              "CognitoUserPool": {
                  "Default": {
                      "PoolId": "${Env().cognitoPoolId}",
                      "AppClientId": "${Env().cognitoAppClientId}",
                      "Region": "${Env().awsRegion}"
                  }
              },
              "Auth": {
                  "Default": {
                      "authenticationFlowType": "CUSTOM_AUTH",
                      "OAuth": {
                          "WebDomain": "${Env().cognitoAuthDomain}",
                          "AppClientId": "${Env().cognitoAppClientId}",
                          "SignInRedirectURI": "myapp://",
                          "SignOutRedirectURI": "myapp://",
                          "Scopes": [ 
                              "phone",
                              "email",
                              "openid",
                              "profile",
                              "aws.cognito.signin.user.admin"
                          ]
                      }
                  }
              }
          }
      }
  }
}
''';

Init Amplify in main.dart:

await Amplify.addPlugin(AmplifyAuthCognito());
await Amplify.configure(amplifyConfig);

2.) Call signInWithWebUI function:
Use the following function to initiate a sign-in with a third-party provider via Amplify's WebUI:

final result = await Amplify.Auth.signInWithWebUI(
   provider: AuthProvider.custom(provider),
   options: const SignInWithWebUIOptions(
     pluginOptions: CognitoSignInWithWebUIPluginOptions(
       isPreferPrivateSession: true,
     ),
   ),
);

3.) Complete the Third-Party Authentication:

  • In the WebUI that appears, log in using the selected third-party provider credentials.

4.) Observe the Redirection:

  • Instead of redirecting to the application, the WebView directs to the Cognito authentication base URL.
  • In the WebView, there is an error message: "Something went wrong. Please try again."

5.) Close the WebView:

  • If you close the WebUI manually, you'll notice that no authenticated session is established in Amplify.
  • On Android Console: D/AmplifyAuthCognitoPlugin( 5776): [cancelCurrentOperation] Canceling with state: signInResult=com.amazonaws.amplify.amplify_auth_cognito.AtomicResult@4dde50c, signOutResult=null

Screenshots

Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 22 04
Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 22 21
Simulator Screenshot - iPhone 15 - 2024-05-09 at 10 23 03

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.19.6

Amplify Flutter Version

2.0.0

Deployment Method

Custom Pipeline

Schema

No response
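A way to exercise the hosted-UI leg of this flow outside the app, added here as an example and not part of the original report or of Amplify's code: it checks the `SignInRedirectURI` from a config shaped like the one above against the app client's registered callback URLs, then builds the Cognito `/oauth2/authorize` request for one named identity provider with PKCE. The domain, client ID, provider name `ExampleSAML` and the callback list are assumed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample in the shape of the issue's OAuth block; every value is a placeholder.
_OAUTH = {
    "WebDomain": "example.auth.eu-west-1.amazoncognito.com",
    "AppClientId": "EXAMPLE_CLIENT_ID",
    "SignInRedirectURI": "myapp://",
    "Scopes": ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"],
}
SAMPLE_CONFIG = json.dumps(
    {"auth": {"plugins": {"awsCognitoAuthPlugin": {"Auth": {"Default": {"OAuth": _OAUTH}}}}}})


def pkce_challenge(verifier):
    """S256 code challenge for a PKCE verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redirect_uri_problems(redirect_uri, registered_callbacks):
    """Cognito compares redirect_uri with the callback list exactly; report mismatches."""
    if redirect_uri in registered_callbacks:
        return []
    near = [c for c in registered_callbacks if c.rstrip("/") == redirect_uri.rstrip("/")]
    if near:
        return [f"{redirect_uri!r} differs from registered {near[0]!r} (trailing slash)"]
    return [f"{redirect_uri!r} is not a registered callback URL"]


def build_authorize_url(config_json, idp_name, verifier, state):
    """Authorization-code request that goes straight to idp_name, skipping the picker."""
    oauth = json.loads(config_json)["auth"]["plugins"]["awsCognitoAuthPlugin"]["Auth"]["Default"]["OAuth"]
    query = urlencode({
        "identity_provider": idp_name,  # assumed: provider name as set in the user pool
        "client_id": oauth["AppClientId"],
        "redirect_uri": oauth["SignInRedirectURI"],
        "response_type": "code",
        "scope": " ".join(oauth["Scopes"]),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"https://{oauth['WebDomain']}/oauth2/authorize?{query}"


if __name__ == "__main__":
    print(build_authorize_url(SAMPLE_CONFIG, "ExampleSAML", secrets.token_urlsafe(48), secrets.token_urlsafe(16)))
```

Opening the printed URL in a desktop browser shows whether the "Something went wrong" page appears before any redirect to `myapp://` is attempted, independent of the Flutter WebView.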

@khatruong2009 khatruong2009 added auth Issues related to the Auth Category pending-triage This issue is in the backlog of issues to triage labels May 9, 2024
@khatruong2009
Contributor

Hi @alegos27, we will look into this issue and get back to you with any updates.

@khatruong2009
Contributor

Hi @alegos27, in the first two screenshots, are you using the AuthProvider.google and showing that it is working? Or are all 3 screenshots part of a single unsuccessful sign in flow? Are you using AuthProvider.custom for your Google sign ins? Can you give us some more details on your custom auth provider?

@khatruong2009 khatruong2009 added the pending-response Issue is pending response from the issue requestor label May 9, 2024
@alegos27
Contributor Author

Hi @khatruong2009, the first two screenshots show AuthProvider.custom, but used with Google as the SSO authenticator. We encounter the same issue with other providers like Azure. So, all three screenshots depict a single unsuccessful sign-in flow.
When we use Google SignIn with AuthProvider.google, it works seamlessly, as it does with Apple and Facebook; the sign-in flow, including redirects, works correctly.
We're using the Cognito identity provider as a custom SSO auth provider, leveraging SAML or OIDC (90% SAML) for corporate authentication systems that have their own provider. We also tried using AuthProvider.saml() but with the same result.
If you need more details, feel free to ask.
Screenshot 2024-05-10 alle 14 09 04

@khatruong2009 khatruong2009 removed the pending-response Issue is pending response from the issue requestor label May 10, 2024
@NikaHsn
Contributor

NikaHsn commented May 14, 2024

@alegos27 Thank you for providing these details. We will look into this issue and get back to you with any updates.

@NikaHsn
Contributor

NikaHsn commented May 15, 2024

@alegos27 In the Amplify configuration I noticed that you are using "authenticationFlowType": "CUSTOM_AUTH". Would you please confirm that you are using sign-in with custom auth flow with AWS Lambda triggers?

@alegos27
Contributor Author

@NikaHsn Yes, I can confirm that we are using a custom authentication flow with AWS Lambda triggers in the auth flow with email (Amplify.Auth.signIn). However, for the Amplify.Auth.signInWithWebUI function, we are not using the custom authentication flow. Instead, we use identity providers configured in Cognito as you can see in the screenshots above.

@NikaHsn
Contributor

NikaHsn commented May 16, 2024

@alegos27 Thank you for providing these details. We will look into this and get back to you with any updates.

@dagovalsusa

Same issue here, any updates?
Thanks

@Equartey
Contributor

Hi @dagovalsusa, no updates yet. We still need to reproduce this. We will update when we have more information.

@Equartey Equartey added the to-be-reproduced Issues that have not been reproduced yet, but have reproduction steps provided label May 23, 2024