
Wrong setting when using custom domain

Open sametkabay opened this issue 3 years ago • 19 comments

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v18.2.0

Amplify CLI Version

10.5.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

If you provide a custom auth.mydomain.com for OAuth in cognito, every time you run amplify push it overwrites aws-exports.js and changes:

oauth: { domain: auth.mydomain.com --> gets changed to "appname-env.auth.region.amazoncognito.com" }

https://github.com/aws-amplify/amplify-cli/blob/06300cc1444bf6e018cc50e18f9cce1967e00426/packages/amplify-frontend-javascript/lib/frontend-config-creator.js#L359-L362

Expected behavior

If a custom domain name is used, '.auth.region.amazoncognito.com' should not be added to the end.

Reproduction steps

  1. An existing cognito for amplify auth is integrated
  2. Added custom domain for Cognito
  3. Changes are pulled locally or pipeline is triggered
  4. 'auth.domain' appears incorrectly in aws-exports.json

Project Identifier

77facb24fcba8c9dee551c27006d6b76

Log output

No response

Additional information

No response

Before submitting, please confirm:

  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

sametkabay avatar Jan 04 '23 18:01 sametkabay

Hey @sametkabay thank you for taking the time to file this! To clarify, how is the custom domain added to Cognito? Is this through the amplify update auth flow or via overrides?

josefaidt avatar Jan 04 '23 18:01 josefaidt

Hi @josefaidt, AWS Cognito user pool settings in browser. Own domain added and Amazon Cognito domain removed in domain name tab. Then when I pull with the CLI, I can see the error. The same issue appears when issuing a release with the Amplify pipeline.

sametkabay avatar Jan 04 '23 19:01 sametkabay

Hey @sametkabay thanks for clarifying! Unfortunately the CLI will not be able to sync changes made in the AWS Console with your Amplify project on amplify pull, and upon amplify push Amplify can overwrite those manual changes. Instead can you try setting the custom domain via overrides with amplify override auth?

josefaidt avatar Jan 05 '23 23:01 josefaidt

Hi @josefaidt, I agree with you, override can be used as a solution to this problem. It can even be solved within the application with a simple condition. After doing some research, I came across an example of this: https://github.com/aws-amplify/amplify-cli/issues/1880#issuecomment-626331305

But I think this is the wrong fix. That's exactly what the CLI does:

If the Cognito standard domain is used: selected-subdomain => [selected-subdomain].{region}.amazoncognito.com => this is true

If a custom domain is used: [custom-domain] => [custom-domain].{region}.amazoncognito.com => ex: auth.example.com.auth.us-west-2.amazoncognito.com => this is wrong

When I debugged, I saw this:

standard domain: cognitoResource.output.HostedUIDomain = selected subdomain. ex: auth

custom domain: cognitoResource.output.HostedUIDomain = full url. ex: auth.example.com

The code I marked above works the same for both.

We use a custom domain because we want to show our own domain name when using identity providers (google/facebook)

I solved this problem temporarily by overriding the aws-exports.json file in the application but I know that this is not true, the changes I make through the browser will be reflected, and I need to make changes in the application.

I've seen different issues about this as well. Hope it can be fixed soon

sametkabay avatar Jan 08 '23 11:01 sametkabay

Hey @sametkabay thanks for clarifying! Are you saying when you override the hosted UI domain with amplify override auth and push, you are seeing the correct domain in the AWS Console but not in your aws-exports.js file?

josefaidt avatar Jan 09 '23 19:01 josefaidt

@josefaidt I said it works but it shouldn't be needed

sametkabay avatar Jan 12 '23 17:01 sametkabay

Hey @sametkabay glad to hear it works for you, but to clarify are you able to override the domain in the override.ts file for auth and that domain is not being reflected in the aws-exports file?

josefaidt avatar Jan 12 '23 18:01 josefaidt

@josefaidt I didn't use override.ts, I solved it in my own code, so I can't give a clear answer. If this is important information, I can try it for you.

sametkabay avatar Jan 12 '23 18:01 sametkabay

Hey @sametkabay apologies for the delay.

If you provide a custom auth.mydomain.com for OAuth in cognito,

How was the custom domain originally added to the Cognito resource? Was this added manually in the AWS Console or via a parameter in your project locally?

josefaidt avatar Feb 14 '23 18:02 josefaidt

Hi @josefaidt, we added it with the AWS Console.

sametkabay avatar Feb 16 '23 09:02 sametkabay

Hey @sametkabay thanks for clarifying! Typically it is not recommended to modify settings of resources in the AWS Console as they can be overwritten on subsequent updates/amplify push attempts. Amplify CLI will create infrastructure-as-code with AWS CloudFormation, and amplify pull is not able to sync the changes made in the console with the local definitions. Instead, it is recommended to use overrides where you can modify settings of resources that will be carried across environments and subsequent updates.

Unfortunately, using overrides will not update your aws-exports to reflect the custom domain; however, this can be configured manually in your frontend.

josefaidt avatar Feb 20 '23 23:02 josefaidt

@josefaidt I solved the problem with a method similar to your suggestion. I've been using it for a while. I am not looking for a solution in this thread. I wanted to let you know that there is such a problem in order to produce a permanent solution.

sametkabay avatar Mar 02 '23 14:03 sametkabay

Hey @sametkabay glad to hear it. I'll mark this as a feature-request to improve the domain generation in aws-exports to read from Cognito rather than constructing it manually

josefaidt avatar Mar 03 '23 20:03 josefaidt

When using Google OAuth they require you to verify domain ownership in order to use it in production (non-test mode). It's impossible for us to verify amazoncognito.com, so using a custom user pool domain is required. Every user of Google OAuth will run into this problem. Please fix it or provide good documentation around it, including examples of a recommended workaround.

Blinknone avatar Oct 19 '23 06:10 Blinknone

I encountered the same problem. I have created a Cognito User Pool and added a custom domain auth.m.jaznu.com

Auth is imported into Amplify.

My application is on the m.jaznu.com domain. But src\aws-exports.js looks like this:

    ...
    "oauth": {
        "domain": "auth.m.jaznu.com.auth.eu-central-1.amazoncognito.com",
    ...

Of course it doesn't work. Because the correct value should be

    "domain": "auth.m.jaznu.com",

The value was generated as if I had not a custom domain, but a Cognito domain.

In amplify\backend\amplify-meta.json there is correct data:

    ...
    "auth": {
        "jaznuXXXXX9f": {
            "service": "Cognito",
            "serviceType": "imported",
            ...
            "HostedUIDomain": "auth.m.jaznu.com",

chirpavel avatar Aug 15 '24 06:08 chirpavel

When I click Sign Up with Google:

I see this incorrect page auth.m.jaznu.com.auth.eu-central-1.amazoncognito.com

Instead of the correct auth.m.jaznu.com

chirpavel avatar Aug 15 '24 06:08 chirpavel

[Screenshot: frontend-config-creator.js]

Maybe the idea is that by adding a custom domain to Cognito - under its hood, the domain ${cognitoResource.output.HostedUIDomain}.auth.${projectRegion}.amazoncognito.com is created

And in Route 53 I link my custom domain auth.m.jaznu.com to auth.m.jaznu.com.auth.eu-central-1.amazoncognito.com

But in my case, auth.m.jaznu.com.auth.eu-central-1.amazoncognito.com does not open. Although auth.m.jaznu.com works correctly

But the registration form via Google uses auth.m.jaznu.com.auth.eu-central-1.amazoncognito.com, which does not work

chirpavel avatar Aug 15 '24 06:08 chirpavel

I added this hack:

import { Amplify } from 'aws-amplify'
import awsconfig from './aws-exports'

// removing the part of the domain that is causing it not to work
if (awsconfig.oauth.domain.includes('m.jaznu.com')) {
    awsconfig.oauth.domain = awsconfig.oauth.domain.replace('.auth.eu-central-1.amazoncognito.com', '')
}

Amplify.configure(awsconfig)

Only after that did it start working. But I'm interested in how it is supposed to work without such a hack?

chirpavel avatar Aug 15 '24 07:08 chirpavel
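A stricter, region-independent form of the frontend workaround discussed in this thread, added here as an example (it is not code from any commenter or from amplify-cli). The helper names `normalizeOAuthDomain` and `fixAwsExports` are hypothetical, and the code assumes a Cognito prefix domain never contains a dot, so a dotted value in front of the generated suffix is treated as a custom domain. It matches the whole generated pattern instead of doing a substring replace, and rejects values that are not a plain hostname, so the OAuth redirect host can only be the prefix domain as generated or the recovered custom domain.

```javascript
// Added example; helper names are hypothetical, not Amplify APIs.
// Generated form: <HostedUIDomain>.auth.<region>.amazoncognito.com
const GENERATED = /^(.+)\.auth\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazoncognito\.com$/;
// Conservative hostname check for the recovered custom domain.
const HOSTNAME = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function normalizeOAuthDomain(domain) {
  if (typeof domain !== 'string' || domain.trim() === '') {
    throw new TypeError('oauth.domain must be a non-empty string');
  }
  const host = domain.trim().toLowerCase();
  const match = GENERATED.exec(host);
  if (!match) {
    // Not in generated form: accept only if it is a plain hostname.
    if (!HOSTNAME.test(host)) throw new Error(`unexpected oauth.domain: ${host}`);
    return host;
  }
  const prefix = match[1];
  // Assumption: no dot means a genuine Cognito prefix domain; leave it alone.
  if (!prefix.includes('.')) return host;
  // Dotted prefix: HostedUIDomain was already a full custom hostname.
  if (!HOSTNAME.test(prefix)) throw new Error(`unexpected custom domain: ${prefix}`);
  return prefix;
}

// Returns a copy of the aws-exports object with oauth.domain corrected.
function fixAwsExports(config) {
  if (!config || !config.oauth || !config.oauth.domain) return config;
  return {
    ...config,
    oauth: { ...config.oauth, domain: normalizeOAuthDomain(config.oauth.domain) },
  };
}

// Usage in the app entry point (not executed here):
//   Amplify.configure(fixAwsExports(awsconfig))
```
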

I'm running into the same problem importing a cognito user pool with a custom domain. amplify-cli should simply copy the custom domain to aws-exports.js, but instead it appends extra .auth.{region}.amazoncognito.com bits. Looks like a bug in amplify import, which should either import custom domains as-is or kick up an error message that it cannot handle a user pool with a custom domain.

jkellyinsf avatar Mar 15 '25 18:03 jkellyinsf