Amplify flutter sign in with federated provider (Google/Apple) not following deep link redirect on real IOS device

[pcittadini]

Description

After setting up a Cognito SSO federation with Apple and Google. Using the followign approach:

return await Amplify.Auth.signInWithWebUI(
        provider: provider,
        options: SignInWithWebUIOptions(
          pluginOptions:
              CognitoSignInWithWebUIPluginOptions(isPreferPrivateSession: true),
        ),
      );

• Deep link is using custom scheme like the following : mycustomscheme://appname.link
• This is validated and working as it can be open from other apps and browsers.
• The whole flow works on emulator and on Android (and from Cognito web login page).
• All transport exceptions have been enabled on info.plist
• Url types are configured
• Event the domains for google and apple were whitelisted in the App Transport Security Settings sections.
• Associated Domains and Sign in With Apple capabilities enabled.

The webview opens showing the overlay with the apple login prompt, or the google login page. After succesfully logging in webview a blank page is showed and the deep link returned is not followed for completing token exchange.

In addition, seems that settings the value of isPreferPrivateSession to false, will break the flow and make the webview not able to start (a little permission popup will show for few milliseconds and then disappears with no possibility to interact) and nothing will happen.

Categories

• Analytics
• API (REST)
• API (GraphQL)
• Auth
• Authenticator
• DataStore
• Notifications (Push)
• Storage

Steps to Reproduce

Create a new federation from Cognito to Google or Apple
Configure universal links and deep links
Add auth model for SSO provider
Try logging in with Google or Apple from a phyisical iOS device

Screenshots

No response

Platforms

• iOS
• Android
• Web
• macOS
• Windows
• Linux

Flutter Version

3.29.2

Amplify Flutter Version

2.6.1

Deployment Method

Custom Pipeline

Schema

[ProgUser145]

Same issue here :(

[aktumut]

same here!

[KeidiKD]

I have been having the same issue as well. The app stays in a blank screen after signing in successfully. It seems that the issue is related to how the web ui handles the redirect back to the app via the deeplink

[tyllark]

Hello @pcittadini, thanks for taking the time to open up this issue. We will investigate and get back to you when we have an update.

[tyllark]

Hello @pcittadini @ProgUser145 @aktumut @KeidiKD, I've been unable to reproduce the issue on my physical iOS device. Could you please verify that you can recreate the issue with the following code and let me know if you are using a different package for routing/deep links.

import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
import 'package:amplify_flutter/amplify_flutter.dart';
import 'package:flutter/material.dart';
import 'package:go_router/go_router.dart';

import 'amplify_outputs.dart';

void main() async {
  WidgetsFlutterBinding.ensureInitialized();

  await _configureAmplify();

  runApp(
    MaterialApp.router(
      title: 'Auth Test',
      theme: ThemeData.dark(),
      routerConfig: _router,
    ),
  );
}

Future<void> _configureAmplify() async {
  try {
    await Amplify.addPlugins([AmplifyAuthCognito()]);
    await Amplify.configure(amplifyConfig);
    safePrint('Success configuring Amplify!');
  } on Exception catch (e) {
    safePrint('Error configuring Amplify: $e');
  }
}

final _router = GoRouter(
  routes: [
    GoRoute(
      path: '/',
      builder:
          (_, __) => Scaffold(
            appBar: AppBar(title: const Text('Home Screen')),
            body: Column(
              children: [
                ElevatedButton(
                  onPressed: _signInWithApple,
                  child: Text('Sign In With Apple'),
                ),
                ElevatedButton(onPressed: _signout, child: Text('Sign Out')),
              ],
            ),
          ),
      routes: [
        GoRoute(
          path: 'deep_link',
          builder:
              (_, __) => Scaffold(
                appBar: AppBar(title: const Text('Deep Link Screen')),
              ),
        ),
      ],
    ),
  ],
);

Future<void> _signInWithApple() async {
  try {
    await Amplify.Auth.signInWithWebUI(
      provider: AuthProvider.apple,
      options: const SignInWithWebUIOptions(
        pluginOptions: CognitoSignInWithWebUIPluginOptions(
          isPreferPrivateSession: true,
        ),
      ),
    );
  } catch (e) {
    safePrint('Sign in failed: $e');
  }
}

Future<void> _signout() async {
  try {
    await Amplify.Auth.signOut();
  } catch (e) {
    safePrint('Sign out failed: $e');
  }
}

WebUIOptions_DeepLink.mov

[pcittadini]

Hi @tyllark, thanks for getting back. We implemented your test-case and we have exactly the same result as on our production environment. It works fine on the ios emulator, but the webview renders a white page after account selection on a physical device as it's shown in the video.

screen_recording_flutter.MP4

We are using the following amplify configuration:

"auth": { "plugins": { "awsCognitoAuthPlugin": { "UserAgent": "aws-amplify/cli", "Version": "1.0", "IdentityManager": { "Default": {} }, "CognitoUserPool": { "Default": { "PoolId": "myPoolId", "AppClientId": "myAppClientId", "Region": "myRegion" } }, "Auth": { "Default": { "authenticationFlowType": "USER_PASSWORD_AUTH", "OAuth": { "WebDomain": "myDomain", "AppClientId": "myAppClientId", "SignInRedirectURI": "myapp://myapp.link", "SignOutRedirectURI": "myapp://myapp.link", "Scopes": [ "phone", "email", "openid", "profile", "aws.cognito.signin.user.admin" ] } } } } } }

The deep link is working fine as we can click on it from different browsers/apps and the app will open fine. We are currently implementing the cognito external provider flow manually using the default browser instead and it's working fine. This is of course painful for us because it mean dropping the whole amplify library as we can't inject a session externally, from our understanding at least.

[tyllark]

Hello @pcittadini, thank you for clarifying your exact experience. The main difference between our configuration files is the Redirect URIs, is yours exactly myapp://myapp.link? Or can you provide a more precise example with redacted information. I'm using myapp://callback/ and myapp://signout/ on my side.

Since I'm still unable to reproduce the error could you please use your Safari Web inspector to see if any Console or Network errors are being thrown. You will need to enable web developer features on your mac and enable inspection on your iOS device then you can open the web inspector once you are in the Apple Sign In WebView via `Safari -> Develop -> [YOUR IOS DEVICE].

Unfortunately you cannot inject sessions into the amplify library at this time, though we have been discussing the possibility of allowing this. Technically you can use our aws_signature_v4 package and provide your own credential scope, but that is not ideal if you are using more than a couple of AWS endpoints.