Add support for idp_identifier query parameter when going through OAuth  #10226

Open
@jaredready

Description

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

Cognito User Pools federated identities supports using identifiers (typically a domain name) to correctly figure out what IdP a user should be authenticating with based on their email address. This is described in the Cognito documentation here.

You can also choose identifiers for your SAML providers. An identifier uniquely resolves to an identity provider (IdP) associated with your user pool. Typically, each identifier corresponds to an organization domain that the SAML IdP represents. For a multi-tenant app that multiple organizations share, you can use identifiers to redirect users to the correct IdP. Because the same organization can own multiple domains, you can provide multiple identifiers. To sign in your users with an identifier, direct their sessions to the Authorize endpoint for your app client with an idp_identifier parameter.

Following the link, you can see that the /oauth2/authorize endpoint supports an optional idp_identifier query parameter for providing this information.

I would like to be able to use the Auth.federatedSignIn function to be able to utilize this functionality.

Currently Amplify applications utilizing multiple identity providers need to jump through some awkward hoops to get their authentication code working correctly, but Cognito already supports the required functionality.

Describe the solution you'd like

Currently the Auth package provides a federatedSignIn function that has a required provider. I would like to see this function's input type enhanced to something like the following.

export declare type FederatedSignInOptions = {
    provider?: CognitoHostedUIIdentityProvider;
    idpIdentifier?: string;
    customState?: string;
};

Maybe something a little smarter to require either provider or idpIdentifier; my TypeScript isn't that good.

This would allow one to do something like,

Auth.federatedSignIn({ idpIdentifier: "example.com" });

and have the user be directed to their correct IdP to authenticate.

Describe alternatives you've considered

I've tried to see if it would be possible to abuse the current behavior to make this work, but you can see here that there's currently no way to provide additional query parameters to make this request work.

Additional context

The documentation here has a handy graphical overview of the workflow.

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
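As an added example (not the issue author's code and not Amplify's implementation), the block below shows what the requested behaviour amounts to on the wire: building the Cognito Hosted UI `/oauth2/authorize` URL so that the user is routed either to a named provider (`identity_provider`) or to the IdP that Cognito resolves from an `idp_identifier`. It also gives one answer to the "require either provider or idpIdentifier" question with a TypeScript union, backed by a runtime check for plain-JavaScript callers, and derives the identifier from a user-entered e-mail address with a conservative allowlist before it is placed in the URL. The domain, client id and redirect URI are constructed placeholders, and the way `customState` is packed into `state` is an assumption for illustration, not Amplify's encoding.

```typescript
// Added example, not part of the issue or of Amplify. It builds the Cognito Hosted UI
// authorize URL so a user is routed either to a named provider (identity_provider)
// or to the IdP resolved from an idp_identifier, as the feature request describes.
// The domain, client id and redirect URI used here are constructed placeholders.

// Exactly one of provider / idpIdentifier is accepted at the type level
// (the "something smarter" the request asks for): the `never` branch makes
// supplying both a compile-time error.
export type FederatedSignInOptions =
  | { provider: string; idpIdentifier?: never; customState?: string }
  | { idpIdentifier: string; provider?: never; customState?: string };

export interface HostedUiConfig {
  domain: string;          // Cognito Hosted UI domain (placeholder value in the usage below)
  clientId: string;        // app client id
  redirectSignIn: string;  // must match a callback URL registered on the app client
  responseType: "code" | "token";
  scopes: string[];
}

// Conservative allowlist for an identifier derived from user input: host-name
// characters only, at least one dot. This is our own check, not a limit
// documented by Cognito.
const IDENTIFIER_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;

// Derive the idp_identifier from an e-mail address (the organisation's domain).
// Returns null when the input is not a plausible address, so the caller can fall
// back to a default provider instead of sending junk to the authorize endpoint.
export function idpIdentifierFromEmail(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase();
  return IDENTIFIER_RE.test(domain) ? domain : null;
}

export function buildAuthorizeUrl(
  cfg: HostedUiConfig,
  opts: FederatedSignInOptions,
  nonce: string, // caller-generated, unguessable, stored for the callback check
): string {
  const hasProvider = opts.provider !== undefined;
  const hasIdentifier = opts.idpIdentifier !== undefined;
  // Runtime guard for JavaScript callers who bypass the type check.
  if (hasProvider === hasIdentifier) {
    throw new Error("exactly one of provider or idpIdentifier must be given");
  }
  if (hasIdentifier && !IDENTIFIER_RE.test(opts.idpIdentifier!)) {
    throw new Error("idpIdentifier contains characters outside the allowed set");
  }

  const url = new URL(`https://${cfg.domain}/oauth2/authorize`);
  const q = url.searchParams; // URLSearchParams percent-encodes every value
  q.set("response_type", cfg.responseType);
  q.set("client_id", cfg.clientId);
  q.set("redirect_uri", cfg.redirectSignIn);
  q.set("scope", cfg.scopes.join(" "));
  // How Amplify packs customState into `state` is not shown on the page; here the
  // app-specific value is appended after the nonce as an assumption.
  q.set("state", opts.customState ? `${nonce}-${opts.customState}` : nonce);
  if (hasProvider) {
    q.set("identity_provider", opts.provider!);
  } else {
    q.set("idp_identifier", opts.idpIdentifier!);
  }
  return url.toString();
}

// Usage with constructed placeholder values:
const exampleConfig: HostedUiConfig = {
  domain: "auth.example-placeholder.com",
  clientId: "client-id-placeholder",
  redirectSignIn: "https://app.example-placeholder.com/callback",
  responseType: "code",
  scopes: ["openid", "email"],
};
const ident = idpIdentifierFromEmail("alice@example.com"); // "example.com"
if (ident !== null) {
  console.log(buildAuthorizeUrl(exampleConfig, { idpIdentifier: ident }, "nonce-placeholder"));
}
```

The `nonce` parameter is the OAuth `state` value the app must generate unguessably and compare on the callback; the example leaves its generation and storage to the caller rather than inventing Amplify's scheme. The allowlist matters because the identifier typically comes from whatever the user typed into an e-mail field, and rejecting anything that is not a plain host name keeps the redirect to the Cognito endpoint predictable.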
