Auth sign-in redirect Url get carried through different environments #11818

Open
2 tasks done
yunchanpaik opened this issue Jan 20, 2023 · 6 comments
Labels
auth Issues tied to the auth category of the CLI feature-request Request a new feature p3

Comments

@yunchanpaik

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

18.11.0

Amplify CLI Version

10.6.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

I currently have two working environments (dev and staging) for my project and I am using the Google OAuth provider for both of them.

The problem is that the sign-in redirect URL for one environment will get carried over when switching between the environments.

Expected behavior

I need the following sign-in redirect URLs for each environment:

dev: https://dev.mydomain.com/, http://localhost:3000/
staging: https://staging.mydomain.com/

Reproduction steps

  1. When adding a new environment, sign-in redirect URLs are copied to the new environment: amplify add env
  2. Switch to the new environment: amplify checkout env staging
  3. Update auth with new sign-in redirect URL: amplify update auth - Add/Edit signin and signout redirect URIs
  4. Push new configuration to the cloud: amplify push
  • At this point, the sign-in redirect URLs for both dev and staging are correctly configured on cloud
  5. Switch to the original dev environment: amplify checkout env dev
  6. Amplify detects the change to the auth made to the staging environment: amplify status
  7. The sign-in redirect URL for staging is pushed to the cloud for dev environment: amplify push
  • Now the sign-in redirect URLs for both dev and staging are incorrectly configured to be https://staging.mydomain.com/

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@yunchanpaik yunchanpaik added the pending-triage Issue is pending triage label Jan 20, 2023
@yunchanpaik yunchanpaik changed the title from "Auth sign-in Url get carried through different environments" to "Auth sign-in redirect Url get carried through different environments" Jan 20, 2023
@josefaidt josefaidt added the auth Issues tied to the auth category of the CLI label Jan 24, 2023
@josefaidt josefaidt self-assigned this Jan 24, 2023
@josefaidt
Contributor

Hey @yunchanpaik 👋 thanks for raising this and apologies for the delay! While we do not currently support env-specific redirect URIs, I think this is a very reasonable request!

I was able to work around this issue by lifting the oAuthMetadata property out of the auth resource's cli-inputs.json into the team-provider-info.json:

{
  "dev": {
    "awscloudformation": {
    },
    "categories": {
      "auth": {
        "authenvredirects12ab993d": {
          "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"http://localhost:3333/\"],\"LogoutURLs\":[\"http://localhost:3333/\"]}"
        }
      }
    }
  },
  "next": {
    "awscloudformation": {
    },
    "categories": {
      "auth": {
        "authenvredirects12ab993d": {
          "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"http://localhost:4444/\"],\"LogoutURLs\":[\"http://localhost:4444/\"]}"
        }
      }
    }
  }
}

Marking as a feature request to support env-specific redirect URIs

@josefaidt josefaidt added feature-request Request a new feature and removed pending-triage Issue is pending triage labels Jan 26, 2023
@josefaidt josefaidt removed their assignment Jan 26, 2023
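
Added example, not part of the original thread or the Amplify project's code: with redirect URIs kept per environment in team-provider-info.json as in the workaround above, a check like this can catch the carry-over described in the issue before running amplify push. SAMPLE, EXPECTED, the qa environment and the auditRedirects function are constructed for illustration; only the file layout and the dev/staging URLs come from the thread.

```javascript
// Added example: audit per-environment OAuth redirect URIs; SAMPLE and EXPECTED are constructed.
const meta = (urls) => JSON.stringify({ AllowedOAuthFlows: ["code"], CallbackURLs: urls, LogoutURLs: urls });
const SAMPLE = {
  // Constructed drift: dev carries the staging URL, as in the reported bug.
  dev: { categories: { auth: { authenvredirects12ab993d: {
    oAuthMetadata: meta(["https://staging.mydomain.com/"]) } } } },
  staging: { categories: { auth: { authenvredirects12ab993d: {
    oAuthMetadata: meta(["https://staging.mydomain.com/"]) } } } },
  // Constructed environment with no per-environment override at all.
  qa: { categories: { auth: { authenvredirects12ab993d: {} } } },
};
// Allowlist per environment (dev and staging from "Expected behavior"; qa is assumed).
const EXPECTED = {
  dev: ["https://dev.mydomain.com/", "http://localhost:3000/"],
  staging: ["https://staging.mydomain.com/"],
  qa: [],
};
// Normalise so equivalent spellings of a URL compare equal; null if unparsable.
function normalize(u) {
  try { return new URL(u).href; } catch { return null; }
}
function auditRedirects(tpi, expected) {
  const findings = [];
  for (const [env, cfg] of Object.entries(tpi)) {
    const allowed = new Set((expected[env] || []).map(normalize));
    const resources = (cfg.categories && cfg.categories.auth) || {};
    for (const [resource, props] of Object.entries(resources)) {
      let parsed;
      try {
        // oAuthMetadata is JSON stored inside a JSON string, so it is parsed again.
        parsed = JSON.parse(props.oAuthMetadata);
        if (parsed === null || typeof parsed !== "object") throw new Error("not an object");
      } catch {
        findings.push({ env, resource, issue: "missing-or-invalid-oAuthMetadata" });
        continue;
      }
      const seen = new Set();
      for (const key of ["CallbackURLs", "LogoutURLs"]) {
        for (const raw of parsed[key] || []) {
          seen.add(normalize(raw));
          if (!allowed.has(normalize(raw))) findings.push({ env, resource, issue: "unexpected", key, url: raw });
        }
      }
      for (const url of allowed) if (!seen.has(url)) findings.push({ env, resource, issue: "absent", url });
    }
  }
  return findings;
}
console.log(auditRedirects(SAMPLE, EXPECTED));
```
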
@yunchanpaik
Author

The workaround did it! Thank you so much for the help, Jose.

Looking forward to a proper implementation for this feature. Currently, the Amplify Studio shows a blank redirect_url even though it works, probably because it's not reading the overrides from team-provider-info.json.

@josefaidt
Contributor

Hey @yunchanpaik glad to hear that worked for you! For the Studio issue, yes I don't believe Studio is set to look in team-provider-info for this detail, but we will keep that in mind as we work to improve this experience!

@josefaidt josefaidt added the p3 label Jan 31, 2023
@mrcoles
Contributor

mrcoles commented Feb 28, 2023

@josefaidt can you share more info on what can and can’t be done with team-provider-info.json?

  1. Can any cli-inputs.json values be placed in the appropriate [env].categories.[category][resource_name] section of this file?
  2. If a value is put in team-provider-info.json from a cli-inputs.json file, should I remove that entry from the cli-inputs file or leave it intact? Does the team-provider-info one take priority?
  3. Is there a schema (or TypeScript interface) anywhere that shows exactly what can and cannot be put in the team-provider-info.json file?

@mrcoles
Contributor

mrcoles commented Mar 21, 2023

@josefaidt following up on my prior question—I have an auth user pool fpcognito and I tried setting {env}.categories.auth.fpcognito.facebookAppId and {env}.categories.auth.fpcognito.googleClientId in my team-provider-info.json file, but it seems like values inside amplify/backend/awscloudformation/nested-cloudformation-stack.yml are taking precedence. Is there more info on what can be set where? (more info in the AWS Amplify discord)

@JPDepew

JPDepew commented Nov 11, 2023

@josefaidt thank you so much.

4 participants