
Expose OAuth class through Auth module #8933

Open
1 of 2 tasks
jglesner opened this issue Sep 22, 2021 · 11 comments
Labels
Auth Related to Auth components/category feature-request Request a new feature OAuth For issues related to OAuth TypeScript Related to TypeScript issues

Comments

@jglesner

jglesner commented Sep 22, 2021

Is this related to a new or existing framework?

No response

Is this related to a new or existing API?

No response

Is this related to another service?

No response

Describe the feature you'd like to request

In issue #8632, I highlighted the fact that there is limited documentation/support to programmatically create a user session using Cognito (id, access, refresh) tokens. In the solution I provided to my own question, I am using a private method in the Auth module: _oAuthHandler. My approach bypasses the compile time checking, since this method is marked private, which isn't a good long-term solution.

I use the _oAuthHandler method for access to the OAuth class, which has the handleAuthResponse method to conveniently process a cognito response url. I use this method to process the cognito response url directly because (1) I retrieve the response url from an in app browser window (which the native urlListener can't do), and (2) there is limited third party package support for deep linking to handle out of app redirects. Therefore, I would like to see (a) the _oAuthHandler method made public, or (b) the OAuth class (or the OAuth.handleAuthResponse method) made accessible through Auth or the aws-amplify package.

While it is possible for someone to write their own RESTful method to process the cognito response url, what's the point of doing that when the AWS Amplify package exists?

Describe the solution you'd like

I would like the _oAuthHandler method to be made public so that I can access the OAuth class without having to bypass the fact that the _oAuthHandler is currently private, and so that I/others know that this method will be supported into the future.

If _oAuthHandler is made public, you would want to drop the _ at the front. And I would use it like so:

```javascript
import { Auth } from "aws-amplify";
import * as AmazonCognitoIdentity from "amazon-cognito-identity-js";

// passing a valid cognito response url with authorization_code and state
Auth.oAuthHandler.handleAuthResponse(url).then((resp) => {
    // using the id, access and refresh tokens provided by the AuthHandler:
    const AccessToken = new AmazonCognitoIdentity.CognitoAccessToken({
        AccessToken: resp.accessToken,
    });

    const IdToken = new AmazonCognitoIdentity.CognitoIdToken({
        IdToken: resp.idToken,
    });

    const RefreshToken = new AmazonCognitoIdentity.CognitoRefreshToken({
        RefreshToken: resp.refreshToken,
    });

    const sessionData = {
        IdToken: IdToken,
        AccessToken: AccessToken,
        RefreshToken: RefreshToken,
    };

    const session = new AmazonCognitoIdentity.CognitoUserSession(
        sessionData
    );
});
```

The cognito user session can be picked up by Amplify using the second part of my solution.

Describe alternatives you've considered

The alternative is to make a REST call to the Cognito API, or bypass compile time checking, which isn't a good solution.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@jglesner jglesner added the feature-request Request a new feature label Sep 22, 2021
@aws-eddy aws-eddy added Auth Related to Auth components/category OAuth For issues related to OAuth labels Oct 22, 2021
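
An added example, not part of the original issue and not Amplify's code: the checks an app would want to run on a redirect URL taken by hand from an in-app browser window before the authorization code in it is exchanged for tokens. The function names, the `reason` strings and the sample redirect URI are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical and the sample URL is constructed.
const SAMPLE_REDIRECT = "https://app.example.test/callback";

// Constant-time comparison so the state check does not reveal how much matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok: true, code } or { ok: false, reason }.
function parseAuthCallback(callbackUrl, expectedRedirect, savedState) {
  let url, expected;
  try {
    url = new URL(callbackUrl);
    expected = new URL(expectedRedirect);
  } catch {
    return { ok: false, reason: "malformed_url" };
  }
  // Accept only the registered redirect URI, not any page the browser window visited.
  if (url.protocol !== expected.protocol || url.host !== expected.host ||
      url.pathname !== expected.pathname) {
    return { ok: false, reason: "unexpected_redirect_uri" };
  }
  const q = url.searchParams;
  // state must be present exactly once and equal the value stored before sign-in began.
  if (!savedState || q.getAll("state").length !== 1 ||
      !safeEqual(q.get("state"), savedState)) {
    return { ok: false, reason: "state_mismatch" };
  }
  // The authorization server reports a failed sign-in through the error parameter.
  if (q.has("error")) {
    return { ok: false, reason: "provider_error", error: q.get("error") };
  }
  // A repeated or empty code is ambiguous, so it is rejected rather than guessed at.
  const codes = q.getAll("code");
  if (codes.length !== 1 || codes[0] === "") {
    return { ok: false, reason: "missing_or_duplicate_code" };
  }
  return { ok: true, code: codes[0] };
}
```

Only a result with `ok: true` should go on to the token exchange; `savedState` is the value the app generated and stored when it opened the sign-in window.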
@SebastianKurp

+1 This would be useful in cases where you need to set up SAML federated access

@cxonexus-github-admin

+1 Setting up SAML Federated access and am working on this exact issue right now.

@stemwinder

+1 SAML federated scenarios

@bobthebuilder1997

+1 SAML federated scenarios

@chanpod

chanpod commented Aug 21, 2022

Need for some micro UI SSR scenarios (so basically a federated setup I think)

@abdallahshaban557
Contributor

Hi @jglesner - I want to make sure I am understanding your use case properly - you are using federatedSignIn, but then need to create a user session which produces the id, access, refresh token sessions programmatically as part of that flow?

@jglesner
Author

jglesner commented Sep 5, 2022

@abdallahshaban557 In my particular case, I'm using federatedSignIn in a pop-up browser window within a JS mobile app, and once complete, I have the Cognito URL. I want public access to the Auth class so that I can process it. So I need a programmatic alternative to urlListener. If Auth.oAuthHandler.handleAuthResponse were public, I can achieve this.

Using the handleAuthResponse is a means to an end -- ultimately I want to create a cognito session recognized by Amplify. One way to do that, is to use the id, access, and refresh tokens I receive from handleAuthResponse to create a valid Amplify session, as I demonstrate in #8632.

@abdallahshaban557
Contributor

Hi @jglesner - and for your particular use case, using the AWS credentials is not enough to access resources you might need? You need to create a session and retrieve all the tokens you get with userpool sign in?

@jglesner
Author

jglesner commented Sep 8, 2022

@abdallahshaban557 No, this isn’t so I can log in. This is a mobile app backed by cognito designed to let users of the app create accounts. As I explained, I don’t need the tokens as much as I need to process a cognito url and create an Amplify cognito user session.

@saconnolly

@abdallahshaban557 Has there been any update on this? From what I can see, @jglesner's proposed solution is the best option as of now and none of us love using a private function.

In my opinion, the best option would be leaving Amplify out of the solution and adding handleAuthResponse to the amazon-cognito-identity-js package. Currently the amazon-cognito-identity-js doesn't have a documented solution for how to support Authorization Code Flow for OAuth and this seems like the best way to start.

@abdallahshaban557
Contributor

@saconnolly - we do not have an update yet. Thank you for that suggestion, however we are not making updates to the amazon-cognito-identity-js package in the near future.

@tannerabread tannerabread added the TypeScript Related to TypeScript issues label Mar 16, 2023