feat(auth): support custom domain prefix for cognito domain in user pool

.changeset/stupid-times-knock.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-auth': patch
+---
+
+feat(auth): support custom domain prefix for cognito domain in user pool

packages/backend-auth/src/factory.ts

@@ -161,17 +161,14 @@ class AmplifyAuthGenerator implements ConstructContainerEntryGenerator {
       loginWith: translateToAuthConstructLoginWith(
         this.props.loginWith,
         backendSecretResolver,
+        stableBackendIdentifiers,
       ),
       senders: translateToAuthConstructSenders(
         this.props.senders,
         this.getInstanceProps,
       ),
       outputStorageStrategy: this.getInstanceProps.outputStorageStrategy,
     };
-    if (authProps.loginWith.externalProviders) {
-      authProps.loginWith.externalProviders.domainPrefix =
-        stableBackendIdentifiers.getStableBackendHash();
-    }
 
     let authConstruct: AmplifyAuth;
     try {

packages/backend-auth/src/translate_auth_props.test.ts

@@ -3,6 +3,7 @@ import {
   BackendSecret,
   BackendSecretResolver,
   ResolvePathResult,
+  StableBackendIdentifiers,
 } from '@aws-amplify/plugin-types';
 import { describe, it } from 'node:test';
 import { AuthLoginWithFactoryProps } from './types.js';
@@ -31,6 +32,8 @@ const appleKeyId = 'appleKeyId';
 const applePrivateKey = 'applePrivateKey';
 const callbackUrls = ['a', 'b'];
 const logoutUrls = ['a', 'b'];
+const stableBackendHash = 'testStableBackendHash';
+const domainPrefix = 'testDomainPrefix';
 
 const testBackendIdentifier: BackendIdentifier = {
   namespace: 'testBackendId',
@@ -68,8 +71,15 @@ class TestBackendSecretResolver implements BackendSecretResolver {
   };
 }
 
+class TestStableBackendIdentifiers implements StableBackendIdentifiers {
+  getStableBackendHash = (): string => {
+    return stableBackendHash;
+  };
+}
+
 void describe('translateToAuthConstructLoginWith', () => {
   const backendResolver = new TestBackendSecretResolver();
+  const stableBackendIdentifiers = new TestStableBackendIdentifiers();
 
   void it('translates with external providers', () => {
     const loginWith: AuthLoginWithFactoryProps = {
@@ -108,6 +118,7 @@ void describe('translateToAuthConstructLoginWith', () => {
     const translated = translateToAuthConstructLoginWith(
       loginWith,
       backendResolver,
+      stableBackendIdentifiers,
     );
 
     const expected: AuthProps['loginWith'] = {
@@ -140,6 +151,7 @@ void describe('translateToAuthConstructLoginWith', () => {
         },
         callbackUrls: callbackUrls,
         logoutUrls: logoutUrls,
+        domainPrefix: stableBackendHash,
       },
     };
     assert.deepStrictEqual(translated, expected);
@@ -157,15 +169,68 @@ void describe('translateToAuthConstructLoginWith', () => {
     const translated = translateToAuthConstructLoginWith(
       loginWith,
       backendResolver,
+      stableBackendIdentifiers,
     );
 
     const expected: AuthProps['loginWith'] = {
       phone,
       externalProviders: {
         callbackUrls: callbackUrls,
         logoutUrls: logoutUrls,
+        domainPrefix: stableBackendHash,
+      },
+    };
+    assert.deepStrictEqual(translated, expected);
+  });
+
+  void it('translates without custom domain prefix', () => {
+    const loginWith: AuthLoginWithFactoryProps = {
+      externalProviders: {
+        callbackUrls: callbackUrls,
+        logoutUrls: logoutUrls,
+      },
+    };
+
+    const translated = translateToAuthConstructLoginWith(
+      loginWith,
+      backendResolver,
+      stableBackendIdentifiers,
+    );
+
+    const expected: AuthProps['loginWith'] = {
+      externalProviders: {
+        callbackUrls,
+        logoutUrls,
+        domainPrefix: stableBackendHash,
       },
     };
+
+    assert.deepStrictEqual(translated, expected);
+  });
+
+  void it('translates with custom domain prefix', () => {
+    const loginWith: AuthLoginWithFactoryProps = {
+      externalProviders: {
+        callbackUrls: callbackUrls,
+        logoutUrls: logoutUrls,
+        domainPrefix: domainPrefix,
+      },
+    };
+
+    const translated = translateToAuthConstructLoginWith(
+      loginWith,
+      backendResolver,
+      stableBackendIdentifiers,
+    );
+
+    const expected: AuthProps['loginWith'] = {
+      externalProviders: {
+        callbackUrls,
+        logoutUrls,
+        domainPrefix: domainPrefix,
+      },
+    };
+
     assert.deepStrictEqual(translated, expected);
   });
 
@@ -177,6 +242,7 @@ void describe('translateToAuthConstructLoginWith', () => {
     const translated = translateToAuthConstructLoginWith(
       loginWith,
       backendResolver,
+      stableBackendIdentifiers,
     );
 
     const expected: AuthProps['loginWith'] = {

packages/backend-auth/src/translate_auth_props.ts

@@ -9,6 +9,7 @@ import {
 import {
   BackendSecretResolver,
   ConstructFactoryGetInstanceProps,
+  StableBackendIdentifiers,
 } from '@aws-amplify/plugin-types';
 import {
   AmazonProviderFactoryProps,
@@ -26,10 +27,13 @@ import { AmplifyAuthProps } from './factory.js';
  * Translate an Auth factory's loginWith to its Auth construct counterpart. Backend secret fields will be resolved
  * to an CFN token and map to the required construct type. Note that not all construct secret fields are of sdk
  * SecretValue type, many are (wrongly) of type string as well.
+ *
+ * The domain prefix will be used if specified, otherwise a default domain prefix will be generated.
  */
 export const translateToAuthConstructLoginWith = (
   authFactoryLoginWith: AuthLoginWithFactoryProps,
   backendSecretResolver: BackendSecretResolver,
+  stableBackendIdentifiers: StableBackendIdentifiers,
 ): AuthProps['loginWith'] => {
   const result: AuthProps['loginWith'] =
     authFactoryLoginWith as AuthProps['loginWith'];
@@ -82,6 +86,14 @@ export const translateToAuthConstructLoginWith = (
     result.externalProviders.google = googleProps;
   }
 
+  const domainPrefix = translateDomainPrefix(
+    stableBackendIdentifiers,
+    externalProviders.domainPrefix,
+  );
+  if (domainPrefix) {
+    result.externalProviders.domainPrefix = domainPrefix;
+  }
+
   return result;
 };
 /**
@@ -159,14 +171,14 @@ const translateAmazonProps = (
 
 const translateAppleProps = (
   backendSecretResolver: BackendSecretResolver,
-  amazonProviderProps?: AppleProviderFactoryProps,
+  appleProviderProps?: AppleProviderFactoryProps,
 ): AppleProviderProps | undefined => {
-  if (!amazonProviderProps) {
+  if (!appleProviderProps) {
     return undefined;
   }
 
   const { clientId, teamId, keyId, privateKey, ...noSecretProps } =
-    amazonProviderProps;
+    appleProviderProps;
   return {
     ...noSecretProps,
     clientId: backendSecretResolver.resolveSecret(clientId).unsafeUnwrap(),
@@ -236,3 +248,13 @@ const translateGoogleProps = (
     clientSecret: backendSecretResolver.resolveSecret(clientSecretValue),
   };
 };
+
+const translateDomainPrefix = (
+  stableBackendIdentifiers: StableBackendIdentifiers,
+  domainPrefix?: string,
+): string | undefined => {
+  if (!domainPrefix) {
+    return stableBackendIdentifiers.getStableBackendHash();
+  }
+  return domainPrefix;
+};

packages/backend-auth/src/types.ts

@@ -142,12 +142,7 @@ export type OidcProviderFactoryProps = Omit<
  */
 export type ExternalProviderGeneralFactoryProps = Omit<
   ExternalProviderOptions,
-  | 'signInWithApple'
-  | 'loginWithAmazon'
-  | 'facebook'
-  | 'oidc'
-  | 'google'
-  | 'domainPrefix'
+  'signInWithApple' | 'loginWithAmazon' | 'facebook' | 'oidc' | 'google'
 >;
 
 /**