feat(Auth): Allow sending login_hint, lang and nonce on signInWithRed…

…irects (#14089) * feat(Auth): Allow sending login_hint, lang and nonce on signInWithRedirects (#8951) * chore(auth): Use the cognito languages as suggestions and add docs for parameters
aws-amplify · Jan 10, 2025 · a4063a1 · a4063a1
1 parent f2a0b74
commit a4063a1
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 0 deletions.
diff --git a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
@@ -295,6 +295,7 @@ describe('signInWithRedirect', () => {
 			);
 			expect(mockHandleFailure).toHaveBeenCalledWith(expectedError);
 		});
+
 		it('should not set the Oauth flag on non-browser environments', async () => {
 			const mockOpenAuthSessionResult = {
 				type: 'success',
@@ -308,6 +309,28 @@ describe('signInWithRedirect', () => {
 
 			expect(oAuthStore.storeOAuthInFlight).toHaveBeenCalledTimes(0);
 		});
+
+		it('should send the login_hint, lang and nonce in the query string if provided', async () => {
+			await signInWithRedirect({
+				provider: 'Google',
+				options: {
+					loginHint: '[email protected]',
+					lang: 'en',
+					nonce: '88388838883',
+				},
+			});
+
+			const [oauthUrl, redirectSignIn, preferPrivateSession] =
+				mockOpenAuthSession.mock.calls[0];
+
+			expect(oauthUrl).toStrictEqual(
+				'https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=Google&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&login_hint=someone%40gmail.com&lang=en&nonce=88388838883&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256',
+			);
+			expect(redirectSignIn).toEqual(
+				mockAuthConfigWithOAuth.Auth.Cognito.loginWith.oauth.redirectSignIn,
+			);
+			expect(preferPrivateSession).toBeUndefined();
+		});
 	});
 
 	describe('errors', () => {

diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
@@ -57,6 +57,11 @@ export async function signInWithRedirect(
 		provider,
 		customState: input?.customState,
 		preferPrivateSession: input?.options?.preferPrivateSession,
+		options: {
+			loginHint: input?.options?.loginHint,
+			lang: input?.options?.lang,
+			nonce: input?.options?.nonce,
+		},
 	});
 }
 
@@ -66,14 +71,17 @@ const oauthSignIn = async ({
 	clientId,
 	customState,
 	preferPrivateSession,
+	options,
 }: {
 	oauthConfig: OAuthConfig;
 	provider: string;
 	clientId: string;
 	customState?: string;
 	preferPrivateSession?: boolean;
+	options?: SignInWithRedirectInput['options'];
 }) => {
 	const { domain, redirectSignIn, responseType, scopes } = oauthConfig;
+	const { loginHint, lang, nonce } = options ?? {};
 	const randomState = generateState();
 
 	/* encodeURIComponent is not URL safe, use urlSafeEncode instead. Cognito
@@ -99,6 +107,10 @@ const oauthSignIn = async ({
 		client_id: clientId,
 		identity_provider: provider,
 		scope: scopes.join(' '),
+		// eslint-disable-next-line camelcase
+		...(loginHint && { login_hint: loginHint }),
+		...(lang && { lang }),
+		...(nonce && { nonce }),
 		state,
 		...(responseType === 'code' && {
 			code_challenge: toCodeChallenge(),

diff --git a/packages/auth/src/types/inputs.ts b/packages/auth/src/types/inputs.ts
@@ -68,6 +68,33 @@ export interface AuthSignInWithRedirectInput {
 		 * On all other platforms, this flag is ignored.
 		 */
 		preferPrivateSession?: boolean;
+		/**
+		 * A username prompt that you want to pass to the authorization server. You can collect a username, email address or phone number from your user and allow the destination provider to pre-populate the user's sign-in name. When you submit a `login_hint` parameter and no `idp_identifier` or `identity_provider` parameters to the `/oauth2/authorize` endpoint, managed login fills the username field with your hint value. You can also pass this parameter to the Login endpoint and automatically fill the username value.
+		 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+		 */
+		loginHint?: string;
+		/**
+		 * The language that you want to display user-interactive pages in. Managed login pages can be localized, but hosted UI (classic) pages can not
+		 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+		 */
+		lang?:
+			| 'de'
+			| 'en'
+			| 'es'
+			| 'fr'
+			| 'id'
+			| 'it'
+			| 'ja'
+			| 'ko'
+			| 'pt-BR'
+			| 'zh-CN'
+			| 'zh-TW'
+			| (string & NonNullable<unknown>);
+		/**
+		 * A random value that you can add to the request. The nonce value that you provide is included in the ID token that Amazon Cognito issues. To guard against replay attacks, your app can inspect the `nonce` claim in the ID token and compare it to the one you generated.
+		 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+		 */
+		nonce?: string;
 	};
 }