Authentication Directly with Custom Auth Provider (Okta) #12742

Open
2 tasks
oconpa opened this issue Dec 21, 2023 · 4 comments
Assignees
Labels
Auth Related to Auth components/category documentation Related to documentation feature requests feature-request Request a new feature need-product-input Needs non-technical requirements or direction to proceed VP Version parity issues between v5 and v6

Comments


oconpa commented Dec 21, 2023

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

AppSync API Authentication

Describe the feature you'd like to request

Can we introduce an ability in Amplify V6 to authenticate directly to a custom authentication provider, without passing through a Cognito User Pool? This feature was possible in v5; I have worked with customers using this in production loads and would like to see it continued in Amplify V6.

Feedback on its current setup in v6 is that usage of Cognito would mean customers can find themselves in an out-of-sync system, where users are removed from the Okta platform but still exist in the connected user pools until removed there. For this reason, they would like all systems to authenticate directly to Okta.

Describe the solution you'd like

In Amplify v5 this was achieved through the code excerpt below, configured in aws-config.ts, which is passed to Amplify.configure().

```js
// Amplify V5

const awsconfig = {
  oauth: {
    WebDomain: "xxxxxxxxxxx.okta-<region>.com",
    FederationTarget: "okta",
  },
  aws_appsync_graphqlEndpoint: `${process.env.REACT_APP_APPSYNCAPI}`,
  aws_appsync_region: `${process.env.REACT_APP_REGION}`,
  // ...
};
```

I would suggest duplicating this feature in the newer Amplify V6 in the following format:

```js
// Amplify V6

Amplify.configure({
  Auth: {
    Cognito: { /* ... */ },
    Custom: {
      OAuth: {
        WebDomain: "xxxxxxxxxxx.okta-<region>.com",
        FederationTarget: "okta",
      },
    },
  },
});
```

Describe alternatives you've considered

Without this ability customers running workloads either remain on v5, or look to migrate away from Amplify in favor of a custom framework which allows them to directly authenticate with their chosen authentication framework. It's a blocker in using Amplify if it's fixed for Cognito usage.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@oconpa oconpa added the pending-triage Issue is pending triage label Dec 21, 2023
@cwomack cwomack self-assigned this Dec 21, 2023
@cwomack cwomack added Auth Related to Auth components/category investigating This issue is being investigated and removed pending-triage Issue is pending triage labels Dec 21, 2023
@e-mar-para

We are currently using v5 and would like to upgrade to v6, but this is blocking us since our company requires Okta auth. Thanks.

Member

israx commented Dec 21, 2023

Amplify v6 allows you to federate to an identity pool with an IdP. You would need to create a custom credentials provider. You can review this section.
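
The custom credentials provider mentioned in the comment above, sketched as an added example that is not part of the original thread or of the Amplify project's code. It exchanges an Okta ID token for AWS credentials through a Cognito identity pool (no user pool), caches them until shortly before expiry, and drops both token and keys on sign-out. The class name, `IDENTITY_POOL_ID`, `OKTA_LOGIN_KEY` and the injected client are assumptions for illustration.

```javascript
// Added example: shape of an Amplify v6 custom credentials provider.
// IDENTITY_POOL_ID and OKTA_LOGIN_KEY are placeholders, not values from the thread.
const IDENTITY_POOL_ID = "<region>:<identity-pool-id>";
const OKTA_LOGIN_KEY = "xxxxxxxxxxx.okta-<region>.com"; // IdP name as registered on the pool

class OktaCredentialsProvider {
  // identityClient must expose getId() and getCredentialsForIdentity(), e.g.
  // new CognitoIdentity({ region }) from @aws-sdk/client-cognito-identity.
  constructor(identityClient, now = () => Date.now()) {
    this.client = identityClient;
    this.now = now;
    this.idToken = undefined;
    this.cached = undefined;
  }

  // Call after the Okta sign-in completes, with the ID token it returned.
  loadFederatedLogin(idToken) {
    this.idToken = idToken;
    this.cached = undefined; // never reuse credentials minted for an older token
  }

  async getCredentialsAndIdentityId({ forceRefresh } = {}) {
    if (!this.idToken) return undefined; // not signed in with Okta: no credentials
    const fresh = this.cached &&
      this.cached.credentials.expiration.getTime() - this.now() > 60000;
    if (fresh && !forceRefresh) return this.cached;

    const Logins = { [OKTA_LOGIN_KEY]: this.idToken };
    const { IdentityId } = await this.client.getId({ IdentityPoolId: IDENTITY_POOL_ID, Logins });
    const { Credentials } = await this.client.getCredentialsForIdentity({ IdentityId, Logins });
    this.cached = {
      identityId: IdentityId,
      credentials: {
        accessKeyId: Credentials.AccessKeyId,
        secretAccessKey: Credentials.SecretKey,
        sessionToken: Credentials.SessionToken,
        expiration: Credentials.Expiration,
      },
    };
    return this.cached;
  }

  // Amplify calls this on sign-out; drop the token and the cached keys.
  clearCredentialsAndIdentityId() {
    this.idToken = undefined;
    this.cached = undefined;
  }
}

// Registration (requires aws-amplify, so shown as a comment only):
// Amplify.configure(config, { Auth: { credentialsProvider: new OktaCredentialsProvider(client) } });
```

Because the identity pool issues credentials only against a token Okta has just signed, a user removed from Okta stops receiving new credentials once the cached set expires.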

Member

cwomack commented Dec 22, 2023

@oconpa and @e-mar-para, let us know if the guidance and docs link provided above help resolve the issue with getting Okta integrated and used as your custom Auth provider. Depending on how you're looking to configure Auth, you may also need to use additional fields within the scoped configuration. Let us know if there are additional questions or issues!

@cwomack cwomack added question General question pending-response and removed investigating This issue is being investigated labels Dec 22, 2023
Author

oconpa commented Dec 25, 2023

I think it would be highly beneficial to see here or in the docs an example of this specific use case migrated from Amplify V5 to V6. Much of the authentication processing behind the scenes is not presented at a glance from the Amplify.configure step:

```js
oauth: {
    WebDomain: "xxxxxxxxxxx.okta-<region>.com",
    FederationTarget: "okta",
},
```

Could you provide an example of how one would migrate from this step into the setup of a basic Okta application using the custom step presented above?

@cwomack cwomack added documentation Related to documentation feature requests need-product-input Needs non-technical requirements or direction to proceed and removed question General question labels May 13, 2024
@haverchuck haverchuck added the VP Version parity issues between v5 and v6 label Jun 24, 2024
@jimblanc jimblanc added the feature-request Request a new feature label Oct 2, 2024