oAuth section is missing from the legacy (gen 1) config #1551

Closed
Jordan-Nelson opened this issue May 23, 2024 · 6 comments · Fixed by #1578
Labels
amplify_outputs Issue related to generating amplify_outputs for deployed backends bug Something isn't working p2

Comments

@Jordan-Nelson

Jordan-Nelson commented May 23, 2024

Environment information

System:
  OS: macOS 13.6.6
  CPU: (10) arm64 Apple M1 Pro
  Memory: 175.64 MB / 32.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 18.16.0 - ~/.nvm/versions/node/v18.16.0/bin/node
  Yarn: 1.22.19 - ~/.nvm/versions/node/v18.16.0/bin/yarn
  npm: 9.5.1 - ~/.nvm/versions/node/v18.16.0/bin/npm
  pnpm: 8.6.11 - ~/Library/pnpm/pnpm
NPM Packages:
  @aws-amplify/backend: 1.0.2
  @aws-amplify/backend-cli: 1.0.3
  aws-amplify: 6.3.2
  aws-cdk: 2.142.1
  aws-cdk-lib: 2.142.1
  typescript: 5.4.5
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

Note: The repro steps use .addOutputs to reproduce this, but it appears to be reproducible with an app that uses defineAuth() to add the oauth config. See: aws-amplify/amplify-flutter#4922

Steps to reproduce:

  1. Create a backend with a non-gen-2 auth backend that uses oAuth (see example below)
  2. generate the legacy (gen 1) config (npx ampx generate outputs --format dart --out-dir lib --outputs-version 0)
  3. observe that the oAuth info is missing from the config
  4. generate the gen 2 config (npx ampx generate outputs --format dart --out-dir lib)
  5. observe that the oAuth section is present

Expected Behavior: oAuth is present in both gen 1 and gen 2 config formats.
Actual Behavior: oAuth is missing when using the gen 1 config format.

// example backend

import { defineBackend } from "@aws-amplify/backend";

defineBackend({}).addOutput({
  auth: {
    aws_region: "us-east-1",
    user_pool_id: "fake-user-pool",
    user_pool_client_id: "fake-client-id",
    identity_pool_id: "fake-identity-pool-id",
    password_policy: {
      min_length: 8,
      require_numbers: true,
      require_lowercase: true,
      require_uppercase: true,
      require_symbols: true,
    },
    oauth: {
      identity_providers: [
        "GOOGLE",
        "FACEBOOK",
        "LOGIN_WITH_AMAZON",
        "SIGN_IN_WITH_APPLE",
      ],
      domain: "fake-domain",
      scopes: ["scope-1", "scope-2"],
      redirect_sign_in_uri: ["sign-in-redirect-1", "sign-in-redirect-2"],
      redirect_sign_out_uri: ["sign-out-redirect-1", "sign-out-redirect-2"],
      response_type: "code",
    },
    standard_required_attributes: ["email", "name"],
    username_attributes: ["email"],
    user_verification_types: ["email"],
    unauthenticated_identities_enabled: true,
    mfa_configuration: "OPTIONAL",
    mfa_methods: ["SMS", "TOTP"],
  },
});

gen 2 outputs (oAuth present)

const amplifyConfig = '''{
  "version": "1",
  "auth": {
    "aws_region": "us-east-1",
    "user_pool_id": "fake-user-pool",
    "user_pool_client_id": "fake-client-id",
    "identity_pool_id": "fake-identity-pool-id",
    "password_policy": {
      "min_length": 8,
      "require_numbers": true,
      "require_lowercase": true,
      "require_uppercase": true,
      "require_symbols": true
    },
    "oauth": {
      "identity_providers": [
        "GOOGLE",
        "FACEBOOK",
        "LOGIN_WITH_AMAZON",
        "SIGN_IN_WITH_APPLE"
      ],
      "domain": "fake-domain",
      "scopes": [
        "scope-1",
        "scope-2"
      ],
      "redirect_sign_in_uri": [
        "sign-in-redirect-1",
        "sign-in-redirect-2"
      ],
      "redirect_sign_out_uri": [
        "sign-out-redirect-1",
        "sign-out-redirect-2"
      ],
      "response_type": "code"
    },
    "standard_required_attributes": [
      "email",
      "name"
    ],
    "username_attributes": [
      "email"
    ],
    "user_verification_types": [
      "email"
    ],
    "unauthenticated_identities_enabled": true,
    "mfa_configuration": "OPTIONAL",
    "mfa_methods": [
      "SMS",
      "TOTP"
    ]
  }
}''';

gen 1 config (oAuth missing)

const amplifyConfig = '''{
  "UserAgent": "@aws-amplify/client-config/1.0.2",
  "Version": "1.0",
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "@aws-amplify/client-config/1.0.2",
        "Version": "1.0",
        "CognitoUserPool": {
          "Default": {
            "PoolId": "fake-user-pool",
            "AppClientId": "fake-client-id",
            "Region": "us-east-1"
          }
        },
        "CredentialsProvider": {
          "CognitoIdentity": {
            "Default": {
              "PoolId": "fake-identity-pool-id",
              "Region": "us-east-1"
            }
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH",
            "mfaConfiguration": "OPTIONAL",
            "mfaTypes": [
              "SMS",
              "TOTP"
            ],
            "passwordProtectionSettings": {
              "passwordPolicyMinLength": 8,
              "passwordPolicyCharacters": [
                "REQUIRES_NUMBERS",
                "REQUIRES_LOWERCASE",
                "REQUIRES_UPPERCASE",
                "REQUIRES_SYMBOLS"
              ]
            },
            "signupAttributes": [
              "EMAIL",
              "NAME"
            ],
            "usernameAttributes": [
              "EMAIL"
            ],
            "verificationMechanisms": [
              "EMAIL"
            ]
          }
        },
      }
    }
  }
}''';
@Jordan-Nelson Jordan-Nelson added the pending-triage Incoming issues that need categorization label May 23, 2024
@josefaidt
Contributor

Hey @Jordan-Nelson 👋 thanks for raising this! Marking as a bug

@josefaidt josefaidt added bug Something isn't working amplify_outputs Issue related to generating amplify_outputs for deployed backends p2 and removed pending-triage Incoming issues that need categorization labels May 23, 2024
@Jordan-Nelson Jordan-Nelson changed the title oAuth section is missing from the legacy (gen 1) config when added addOutputs() oAuth section is missing from the legacy (gen 1) config May 28, 2024
@Jordan-Nelson
Author

This doesn't appear to be fully resolved. The oAuth section is now present, but it is missing the user pool client id. Also the socialProviders section (oauth.identity_providers in gen2) is missing.

@0618
Contributor

0618 commented Jun 14, 2024

Just to clarify the first step

Create a backend with a non-gen-2 auth backend that uses oAuth (see example below)

But the example uses import { defineBackend } from "@aws-amplify/backend"; which is Gen2. Is there a typo?

@Jordan-Nelson
Author

Apologies for the confusion. By "non-gen-2" backend, I meant an app that is using an existing Cognito resource.

However, this issue can be reproduced with a gen 2 app as well. See the steps below.

Reproduction steps using Gen 2:

  1. Follow the first 3 steps from the quick start here: https://docs.amplify.aws/flutter/start/quickstart/
    • run flutter create my_amplify_app
    • run cd my_amplify_app
    • run npm create amplify@latest -y
  2. update amplify/auth/resource.ts with the following code:
import { defineAuth, secret } from "@aws-amplify/backend";

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      google: {
        clientId: secret("google_client_id"),
        clientSecret: secret("google_client_secret"),
        scopes: ["email", "profile"],
      },
      callbackUrls: ["myapp://"],
      logoutUrls: ["myapp://"],
    },
  },
});
  3. add the two secrets:
    • run npx ampx sandbox secret set google_client_id and then enter any string
    • run npx ampx sandbox secret set google_client_secret and then enter any string
  4. run npx ampx sandbox --outputs-format dart --outputs-out-dir lib --outputs-version 0
  5. Observe the OAuth section of the config located at lib/amplifyconfiguration.dart does not have the AppClientId (this is preventing all customers from using Gen 2 with oAuth & Flutter)
  6. Observe the Auth.Default section of the config located at lib/amplifyconfiguration.dart does not have the socialProviders

@0618
Contributor

0618 commented Jun 14, 2024

Thanks for the detailed reproduction @Jordan-Nelson ! I was able to reproduce the issue mostly. Only one question:

Observe the OAuth section of the config located at lib/amplifyconfiguration.dart does not have the AppClientId (this is preventing all customers from using Gen 2 with oAuth & Flutter)

Did you mean no AppClientId in amplify_outputs.dart? I do see AppClientId in amplifyconfiguration.dart.
AppClientId is user_pool_client_id in amplify_outputs.dart

@Amplifiyer
Contributor

Closing as the last issue is resolved in PR #1655
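
A regression check for the gaps reported in this thread (no OAuth block, then no AppClientId and no socialProviders in the legacy config), as an added example that is not part of the original issue or the Amplify code base. The function names, the `Auth.Default.OAuth` location, the `WebDomain` key and the trimmed sample objects are assumptions made for illustration.

```typescript
// Added example (not Amplify code). Inputs are the parsed JSON of both formats.
type Json = { [key: string]: unknown };

// Follow a key path through nested objects; undefined when a hop is absent.
function dig(root: unknown, path: string[]): unknown {
  let node: unknown = root;
  for (const key of path) {
    if (typeof node !== "object" || node === null) return undefined;
    node = (node as Json)[key];
  }
  return node;
}

// Path to Auth.Default in the legacy config, as shown in the issue.
const AUTH_DEFAULT = ["auth", "plugins", "awsCognitoAuthPlugin", "Auth", "Default"];

// Returns the legacy-config entries that the gen 2 outputs require but lack.
function findMissingOAuthFields(gen2: unknown, legacy: unknown): string[] {
  const oauth = dig(gen2, ["auth", "oauth"]);
  if (oauth === undefined) return []; // no OAuth configured, nothing to lose
  const missing: string[] = [];
  const authDefault = dig(legacy, AUTH_DEFAULT);
  // Assumption: the legacy OAuth block is Auth.Default.OAuth.
  const legacyOAuth = dig(authDefault, ["OAuth"]);
  const clientId = dig(gen2, ["auth", "user_pool_client_id"]);
  const legacyClientId = dig(legacyOAuth, ["AppClientId"]);
  if (legacyOAuth === undefined) {
    missing.push("Auth.Default.OAuth");
  } else if (typeof legacyClientId !== "string" || legacyClientId !== clientId) {
    missing.push("Auth.Default.OAuth.AppClientId");
  }
  const providers = dig(oauth, ["identity_providers"]);
  const social = dig(authDefault, ["socialProviders"]);
  if (Array.isArray(providers) && providers.length > 0 &&
      !(Array.isArray(social) && social.length > 0)) {
    missing.push("Auth.Default.socialProviders");
  }
  return missing;
}

// Constructed samples, trimmed from the configs in the issue.
const gen2Sample = { auth: { user_pool_client_id: "fake-client-id",
  oauth: { identity_providers: ["GOOGLE"], domain: "fake-domain" } } };
const wrap = (authDefault: Json) =>
  ({ auth: { plugins: { awsCognitoAuthPlugin: { Auth: { Default: authDefault } } } } });
const asReported = wrap({ authenticationFlowType: "USER_SRP_AUTH" });
const afterFirstFix = wrap({ OAuth: { WebDomain: "fake-domain" } });
const complete = wrap({ socialProviders: ["GOOGLE"],
  OAuth: { WebDomain: "fake-domain", AppClientId: "fake-client-id" } });

console.log(findMissingOAuthFields(gen2Sample, asReported));
```

Run against both generated files in CI, a non-empty result flags a client config that would ship without the hosted-UI sign-in settings the backend defines.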
