Creating Amplify auth social sign-in throws error on hosted UI providers #792

Open
4 tasks done
ykethan opened this issue Jan 12, 2023 · 7 comments
Labels
auth An issue identified as a authentication bug/feature bug An issue which has been identified as a bug studio-ui An issue that needs to be tracked by Studio Console team

Comments

@ykethan
Member

ykethan commented Jan 12, 2023

Before opening, please confirm:

App Id

d1qbjxyhsg82r

Region

us-east-1

Environment name

staging

Figma File Version (if applicable)

No response

Amplify CLI Version

10.5.2

If applicable, what version of Node.js are you using?

No response

What operating system are you using?

Mac

Browser type?

chrome

Describe the bug

Adding authentication with social sign-in as Apple causes the push to fail.
Passing in the private key with -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- causes the hosted provider function to fail. The Amplify CLI only accepts the key without the comments.

The CloudWatch logs for the callout function throw the following error:

{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: ******",
    "PhysicalResourceId": "2022/12/02/[$LATEST]*****",
    "StackId": "****",
    "RequestId": "7550d102-29fc-4377-b31d-d5759f845fbd",
    "LogicalResourceId": "HostedUIProvidersCustomResourceInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "Internal server error.",
            "code": "InternalErrorException",
            "time": "2022-12-02T10:12:13.234Z",
            "requestId": "dbc******",
            "statusCode": 500,
            "retryable": true
        }
    }
}

Refer to aws-amplify/amplify-cli#11526 (comment) and aws-amplify/amplify-cli#11526 (comment) for additional information.

Expected behavior

Validate the key or parse the key with correct information.

Reproduction steps

  1. Select authentication
  2. Remove email and add phone number as login mechanism
  3. Add social sign-in with Apple
  4. Add credentials (I pasted the key in with the -----BEGIN PRIVATE KEY-----) and deploy

Project Identifier

No response

Additional information

No response

@ykethan ykethan added pending-triage An issue that is pending triage auth An issue identified as a authentication bug/feature bug An issue which has been identified as a bug and removed pending-triage An issue that is pending triage labels Jan 12, 2023
@johnpc

johnpc commented Jan 12, 2023

It looks like Amplify CLI might have logic to extract the correct value:
https://github.com/aws-amplify/amplify-cli/blob/dev/packages/amplify-category-notifications/src/apns-cert-p12decoder.ts#L77-L90

@petercwk

petercwk commented Jan 19, 2023

This seems to be another possible code snippet that extracts the private key for the auth category.
https://github.com/aws-amplify/amplify-cli/blob/dev/packages/amplify-category-auth/src/provider-utils/awscloudformation/utils/extract-apple-private-key.ts

Not clear if it is working or if it is actually used in headless mode.

@ykethan ykethan added the studio-backend An issue that needs to be tracked by Studio Backend team label Jan 20, 2023
@petercwk

petercwk commented Jan 25, 2023

Root cause could be that Step 2 of the authentication workflow should be required, but customers are able to deploy without selecting one.

Selecting Email resulted in a successful deployment on my last test.

@ykethan
Member Author

ykethan commented Jan 25, 2023

Hey @petercwk, it failed in headless when I tested this: aws-amplify/amplify-cli#11526 (comment)

@petercwk

> Hey @petercwk, it failed in headless when I tested this: aws-amplify/amplify-cli#11526 (comment)

From the JSON payload, "requiredSignupAttributes": []. Could you try adding "PHONE_NUMBER"?

@ykethan
Member Author

ykethan commented Jan 26, 2023

Using that also fails. On a deeper dive, I found that using phone number may not be supported by Apple sign-in. Headless fails for the same reason, but when changing to email this works. Need to check if Cognito actually supports Apple sign-in with phone number.

@ykethan
Member Author

ykethan commented Jun 4, 2024

Note: the improvement here is to add validation on the box to see if this is a valid key. The fix will need to be on the CLI.
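
One way to do the key validation suggested in this thread, as an added example that is not part of the discussion and is not Amplify CLI or Studio code: accept the key with or without the -----BEGIN PRIVATE KEY----- armor, return the bare body, and reject anything that does not parse. The names normalizeApplePrivateKey and sampleKeyPem are hypothetical, and the EC P-256 check assumes Apple's .p8 keys are PKCS#8 ES256 keys.

```javascript
const { createPrivateKey, generateKeyPairSync } = require('node:crypto');

// Matches only the PKCS#8 armor lines quoted in the issue.
const PEM_ARMOR = /-----(BEGIN|END) PRIVATE KEY-----/g;

// Hypothetical helper: returns { ok: true, key: <bare base64 body> }
// or { ok: false, reason } so a form or CLI prompt can fail before deployment.
function normalizeApplePrivateKey(input) {
  if (typeof input !== 'string' || input.trim() === '') {
    return { ok: false, reason: 'empty input' };
  }
  // Drop the PEM header/footer and all whitespace, keeping only the body.
  const body = input.replace(PEM_ARMOR, '').replace(/\s+/g, '');
  if (body.includes('-----')) {
    return { ok: false, reason: 'unsupported PEM type (expected PRIVATE KEY)' };
  }
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body) || body.length % 4 !== 0) {
    return { ok: false, reason: 'key body is not valid base64' };
  }
  let keyObject;
  try {
    // Parse the decoded bytes as a DER-encoded PKCS#8 structure.
    keyObject = createPrivateKey({
      key: Buffer.from(body, 'base64'),
      format: 'der',
      type: 'pkcs8',
    });
  } catch {
    return { ok: false, reason: 'not a PKCS#8 private key' };
  }
  // Assumption: Sign in with Apple keys are EC keys on P-256 (prime256v1).
  const details = keyObject.asymmetricKeyDetails || {};
  if (keyObject.asymmetricKeyType !== 'ec' || details.namedCurve !== 'prime256v1') {
    return { ok: false, reason: 'expected an EC P-256 key' };
  }
  return { ok: true, key: body };
}

// Constructed sample: a throwaway P-256 key generated locally, not a real Apple key.
function sampleKeyPem() {
  return generateKeyPairSync('ec', { namedCurve: 'prime256v1' })
    .privateKey.export({ type: 'pkcs8', format: 'pem' });
}

console.log(normalizeApplePrivateKey(sampleKeyPem()).ok);
```

Both the armored and the bare form of the same key normalize to the same value, so the deployed configuration no longer depends on how the key was pasted.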
