
I have an Amplify Gen 2 app with Google SSO.

When developing locally, and when using AWS-generated domains like https://dev.app_id.amplifyapp.com, Google SSO works great.

On the Google Cloud credentials page I have set the Authorized JavaScript origins to https://cognito_id.auth.us-west-2.amazoncognito.com and the Authorized redirect URIs to https://cognito_id.auth.us-west-2.amazoncognito.com/oauth2/idpresponse.

This is my defineAuth resource file:

import { defineAuth, secret } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      google: {
        clientId: secret('GOOGLE_CLIENT_ID'),
        clientSecret: secret('GOOGLE_CLIENT_SECRET'),
        scopes: ['email', 'profile'],
        attributeMapping: {
          givenName: 'given_name',
          familyName: 'family_name',
        },
      },
      // URLs Cognito may redirect back to after sign-in / sign-out
      callbackUrls: [process.env.FRONTEND_URL!],
      logoutUrls: [process.env.FRONTEND_URL!],
    },
  },
  // ...
});

Where FRONTEND_URL is an env variable that has the URL for the client. When using AWS-generated domains, the value is https://dev.app_id.amplifyapp.com.

The issue is that when I added a custom domain to my frontend code, I also updated FRONTEND_URL in my backend env variable, but now when pressing the Google Sign In or Google Sign Up button, I get this error:

redirect is coming from a different origin. The oauth flow needs to be initiated from the same origin

Can you please let me know what I'm doing wrong? I'm using @aws-amplify/ui-react-native for the frontend UI

1 Answer

This error is basically an origin/redirect mismatch in the OAuth flow. When using Google as an external provider with AWS Cognito or Amplify, you must ensure that:

  1. The front-end domain (custom domain) from which the OAuth initiation happens is registered in Google Cloud’s Authorized JavaScript origins.

  2. The redirect URI that Cognito is going to use (callback URL) is present in the Authorized redirect URIs list in Google Cloud Console, matching exactly (including scheme, domain, path).

  3. On AWS side (Cognito User Pool or Amplify Auth config), the callbackUrls (for sign-in) and logoutUrls etc. must include the custom domain.

  4. If you change front-end domain (e.g., move from AWS generated to custom), you must update both front-end and Google OAuth settings.

Without that, Google rejects the request because it sees it coming from an origin that’s not registered (violating its OAuth security policy).
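The answer's checks, turned into a small configuration checker as an added example (not code from the question, the answer or Amplify); the interface, function names and sample domains are assumptions:

```typescript
// Added example; names and sample values are assumptions, not from the page.
interface OAuthOriginConfig {
  frontendUrl: string;           // page that starts sign-in (FRONTEND_URL)
  cognitoDomain: string;         // https://<pool>.auth.<region>.amazoncognito.com
  googleJsOrigins: string[];     // Google Cloud "Authorized JavaScript origins"
  googleRedirectUris: string[];  // Google Cloud "Authorized redirect URIs"
  callbackUrls: string[];        // callbackUrls passed to defineAuth
  logoutUrls: string[];          // logoutUrls passed to defineAuth
}

// Exact comparison, as Google requires: scheme, host and path all count.
// URL.href lower-cases the host and turns an empty path into "/".
const canon = (u: string): string => new URL(u).href;
const originOf = (u: string): string => new URL(u).origin;

function checkOAuthOrigins(cfg: OAuthOriginConfig): string[] {
  const problems: string[] = [];
  const front = canon(cfg.frontendUrl);
  const idpResponse = canon(`${cfg.cognitoDomain}/oauth2/idpresponse`);
  // 1. The front-end origin must be an authorised JavaScript origin.
  if (!cfg.googleJsOrigins.map(originOf).includes(originOf(cfg.frontendUrl))) {
    problems.push(`Google JS origins lack ${originOf(cfg.frontendUrl)}`);
  }
  // 2. Cognito's idpresponse endpoint must be an authorised redirect URI.
  if (!cfg.googleRedirectUris.map(canon).includes(idpResponse)) {
    problems.push(`Google redirect URIs lack ${idpResponse}`);
  }
  // 3. Cognito's callback and logout URLs must include the front-end URL.
  if (!cfg.callbackUrls.map(canon).includes(front)) {
    problems.push(`callbackUrls lack ${front}`);
  }
  if (!cfg.logoutUrls.map(canon).includes(front)) {
    problems.push(`logoutUrls lack ${front}`);
  }
  return problems;
}

// Constructed sample mirroring the question: FRONTEND_URL now points at the
// custom domain, but Google Cloud still only knows the Cognito domain.
const cognito = 'https://example-pool.auth.us-west-2.amazoncognito.com';
const brokenConfig: OAuthOriginConfig = {
  frontendUrl: 'https://app.example.com',
  cognitoDomain: cognito,
  googleJsOrigins: [cognito],
  googleRedirectUris: [`${cognito}/oauth2/idpresponse`],
  callbackUrls: ['https://app.example.com'],
  logoutUrls: ['https://app.example.com/'],   // trailing slash still matches
};
console.log(checkOAuthOrigins(brokenConfig));
```

Running it on the sample prints the single missing entry; once the custom domain is added to the Google JavaScript origins the list is empty, while a redirect URI that differs only by path is still reported.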


1 Comment

Does having a different domain in the frontend vs the backend affect it? I was able to make it work but I'm not sure if having the backend with the old .amplifyapp.com domain was preventing it from working. I get your point, and after adding the custom domain to Google Cloud's Authorized JS Origins I was able to make it work, but I'm just not sure if the AWS domain part was also causing this bug.
