Tags: amazon-web-services, react-native, amazon-cognito, aws-amplify

Google external provider redirect is coming from a different origin error


I have an Amplify Gen 2 app with Google SSO.

When developing locally and when using AWS generated domains like https://dev.app_id.amplifyapp.com Google SSO works great.

On the Google Cloud credentials page I have set the Authorized JavaScript origins to https://cognito_id.auth.us-west-2.amazoncognito.com and the Authorized redirect URIs to https://cognito_id.auth.us-west-2.amazoncognito.com/oauth2/idpresponse.

This is my defineAuth resource file:

import { defineAuth, secret } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      google: {
        clientId: secret('GOOGLE_CLIENT_ID'),
        clientSecret: secret('GOOGLE_CLIENT_SECRET'),
        scopes: ['email', 'profile'],
        attributeMapping: {
          givenName: 'given_name',
          familyName: 'family_name',
        },
      },
      // URLs Cognito may redirect the browser back to after sign-in / sign-out
      callbackUrls: [process.env.FRONTEND_URL!],
      logoutUrls: [process.env.FRONTEND_URL!],
    },
  },
  // ...
});

Where FRONTEND_URL is an env variable that holds the URL of the client. When using AWS generated domains, the value is https://dev.app_id.amplifyapp.com.

The issue is that when I added a custom domain to my frontend code, I also updated FRONTEND_URL in my backend env variable, but now when pressing the Google Sign In or Google Sign Up button, I get this error:

redirect is coming from a different origin. The oauth flow needs to be initiated from the same origin

Can you please let me know what I'm doing wrong? I'm using @aws-amplify/ui-react-native for the frontend UI.


Solution

  • This error is basically an origin/redirect mismatch in the OAuth flow. When using Google as an external provider with AWS Cognito or Amplify, you must ensure that:

    1. The front-end domain (custom domain) from which the OAuth initiation happens is registered in Google Cloud’s Authorized JavaScript origins.

    2. The redirect URI that Cognito is going to use (callback URL) is present in the Authorized redirect URIs list in the Google Cloud Console, matching exactly (including scheme, domain, path).

    3. On the AWS side (Cognito User Pool or Amplify Auth config), the callbackUrls (for sign-in) and logoutUrls etc. must include the custom domain.

    4. If you change the front-end domain (e.g., move from AWS generated to custom), you must update both the front-end and the Google OAuth settings.

    Without that, Google rejects the request because it sees it coming from an origin that’s not registered (violating its OAuth security policy).
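The exact-match rule in points 2 and 3 above is the part that usually bites when a custom domain is added: scheme, host and port all have to agree, and a single FRONTEND_URL value can only name one of the two front-end domains. The following is an added example (not code from the question or from Amplify) that builds the callbackUrls/logoutUrls arrays for defineAuth from an assumed comma-separated FRONTEND_URLS variable, refuses non-HTTPS values (except http://localhost for local development), and performs the same origin comparison Google applies when deciding whether the page that started the flow is registered. The host names are constructed placeholders.

```typescript
// Added example: not part of the original question or of @aws-amplify/backend.
// FRONTEND_URLS (assumed name) is a comma-separated list such as
// "https://dev.d1example.amplifyapp.com,https://app.example.com".

export interface RedirectConfig {
  callbackUrls: string[];
  logoutUrls: string[];
}

// Normalize one URL to scheme://host[:port]/path with no trailing slash so
// that "https://app.example.com/" and "https://app.example.com" compare equal.
export function normalizeUrl(raw: string): string {
  const u = new URL(raw.trim()); // throws on relative or malformed values
  const isLocalDev = u.protocol === 'http:' && u.hostname === 'localhost';
  if (u.protocol !== 'https:' && !isLocalDev) {
    throw new Error(`Refusing non-HTTPS redirect URL: ${raw}`);
  }
  const path = u.pathname.replace(/\/+$/, '');
  return `${u.origin}${path}`;
}

// Build the arrays that go into defineAuth({ loginWith: { externalProviders:
// { callbackUrls, logoutUrls } } }). Duplicates are collapsed after normalization.
export function buildRedirectConfig(frontendUrls: string): RedirectConfig {
  const urls = Array.from(
    new Set(
      frontendUrls
        .split(',')
        .filter((s) => s.trim() !== '')
        .map(normalizeUrl),
    ),
  );
  if (urls.length === 0) {
    throw new Error('FRONTEND_URLS must list at least one URL');
  }
  return { callbackUrls: urls, logoutUrls: urls };
}

// True when the page that initiates the OAuth flow has exactly the same
// origin (scheme + host + port) as one of the registered callback URLs.
export function originIsRegistered(initiatingUrl: string, callbackUrls: string[]): boolean {
  const origin = new URL(initiatingUrl).origin;
  return callbackUrls.some((c) => new URL(c).origin === origin);
}

// Human-readable diagnosis for the "redirect is coming from a different origin" case.
export function explainMismatch(initiatingUrl: string, config: RedirectConfig): string {
  if (originIsRegistered(initiatingUrl, config.callbackUrls)) {
    return 'ok';
  }
  const origin = new URL(initiatingUrl).origin;
  return (
    `origin ${origin} is not among callbackUrls; add it to FRONTEND_URLS ` +
    `and to the Google Cloud authorized JavaScript origins`
  );
}

// Constructed sample: AWS generated domain plus a custom domain.
const sampleConfig = buildRedirectConfig(
  'https://dev.d1example.amplifyapp.com/, https://app.example.com',
);
console.log(sampleConfig);
console.log(explainMismatch('https://www.example.com/login', sampleConfig));
```

Passing `sampleConfig.callbackUrls` and `sampleConfig.logoutUrls` into defineAuth registers both domains with Cognito at once; the same two origins still have to be added on the Google Cloud side, and the Cognito /oauth2/idpresponse URL remains the only redirect URI Google needs.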