feat(auth): add support for cognito oidc parameters in managed login

Author: thisisabhash

packages/auth/amplify_auth_cognito/lib/src/flows/hosted_ui/hosted_ui_platform_flutter.dart

@@ -94,6 +94,11 @@ class HostedUiPlatformImpl extends io.HostedUiPlatformImpl {
         signInRedirectUri.scheme,
         options.isPreferPrivateSession,
         options.browserPackageName,
+        options.nonce,
+        options.language,
+        options.loginHint,
+        options.prompt?.map((obj) => obj.value).toList(),
+        options.resource
       );
       dispatcher
           .dispatch(

packages/auth/amplify_auth_cognito/lib/src/native_auth_plugin.g.dart

@@ -21,7 +21,8 @@ platforms:
 dependencies:
   amplify_analytics_pinpoint: ">=2.7.0 <2.8.0"
   amplify_analytics_pinpoint_dart: ">=0.4.12 <0.5.0"
-  amplify_auth_cognito_dart: ">=0.11.14 <0.12.0"
+  amplify_auth_cognito_dart:
+    path: ../amplify_auth_cognito_dart
   amplify_core: ">=2.7.0 <2.8.0"
   amplify_flutter: ">=2.7.0 <2.8.0"
   amplify_secure_storage: ">=0.5.13 <0.6.0"

packages/auth/amplify_auth_cognito/pubspec.yaml

@@ -40,6 +40,7 @@ export 'src/model/signin/cognito_confirm_sign_in_plugin_options.dart';
 export 'src/model/signin/cognito_sign_in_plugin_options.dart';
 export 'src/model/signin/cognito_sign_in_result.dart';
 export 'src/model/signin/cognito_sign_in_with_web_ui_plugin_options.dart';
+export 'src/model/signin/cognito_sign_in_with_web_ui_plugin_options_prompt.dart';
 export 'src/model/signout/cognito_sign_out_plugin_options.dart';
 export 'src/model/signout/cognito_sign_out_result.dart';
 export 'src/model/signup/cognito_confirm_sign_up_plugin_options.dart';

packages/auth/amplify_auth_cognito_dart/lib/amplify_auth_cognito_dart.dart

@@ -1,6 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+import 'package:amplify_auth_cognito_dart/amplify_auth_cognito_dart.dart';
 import 'package:amplify_core/amplify_core.dart';
 // ignore: implementation_imports
 import 'package:amplify_core/src/config/amplify_outputs/auth/oauth_outputs.dart';
@@ -26,7 +27,7 @@ extension HostedUiConfig on OAuthOutputs {
   /// References:
   /// - https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
   /// - https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
-  Uri signInUri([AuthProvider? provider]) {
+  Uri signInUri([AuthProvider? provider, CognitoSignInWithWebUIPluginOptions? options]) {
     Uri baseUri;
     // ignore: invalid_use_of_internal_member
     if (this.signInUri != null) {
@@ -35,9 +36,20 @@ extension HostedUiConfig on OAuthOutputs {
     } else {
       baseUri = _webDomain.replace(path: '/oauth2/authorize');
     }
+
+    final nonce = options?.nonce;
+    final language = options?.language;
+    final loginHint = options?.loginHint;
+    final prompt = options?.prompt?.map((obj) => obj.value).toList().join(' ');
+    final resource = options?.resource;
     return baseUri.replace(
       queryParameters: <String, String>{
         if (provider != null) 'identity_provider': provider.uriParameter,
+        if (nonce != null) 'nonce': nonce,
+        if (language != null) 'lang': language,
+        if (loginHint != null) 'login_hint': loginHint,
+        if (prompt != null) 'prompt': prompt,
+        if (resource != null) 'resource': resource,
         // ignore: invalid_use_of_internal_member
         ...?signInUriQueryParameters,
       },

packages/auth/amplify_auth_cognito_dart/lib/src/flows/hosted_ui/hosted_ui_config.dart

@@ -102,7 +102,7 @@ abstract class HostedUiPlatform implements Closeable {
   @protected
   @visibleForTesting
   @nonVirtual
-  Future<Uri> getSignInUri({Uri? redirectUri, AuthProvider? provider}) async {
+  Future<Uri> getSignInUri({Uri? redirectUri, AuthProvider? provider, CognitoSignInWithWebUIPluginOptions? options}) async {
     final state = generateState();
     final codeVerifier = createCodeVerifier();
 
@@ -124,6 +124,7 @@ abstract class HostedUiPlatform implements Closeable {
       codeVerifier: codeVerifier,
       httpClient: httpClient,
       provider: provider,
+      options: options
     );
     final uri = _authCodeGrant!.getAuthorizationUrl(
       redirectUri ?? signInRedirectUri,
@@ -162,12 +163,13 @@ abstract class HostedUiPlatform implements Closeable {
     String userPoolClientId, {
     String? appClientSecret,
     AuthProvider? provider,
+    CognitoSignInWithWebUIPluginOptions? options,
     String? codeVerifier,
     http.Client? httpClient,
   }) {
     return oauth2.AuthorizationCodeGrant(
       userPoolClientId,
-      HostedUiConfig(authOutputs.oauth!).signInUri(provider),
+      HostedUiConfig(authOutputs.oauth!).signInUri(provider, options),
       HostedUiConfig(authOutputs.oauth!).tokenUri,
       secret: appClientSecret,
       httpClient: httpClient,

packages/auth/amplify_auth_cognito_dart/lib/src/flows/hosted_ui/hosted_ui_platform.dart

@@ -54,7 +54,7 @@ class HostedUiPlatformImpl extends HostedUiPlatform {
     required CognitoSignInWithWebUIPluginOptions options,
     AuthProvider? provider,
   }) async {
-    final signInUrl = (await getSignInUri(provider: provider)).toString();
+    final signInUrl = (await getSignInUri(provider: provider, options: options)).toString();
     await launchUrl(signInUrl);
   }
 

packages/auth/amplify_auth_cognito_dart/lib/src/flows/hosted_ui/hosted_ui_platform_html.dart

@@ -216,6 +216,7 @@ class HostedUiPlatformImpl extends HostedUiPlatform {
     try {
       final signInUrl = (await getSignInUri(
         provider: provider,
+        options: options,
         redirectUri: localServer.uri,
       )).toString();
       await launchUrl(signInUrl);

packages/auth/amplify_auth_cognito_dart/lib/src/flows/hosted_ui/hosted_ui_platform_io.dart

@@ -1,6 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+import 'package:amplify_auth_cognito_dart/src/model/signin/cognito_sign_in_with_web_ui_plugin_options_prompt.dart';
 import 'package:amplify_core/amplify_core.dart';
 
 part 'cognito_sign_in_with_web_ui_plugin_options.g.dart';
@@ -14,6 +15,11 @@ class CognitoSignInWithWebUIPluginOptions extends SignInWithWebUIPluginOptions {
   const CognitoSignInWithWebUIPluginOptions({
     this.isPreferPrivateSession = false,
     this.browserPackageName,
+    this.nonce,
+    this.language,
+    this.loginHint,
+    this.prompt,
+    this.resource
   });
 
   /// {@macro amplify_auth_cognito.model.cognito_sign_in_with_web_ui_plugin_options}
@@ -40,8 +46,42 @@ class CognitoSignInWithWebUIPluginOptions extends SignInWithWebUIPluginOptions {
   /// {@endtemplate}
   final String? browserPackageName;
 
+  /// {@template amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.nonce}
+  /// A random value that you can add to the request. The nonce value that you provide is included in the ID token
+  /// that Amazon Cognito issues. To guard against replay attacks, your app can inspect the nonce claim in the ID
+  /// token and compare it to the one you generated. 
+  /// {@endtemplate}
+  final String? nonce;
+
+  /// {@template amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.language}
+  /// The language that you want to display user-interactive pages in
+  /// For more information, see Managed login localization -
+  /// https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization
+  /// {@endtemplate}
+  final String? language;
+
+  /// {@template amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.loginHint}
+  /// A username prompt that you want to pass to the authorization server. You can collect a username, email
+  /// address or phone number from your user and allow the destination provider to pre-populate the user's
+  /// sign-in name.
+  /// {@endtemplate}
+  final String? loginHint;
+
+  /// {@template amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.prompt}
+  /// An OIDC parameter that controls authentication behavior for existing sessions.
+  /// {@endtemplate}
+  final List<CognitoSignInWithWebUIPrompt>? prompt;
+
+  /// {@template amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.resource}
+  /// The identifier of a resource that you want to bind to the access token in the `aud` claim. When you include
+  /// this parameter, Amazon Cognito validates that the value is a URL and sets the audience of the resulting
+  /// access token to the requested resource. Values for this parameter must begin with "https://", "http://localhost",
+  /// or a custom URL scheme like "myapp://".
+  /// {@endtemplate}
+  final String? resource;
+
   @override
-  List<Object?> get props => [isPreferPrivateSession, browserPackageName];
+  List<Object?> get props => [isPreferPrivateSession, browserPackageName, nonce, language, loginHint, prompt, resource];
 
   @override
   String get runtimeTypeName => 'CognitoSignInWithWebUIPluginOptions';

packages/auth/amplify_auth_cognito_dart/lib/src/model/signin/cognito_sign_in_with_web_ui_plugin_options.dart

@@ -0,0 +1,38 @@
+import 'package:json_annotation/json_annotation.dart';
+
+/// {@macro amplify_auth_cognito.model.cognito_sign_in_with_web_ui_options.prompt}
+enum CognitoSignInWithWebUIPrompt {
+  /// Amazon Cognito silently continues authentication for users who have a valid authenticated session.
+  /// With this prompt, users can silently authenticate between different app clients in your user pool.
+  /// If the user is not already authenticated, the authorization server returns a login_required error.
+  @JsonValue('none')
+  none('none'),
+
+  /// Amazon Cognito requires users to re-authenticate even if they have an existing session. Send this
+  /// value when you want to verify the user's identity again. Authenticated users who have an existing
+  /// session can return to sign-in without invalidating that session. When a user who has an existing
+  /// session signs in again, Amazon Cognito assigns them a new session cookie. This parameter can also
+  /// be forwarded to your IdPs. IdPs that accept this parameter also request a new authentication
+  /// attempt from the user.
+  @JsonValue('login')
+  login('login'),
+
+  /// This value has no effect on local sign-in and must be submitted in requests that redirect to IdPs.
+  /// When included in your authorization request, this parameter adds prompt=select_account to the URL
+  /// path for the IdP redirect destination. When IdPs support this parameter, they request that users
+  /// select the account that they want to log in with.
+  @JsonValue('select_account')
+  selectAccount('select_account'),
+
+  /// This value has no effect on local sign-in and must be submitted in requests that redirect to IdPs.
+  /// When included in your authorization request, this parameter adds prompt=consent to the URL path for
+  /// the IdP redirect destination. When IdPs support this parameter, they request user consent before
+  /// they redirect back to your user pool.
+  @JsonValue('consent')
+  consent('consent');
+
+  const CognitoSignInWithWebUIPrompt(this.value);
+
+  /// String value for the enumeration
+  final String value;
+}