feat(auth): add prompt parameter to signInWithRedirect (#14464)

* feat(auth): add prompt parameter to signInWithRedirect

Author: adrianjoshua-strutt

packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts

@@ -24,6 +24,7 @@ import { createOAuthError } from '../../../src/providers/cognito/utils/oauth/cre
 import { signInWithRedirect } from '../../../src/providers/cognito/apis/signInWithRedirect';
 import type { OAuthStore } from '../../../src/providers/cognito/utils/types';
 import { mockAuthConfigWithOAuth } from '../../mockData';
+import { type AuthPrompt } from '../../../src/types/inputs';
 
 jest.mock('@aws-amplify/core/internals/utils', () => ({
 	...jest.requireActual('@aws-amplify/core/internals/utils'),
@@ -107,6 +108,13 @@ describe('signInWithRedirect', () => {
 	const mockCodeChallenge = 'code_challenge';
 	const mockToCodeChallenge = jest.fn(() => mockCodeChallenge);
 
+	const promptTypes = [
+		'NONE',
+		'LOGIN',
+		'CONSENT',
+		'SELECT_ACCOUNT',
+	] as const satisfies readonly AuthPrompt[];
+
 	beforeAll(() => {
 		mockGenerateState.mockReturnValue(mockState);
 		mockGenerateCodeVerifier.mockReturnValue({
@@ -189,6 +197,42 @@ describe('signInWithRedirect', () => {
 		expect(mockUrlSafeEncode).toHaveBeenCalledWith(expectedCustomState);
 	});
 
+	it('includes prompt parameter in authorization URL', async () => {
+		for (const prompt of promptTypes) {
+			const expectedCustomProvider = 'PieAuth';
+			await signInWithRedirect({
+				provider: { custom: expectedCustomProvider },
+				options: { prompt },
+			});
+			const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
+			const cognitoPrompt = prompt.toLowerCase();
+			expect(oauthUrl).toStrictEqual(
+				`https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&prompt=${cognitoPrompt}&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+			);
+			mockOpenAuthSession.mockClear();
+		}
+	});
+
+	it('calls assertUserNotAuthenticated based on prompt value', async () => {
+		for (const prompt of promptTypes) {
+			const expectedCustomProvider = 'PieAuth';
+			await signInWithRedirect({
+				provider: { custom: expectedCustomProvider },
+				options: { prompt },
+			});
+
+			expect(mockAssertUserNotAuthenticated).not.toHaveBeenCalled();
+
+			mockAssertUserNotAuthenticated.mockClear();
+			mockOpenAuthSession.mockClear();
+		}
+
+		// Test no options at all
+		await signInWithRedirect();
+		expect(mockAssertUserNotAuthenticated).toHaveBeenCalled();
+		mockAssertUserNotAuthenticated.mockClear();
+	});
+
 	describe('specifications on Web', () => {
 		describe('side effect', () => {
 			it('attaches oauth listener to the Amplify singleton', async () => {

packages/auth/src/providers/cognito/apis/signInWithRedirect.ts

@@ -41,7 +41,10 @@ export async function signInWithRedirect(
 	assertTokenProviderConfig(authConfig);
 	assertOAuthConfig(authConfig);
 	oAuthStore.setAuthConfig(authConfig);
-	await assertUserNotAuthenticated();
+
+	if (!input?.options?.prompt) {
+		await assertUserNotAuthenticated();
+	}
 
 	let provider = 'COGNITO'; // Default
 
@@ -61,6 +64,7 @@ export async function signInWithRedirect(
 			loginHint: input?.options?.loginHint,
 			lang: input?.options?.lang,
 			nonce: input?.options?.nonce,
+			prompt: input?.options?.prompt,
 		},
 	});
 }
@@ -81,7 +85,7 @@ const oauthSignIn = async ({
 	options?: SignInWithRedirectInput['options'];
 }) => {
 	const { domain, redirectSignIn, responseType, scopes } = oauthConfig;
-	const { loginHint, lang, nonce } = options ?? {};
+	const { loginHint, lang, nonce, prompt } = options ?? {};
 	const randomState = generateState();
 
 	/* encodeURIComponent is not URL safe, use urlSafeEncode instead. Cognito
@@ -111,6 +115,7 @@ const oauthSignIn = async ({
 		...(loginHint && { login_hint: loginHint }),
 		...(lang && { lang }),
 		...(nonce && { nonce }),
+		...(prompt && { prompt: prompt.toLowerCase() }), // Cognito expects lowercase prompt values
 		state,
 		...(responseType === 'code' && {
 			code_challenge: toCodeChallenge(),

packages/auth/src/types/inputs.ts

@@ -54,6 +54,18 @@ export interface AuthSignOutInput {
 
 export type AuthProvider = 'Amazon' | 'Apple' | 'Facebook' | 'Google';
 
+/**
+ * OIDC prompt parameter that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+ *
+ * - `'NONE'` - No authentication or consent UI will be displayed
+ * - `'LOGIN'` - Force user to re-authenticate even if they have a valid session
+ * - `'CONSENT'` - Force user to consent to sharing information with the client
+ * - `'SELECT_ACCOUNT'` - Prompt user to select among multiple authenticated accounts
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+ */
+export type AuthPrompt = 'NONE' | 'LOGIN' | 'CONSENT' | 'SELECT_ACCOUNT';
+
 export interface AuthSignInWithRedirectInput {
 	provider?: AuthProvider | { custom: string };
 	customState?: string;
@@ -95,6 +107,12 @@ export interface AuthSignInWithRedirectInput {
 		 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
 		 */
 		nonce?: string;
+
+		/**
+		 * An OIDC parameter that controls authentication behavior for existing sessions. It can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. Available in the managed login branding version only, not in the classic hosted UI.
+		 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+		 */
+		prompt?: AuthPrompt;
 	};
 }