From ac981ecbe8326baff9eea8c1b7faf464a0cee1bc Mon Sep 17 00:00:00 2001
From: Dan Kiuna
Date: Thu, 29 May 2025 20:49:17 -0500
Subject: [PATCH 1/4] add a boolean to input options when calling signInWithRedirect; forces the account selector screen in idp
---
 .../auth/src/providers/cognito/apis/signInWithRedirect.ts | 4 ++++
 packages/auth/src/types/inputs.ts | 6 ++++++
 2 files changed, 10 insertions(+)
diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
index bac92589dc8..ad72a539edd 100644
--- a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
+++ b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
@@ -55,6 +55,7 @@ export async function signInWithRedirect(
 oauthConfig: authConfig.loginWith.oauth,
 clientId: authConfig.userPoolClientId,
 provider,
+ requireSignIn: input?.options?.requireSignIn,
 customState: input?.customState,
 preferPrivateSession: input?.options?.preferPrivateSession,
 options: {
@@ -69,6 +70,7 @@ const oauthSignIn = async ({
 oauthConfig,
 provider,
 clientId,
+ requireSignIn,
 customState,
 preferPrivateSession,
 options,
@@ -76,6 +78,7 @@ const oauthSignIn = async ({
 oauthConfig: OAuthConfig;
 provider: string;
 clientId: string;
+ requireSignIn?: boolean;
 customState?: string;
 preferPrivateSession?: boolean;
 options?: SignInWithRedirectInput['options'];
@@ -102,6 +105,7 @@ const oauthSignIn = async ({
 oAuthStore.storePKCE(value);
 const queryString = Object.entries({
+ prompt: requireSignIn ? 'login': 'none',
 redirect_uri: redirectUri,
 response_type: responseType,
 client_id: clientId,
diff --git a/packages/auth/src/types/inputs.ts b/packages/auth/src/types/inputs.ts
index 81ea27e6b88..04076346e41 100644
--- a/packages/auth/src/types/inputs.ts
+++ b/packages/auth/src/types/inputs.ts
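Review bot: In the `@@ -102` hunk of signInWithRedirect.ts, `prompt: requireSignIn ? 'login': 'none',` sends `prompt=none` for every caller that leaves the new option unset, so the default authorize request changes for all existing integrations rather than only for callers that opt in. Under OIDC, `prompt=none` asks the authorization server to show no login or consent UI and to answer with an error such as `login_required` when no session exists, so a first interactive sign-in would presumably fail instead of reaching the hosted page. Send the parameter only when the flag is set, e.g. `...(requireSignIn ? { prompt: 'login' } : {}),`. The expected URLs updated in the later test hunks (`@@ -157`, `@@ -170`, `@@ -179`, `@@ -324`) pin the same `prompt=none` default and would need to drop it. `oauthSignIn` continues outside the hunk, so how the entries are filtered and encoded is not visible here.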
@@ -95,6 +95,12 @@ export interface AuthSignInWithRedirectInput {
 * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
 */
 nonce?: string;
+
+ /**
+ * A flag to use if you want to force the user to sign in again or view the account selector screen.
+ * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+ */
+ requireSignIn?: boolean;
 };
 }
From 4f706385b2d4d2f5b1fd9ee5142aa8b17ea2e013 Mon Sep 17 00:00:00 2001
From: Dan Kiuna
Date: Fri, 30 May 2025 15:04:07 -0500
Subject: [PATCH 2/4] lint fixes
---
 packages/auth/src/providers/cognito/apis/signInWithRedirect.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
index ad72a539edd..0e666e24926 100644
--- a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
+++ b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
@@ -105,7 +105,7 @@ const oauthSignIn = async ({
 oAuthStore.storePKCE(value);
 const queryString = Object.entries({
- prompt: requireSignIn ? 'login': 'none',
+ prompt: requireSignIn ? 'login' : 'none',
 redirect_uri: redirectUri,
 response_type: responseType,
 client_id: clientId,
From 4748b4155788af94e1abaf774a6c48fa0c739a12 Mon Sep 17 00:00:00 2001
From: Dan Kiuna
Date: Sat, 31 May 2025 13:29:15 -0500
Subject: [PATCH 3/4] add unit test to check for requireSignIn
---
 .../cognito/signInWithRedirect.test.ts | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
index 0714c091278..05d800f7506 100644
--- a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
+++ b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
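Review bot: The doc comment added for `requireSignIn` in the `@@ -95` hunk of inputs.ts says the flag forces a new sign-in "or view the account selector screen", but the only value the series sends when it is true is `prompt=login`; account selection is a separate OIDC prompt value (`select_account`) that is never emitted. The comment also does not say what omitting the flag does, which matters because the implementation then sends `prompt=none`. It is worth stating that this is a request hint carried in the browser-visible authorize URL, not an enforcement: code that needs a fresh login before a sensitive action should check the `auth_time` claim of the returned ID token. Suggested wording: `Requests re-authentication at the identity provider (sent as prompt=login) even when a session exists. This is a hint, not a guarantee; verify auth_time where freshness matters.`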
@@ -157,7 +157,7 @@ describe('signInWithRedirect', () => {
 const [oauthUrl, redirectSignIn, preferPrivateSession] = mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- 'https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=Google&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256',
+ 'https://oauth.domain.com/oauth2/authorize?prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=Google&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256',
 );
 expect(redirectSignIn).toEqual(
 mockAuthConfigWithOAuth.Auth.Cognito.loginWith.oauth.redirectSignIn,
@@ -170,7 +170,7 @@ describe('signInWithRedirect', () => {
 await signInWithRedirect();
 const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- `https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedDefaultProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ `https://oauth.domain.com/oauth2/authorize?prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedDefaultProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
 );
 });
@@ -179,7 +179,7 @@ describe('signInWithRedirect', () => {
 await signInWithRedirect({ provider: { custom: expectedCustomProvider } });
 const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- `https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ `https://oauth.domain.com/oauth2/authorize?prompt=none&rredirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
 );
 });
@@ -189,6 +189,18 @@ describe('signInWithRedirect', () => {
 expect(mockUrlSafeEncode).toHaveBeenCalledWith(expectedCustomState);
 });
+ it('uses "login" as the prompt query param value to when require sign in is true', async () => {
+ const expectedCustomProvider = 'PieAuth';
+ await signInWithRedirect({
+ provider: { custom: expectedCustomProvider },
+ options: { requireSignIn: true },
+ });
+ const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
+ expect(oauthUrl).toStrictEqual(
+ `https://oauth.domain.com/oauth2/authorize?prompt=login&rredirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ );
+ });
+
 describe('specifications on Web', () => {
 describe('side effect', () => {
 it('attaches oauth listener to the Amplify singleton', async () => {
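Review bot: The test added in the `@@ -189` hunk compares the whole authorize URL, so it breaks on any parameter reordering and does not isolate the one value it is about; asserting on the parsed parameter, `expect(new URL(oauthUrl).searchParams.get('prompt')).toBe('login');`, states the intent directly. The title has a stray word ("value to when"); something like `it('sends prompt=login when requireSignIn is true', async () => {` reads cleanly. There is also no companion case for an explicit `options: { requireSignIn: false }`, so the other side of the flag is only covered incidentally by the default-URL assertions in the neighbouring tests.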
@@ -324,7 +336,7 @@ describe('signInWithRedirect', () => {
 mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- 'https://oauth.domain.com/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=Google&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&login_hint=someone%40gmail.com&lang=en&nonce=88388838883&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256',
+ 'https://oauth.domain.com/oauth2/authorize?prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=Google&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&login_hint=someone%40gmail.com&lang=en&nonce=88388838883&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256',
 );
 expect(redirectSignIn).toEqual(
 mockAuthConfigWithOAuth.Auth.Cognito.loginWith.oauth.redirectSignIn,
From f9a6de7d390d9e412f29c96378fe53169a950fb1 Mon Sep 17 00:00:00 2001
From: Dan Kiuna
Date: Sat, 31 May 2025 13:30:57 -0500
Subject: [PATCH 4/4] fix typo
---
 .../__tests__/providers/cognito/signInWithRedirect.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
index 05d800f7506..fcbd01de66a 100644
--- a/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
+++ b/packages/auth/__tests__/providers/cognito/signInWithRedirect.test.ts
@@ -179,7 +179,7 @@ describe('signInWithRedirect', () => {
 await signInWithRedirect({ provider: { custom: expectedCustomProvider } });
 const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- `https://oauth.domain.com/oauth2/authorize?prompt=none&rredirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ `https://oauth.domain.com/oauth2/authorize?prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
 );
 });
@@ -197,7 +197,7 @@ describe('signInWithRedirect', () => {
 });
 const [oauthUrl] = mockOpenAuthSession.mock.calls[0];
 expect(oauthUrl).toStrictEqual(
- `https://oauth.domain.com/oauth2/authorize?prompt=login&rredirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
+ `https://oauth.domain.com/oauth2/authorize?prompt=login&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code&client_id=userPoolClientId&identity_provider=${expectedCustomProvider}&scope=phone%20email%20openid%20profile%20aws.cognito.signin.user.admin&state=oauth_state&code_challenge=code_challenge&code_challenge_method=S256`,
 );
 });