From 118410088d115f7390ce4f3eea2787db8cc8a7ee Mon Sep 17 00:00:00 2001
From: Jon Armen <jarmen@bstglobal.com>
Date: Mon, 9 Jun 2025 11:01:15 -0400
Subject: [PATCH] Added support for idp_identifier query parameter in cognito
 authorizer endpoint

---
 .../auth/src/providers/cognito/apis/signInWithRedirect.ts | 8 +++++++-
 packages/auth/src/types/inputs.ts                         | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
index bac92589dc8..103a7cd969a 100644
--- a/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
+++ b/packages/auth/src/providers/cognito/apis/signInWithRedirect.ts
@@ -44,17 +44,20 @@ export async function signInWithRedirect(
 	await assertUserNotAuthenticated();
 
 	let provider = 'COGNITO'; // Default
+	let isProviderIdpIdentifier: boolean = false;
 
 	if (typeof input?.provider === 'string') {
 		provider = cognitoHostedUIIdentityProviderMap[input.provider];
 	} else if (input?.provider?.custom) {
 		provider = input.provider.custom;
+		isProviderIdpIdentifier = !!input.provider.isIdpIdentifier;
 	}
 
 	return oauthSignIn({
 		oauthConfig: authConfig.loginWith.oauth,
 		clientId: authConfig.userPoolClientId,
 		provider,
+		isProviderIdpIdentifier,
 		customState: input?.customState,
 		preferPrivateSession: input?.options?.preferPrivateSession,
 		options: {
@@ -68,6 +71,7 @@ export async function signInWithRedirect(
 const oauthSignIn = async ({
 	oauthConfig,
 	provider,
+	isProviderIdpIdentifier,
 	clientId,
 	customState,
 	preferPrivateSession,
@@ -75,6 +79,7 @@ const oauthSignIn = async ({
 }: {
 	oauthConfig: OAuthConfig;
 	provider: string;
+	isProviderIdpIdentifier: boolean;
 	clientId: string;
 	customState?: string;
 	preferPrivateSession?: boolean;
@@ -105,7 +110,8 @@ const oauthSignIn = async ({
 		redirect_uri: redirectUri,
 		response_type: responseType,
 		client_id: clientId,
-		identity_provider: provider,
+		...(!isProviderIdpIdentifier && { identity_provider: provider }),
+		...(isProviderIdpIdentifier && { idp_identifier: provider }),
 		scope: scopes.join(' '),
 		// eslint-disable-next-line camelcase
 		...(loginHint && { login_hint: loginHint }),
diff --git a/packages/auth/src/types/inputs.ts b/packages/auth/src/types/inputs.ts
index 81ea27e6b88..b8f26f220d1 100644
--- a/packages/auth/src/types/inputs.ts
+++ b/packages/auth/src/types/inputs.ts
@@ -55,7 +55,7 @@ export interface AuthSignOutInput {
 export type AuthProvider = 'Amazon' | 'Apple' | 'Facebook' | 'Google';
 
 export interface AuthSignInWithRedirectInput {
-	provider?: AuthProvider | { custom: string };
+	provider?: AuthProvider | { custom: string; isIdpIdentifier?: boolean };
 	customState?: string;
 	options?: {
 		/**