enable-oauth-listener does not store a user session

[kalzoo]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Other

Environment information

# Put output below this line

  System:
    OS: macOS 15.4.1
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.11.1 - /usr/local/bin/node
    Yarn: 1.22.19 - ~/.yarn/bin/yarn
    npm: 10.2.4 - /usr/local/bin/npm
    pnpm: 10.10.0 - /usr/local/bin/pnpm
    Watchman: 2025.04.14.00 - /opt/homebrew/bin/watchman
  npmPackages:
    @aws-amplify/auth: ^6.12.4 => 6.12.4 
    @aws-amplify/auth/cognito:  undefined ()
    @aws-amplify/auth/cognito/server:  undefined ()
    @aws-amplify/auth/enable-oauth-listener:  undefined ()
    @aws-amplify/auth/server:  undefined ()
    @aws-amplify/core: ^6.11.4 => 6.11.4 
    @aws-amplify/core/internals/adapter-core:  undefined ()
    @aws-amplify/core/internals/aws-client-utils:  undefined ()
    @aws-amplify/core/internals/aws-client-utils/composers:  undefined ()
    @aws-amplify/core/internals/aws-clients/cognitoIdentity:  undefined ()
    @aws-amplify/core/internals/aws-clients/pinpoint:  undefined ()
    @aws-amplify/core/internals/providers/pinpoint:  undefined ()
    @aws-amplify/core/internals/utils:  undefined ()
    @aws-amplify/core/server:  undefined ()
    @aws-amplify/ui-react: ^6.11.1 => 6.11.1 
    @aws-amplify/ui-react-internal:  undefined ()
    @aws-amplify/ui-react-server:  undefined ()
    @eslint/js: ^9.21.0 => 9.26.0 
    @tailwindcss/vite: ^4.1.6 => 4.1.6 
    @types/react: ^19.0.10 => 19.1.3 
    @types/react-dom: ^19.0.4 => 19.1.3 
    @vitejs/plugin-react: ^4.3.4 => 4.4.1 
    @vitejs/plugin-react-swc: ^3.8.0 => 3.9.0 
    autoprefixer: ^10.4.21 => 10.4.21 
    aws-amplify: ^6.14.4 => 6.14.4 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/adapter-core/internals:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/internals:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    eslint: ^9.21.0 => 9.26.0 
    eslint-plugin-react-hooks: ^5.1.0 => 5.2.0 
    eslint-plugin-react-refresh: ^0.4.19 => 0.4.20 
    formik: ^2.4.6 => 2.4.6 
    globals: ^15.15.0 => 15.15.0 (11.12.0, 14.0.0)
    react: ^19.0.0 => 19.1.0 
    react-dom: ^19.0.0 => 19.1.0 
    react-router-dom: ^7.6.0 => 7.6.0 
    tailwindcss: ^4.1.6 => 4.1.6 
    typescript: ~5.7.2 => 5.7.3 
    typescript-eslint: ^8.24.1 => 8.32.0 
    vite: ^6.2.0 => 6.3.5 
    vite-plugin-wasm-pack: ^0.1.12 => 0.1.12 
    zod: ^3.24.4 => 3.24.4 
    zod-formik-adapter: ^1.3.0 => 1.3.0 

Describe the bug

Background

• I am using the Cognito Hosted UI and attempting to integrate Amplify React with it

Authentication Failure

• signInWithRedirect() works as expected. Hosted UI works as expected.
• When the callback is called (URL like http://localhost:5173/auth/callback/cognito?code=54cb747...&state=NzaXyK7...), the network inspector does show a successful request to <cognito_domain>/oauth2/tokens that must be made by Amplify because it is not made by my app itself.
• However, the JWT contained within the response is not stored by Amplify and fetchUserSession continues to return an empty response (even when polled).

I suspect that this is a documentation gap rather than a bug, but without that documentation I cannot know for sure.

Docs issues/omissions

• There is no explicit documentation on integrating Amplify with Cognito's Hosted UI. I already have a number of SAML providers connected to the user pool, that user pool is working and I don't want to duplicate that information within Amplify, especially when Amplify is not working from the start. That approach is the only one documented by Amplify.
  • Searching for Hosted UI in the Amplify docs only turns up admonitions about particular behaviors not supported with the Hosted UI. fetchUserSession has no such note and I would expect session management to still work.
• I cannot find any public documentation on the expected behavior ofaws-amplify/auth/enable-oauth-listener. I only even know that it exists from github issues and gen AI suggestions. Google it to see what I mean.

Expected behavior

• Auth callback from Cognito Hosted UI (with code & state) should be handled and result in an active user session
• Hosted UI + Amplify integration should be directly and explicitly documented

Reproduction steps

1. Configure a Cognito User Pool with a hosted UI and 3rd-party SAML providers
2. Configure a React App with Amplify to use this pool
3. Call signInWithRedirect and successfully sign in
4. See that the callback is not properly handled by Amplify

Code Snippet

App root:

import { StrictMode } from 'react'
import { createRoot } from 'react-dom/client'
import './index.css'
import App from './App.tsx'
import "aws-amplify/auth/enable-oauth-listener";

createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <App />
  </StrictMode>,
)

Log output

// Put your logs below this line

aws-exports.js

No response

Manual configuration

const amplifyConfig = {
  Auth: {
    Cognito: {
      userPoolId: 'us-west-2_..,
      userPoolClientId: '...',
      loginWith: {
        oauth: {
          domain: 'redacted.auth.us-west-2.amazoncognito.com',
          scopes: ['email', 'profile', 'openid'],
          redirectSignIn: ['http://localhost:5173/auth/callback/cognito'],
          redirectSignOut: ['http://localhost:5173/'],
          responseType: 'code' as const
        }
      }
    }
  }
};

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[kalzoo]

Resolved the problem, but this was a poor developer experience and the key issue here about the docs does remain.

I set up an auth listener to discover that there was an event firing on load of the callback page:

event: SignInWithRedirect_failed

AuthUserPoolException: Auth UserPool not configured.
    at http://localhost:5173/node_modules/.vite/deps/chunk-UFXKU7QO.js?v=b4e6b996:212:11
    at assertTokenProviderConfig (http://localhost:5173/node_modules/.vite/deps/chunk-UFXKU7QO.js?v=b4e6b996:422:3)
    at DefaultTokenStore.getLastAuthUserKey (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1076:5)
    at DefaultTokenStore.storeTokens (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1008:50)
    at TokenOrchestrator.setTokens (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1311:33)
    at cacheCognitoTokens (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1516:29)
    at handleCodeFlow (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1626:9)
    at async AmplifyClass.attemptCompleteOAuthFlow (http://localhost:5173/node_modules/.vite/deps/chunk-RQQIP2M2.js?v=b4e6b996:1748:5)

Hm, that's odd for two reasons:

1. the auth pool is clearly configured correctly because the network log shows the token request succeeding. Amplify.get_config() shows the expected output
2. nothing else in Amplify logs this or makes the problem obvious?

The fix to this error was really this simple:

// works
import { Amplify } from 'aws-amplify';

// does not work. fails with "Auth UserPool not configured"
// import { Amplify } from '@aws-amplify/core';

oof.

Team - please - this needs better documentation. The Hosted UI is a first class entity in Cognito. Integration should not rely on the "magic" of an undocumented enable-oauth-listener import.

It would be more healthy, discoverable, and debuggable to offer a React component which the developer can integrate with their router, rather than (again, "magic") import which modifies the app in unknown ways to intercept search params (and then silently fail if there's a misconfiguration...)

if it is documented and I couldn't find it in extensive searching, then that should be made more prominent. I'd suggest and request an explicit page in the Amplify documentation titled "Cognito Hosted UI" which makes all of the moving pieces and steps obvious.

[nadetastic]

Hi @kalzoo thank you for opening this issue. From the looks of it, it seems you were facing some issues with social/external idp sign in but were able to resolve the issue by importing Amplify from aws-amplify.

I do have a few more clarifications and questions for you.

1. Amplify should most definitely be imported from aws-amplify and the configuration done at the entry point of you application. If not, you may experience issues such as what you saw (Auth not configured)
2. The import for enable-oauth-listener is primarily meant for Multi page applications as documented here [2], and since it looks like you are using a Single Page Application (React) you shouldn't need this import.

It's good feedback that the import and usage of Amplify from '@aws-amplify/core' could have some warning, and will discuss it with the team.

Finally, using hosted ui that has already been setup with the SAML or IDP providers with Amplify JS library can be done in two steps [1][3]:

1. Add the Cognito user pool and identity pool into Amplify.configure({...}) (which you have done)
2. Call signInWithRedirect() or specify a provider to bypass the hosted ui

import { signInWithRedirect } from 'aws-amplify/auth';

signInWithRedirect({
	provider:'Amazon' // 'Amazon' | 'Apple' | 'Facebook' | 'Google' | { custom: string }
})

signInWithRedirect({
	provider:{
		custom: 'MyCustomSAMLProvider'
	}
})

If there's anything specific from the current documentation that is missing please let me know.

[1] Setup Frontend - https://docs.amplify.aws/react/build-a-backend/auth/concepts/external-identity-providers/#set-up-your-frontend
[2] Multi-Page applications requirement - https://docs.amplify.aws/react/build-a-backend/auth/concepts/external-identity-providers/#required-for-multi-page-applications-complete-external-sign-in-after-redirect
[3] Custom Providers - https://docs.amplify.aws/gen1/react/build-a-backend/auth/add-social-provider/#custom-providers

[nadetastic]

Hi @kalzoo Im going to go ahead and close out this issue, since there hasn't been an update in a while. Thanks!