On iOS, app users are confused by a warning about `amazoncognito.com` when choosing `Sign-in w/ Google`.

0

For my Unity app named Mogaland, users are served with the following message when they decide to sign-in w/ Google on iOS:

  • "Mogaland" Wants to Use "amazoncognito.com" to Sign In. This allows the app and website to share information about you. Cancel / Continue.

The URL used to reach the AWS Cognito endpoint is built as documented here: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html.

Question: is there a way to have the message rephrased from amazoncognito.com to google.com? That would be less confusing for the users who chose to sign-in w/ Google and have a message about a destination they don't know about...

Thanks, Dom

Note that the mechanism is used to sign-in w/ Apple and no popup appears! I don't understand how Apple can produce a popup for the final IDP being Google and not Apple, when it seems the URL is only about AWS Cognito...

2 Answers
0
Accepted Answer

Answering my own question:

  • Apple displays the message with a domain extracted from the URL used to reach Cognito. There's no way to interfere with the process.
  • However, we can add a custom domain to the Cognito user pool so the URL exposes our own domain. With that update, I can have a message like:

"Mogaland" Wants to Use "mogaland.io" to Sign In. This allows the app and website to share information about you. Cancel / Continue.

  • As Apple cuts the URLs to expose a limited part of it, having different domains like auth.cert.mogaland.io and auth.prod.mogaland.io has no impact on the final user experience.

For CDK users, it's just a matter of calling addDomain():

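    // Imports, assuming CDK v2 (aws-cdk-lib); the snippet runs inside a Stack constructor
    import { UserPool } from 'aws-cdk-lib/aws-cognito';
    import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';

    // Create user pool
    const userPool = new UserPool(this, ..., ...);

    // Set a custom domain for the authorization path
    // (the certificate is an existing ACM certificate referenced by ARN)
    const certificate = Certificate.fromCertificateArn(this, 'domainCert', props.acmCertificateARN);
    const domainName = `auth.${props.stageName}.mogaland.io`;
    userPool.addDomain('Custom Domain', {
        customDomain: {
            domainName,
            certificate,
        }
    });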
Dom_D
answered 3 months ago
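
The following is an added example, not code from the post or from AWS. It builds the `/oauth2/authorize` request that the app hands to `ASWebAuthenticationSession`, showing that the default and the custom domain differ only in the host. It goes beyond the answer by also generating a PKCE challenge and checking `state` on the callback. The client ID, callback scheme and default prefix host are constructed placeholders.

```typescript
import { createHash, randomBytes } from "crypto";

// Constructed placeholders (assumptions, not values from the post).
const DEFAULT_HOST = "example-prefix.auth.us-east-1.amazoncognito.com";
const CUSTOM_HOST = "auth.prod.mogaland.io"; // domain pattern from the answer
const CLIENT_ID = "EXAMPLE_CLIENT_ID";
const REDIRECT_URI = "mogaland://callback";

const b64url = (b: Buffer): string =>
  b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Fresh per sign-in attempt: used for both the PKCE verifier and `state`.
const randomToken = (): string => b64url(randomBytes(32));

// PKCE S256 (RFC 7636): challenge = BASE64URL(SHA-256(verifier)).
function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Builds the /oauth2/authorize URL; only `host` differs between the default
// and the custom domain, and the host is what the iOS prompt is based on.
function buildAuthorizeRequest(host: string, verifier = randomToken(), state = randomToken()) {
  const url = new URL(`https://${host}/oauth2/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    identity_provider: "Google", // go straight to the Google sign-in page
    scope: "openid email",
    state,
    code_challenge: pkceChallenge(verifier),
    code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Accepts the app callback only if it echoes the `state` stored for this attempt.
function extractCode(callbackUrl: string, expectedState: string): string {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get("code");
  if (params.get("state") !== expectedState || !code) {
    throw new Error("callback rejected: state mismatch or missing code");
  }
  return code;
}
```

Keep the returned `verifier` and `state` in memory for the duration of the attempt: the verifier is sent as `code_verifier` when exchanging the code at the token endpoint, and `state` is compared against the callback.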
0

This consent message is created by iOS, therefore you might get better support in an iOS developer forum. Nevertheless, here are some hints which might help you resolve the issue. The message is potentially created by SFAuthenticationSession, which requests consent by design ("If an application uses SFAuthenticationSession, users are prompted by a dialog to give explicit consent, allowing the application to access the website’s data in Safari."). You might be able to remove the message by switching to ASWebAuthenticationSession instead. This one is the successor of SFAuthenticationSession, which is now deprecated.

Michael
answered 3 months ago
  • Thanks Michael.

    I already use ASWebAuthenticationSession to trigger the request to AWS Cognito that will redirect users to the Google sign-in page. The message in the popup is based on the URL passed to ASWebAuthenticationSession.

    I'm going to look at setting a custom domain, so people will see mogaland.io in place of amazoncognito.com just before ending up on the Google Sign-In page.
