(gen2-migration): generate has bugs in the fields of oidc as an Additional Auth Config mode #14812

@dgandhi62

Description

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

na

What operating system are you using?

na

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

na

Describe the bug

When migrating an Amplify Gen 1 GraphQL API with OIDC (OpenID Connect) as an additional authorization provider to Gen 2, the clientId field from the Gen 1 OIDC configuration has no corresponding property in the Gen 2 oidcAuthorizationMode type definition. There is also a bug in the ttl fields. This creates a feature parity gap between Gen 1 and Gen 2 for OIDC auth configuration.

Gen 1 Configuration

In Gen 1, the OIDC configuration in cli-inputs.json includes a openIDClientID field:

{
  "additionalAuthTypes": [
    {
      "mode": "OPENID_CONNECT",
      "openIDProviderName": "Google",
      "openIDIssuerURL": "https://accounts.google.com/",
      "openIDClientID": "<client-id>",
      "openIDAuthTTL": "3600000",
      "openIDIatTTL": "3600000"
    }
  ]
}

This openIDClientID maps to the AppSync clientId in the OpenIDConnectConfig, which is used to validate the aud (audience) claim in the JWT token.

Gen 2 Configuration

In Gen 2, the oidcAuthorizationMode in defineData() does not surface a clientId property. It also creates a 1:1 mapping between seconds and milliseconds, instead of dividing by 10.

authorizationModes: {
  oidcAuthorizationMode: {
    oidcProviderName: 'Google',
    oidcIssuerUrl: 'https://accounts.google.com/',
    // No clientId property available
    tokenExpiryFromAuthInSeconds: 36000,
    tokenExpireFromIssueInSeconds: 36000,
  },
},

Impact

  • Security: Without clientId, AppSync cannot validate the aud claim in OIDC tokens. This means tokens issued by the same OIDC provider for a different application could be accepted, which is a security concern in production.
  • Migration parity: Users migrating from Gen 1 to Gen 2 lose the ability to configure this field, resulting in a less secure setup than what Gen 1 supported.
  • AppSync support: The underlying AppSync OpenIDConnectConfig does support clientId as an optional field, so this is a gap in the Gen 2 abstraction layer, not an AppSync limitation.
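To make the first impact point concrete, here is an added example (not code from the Amplify project or from this issue's author) that models the claim checks an OIDC authorizer performs on a bearer token: issuer match, audience match, and the two TTL windows in seconds. The `clientId` property on the mode object is the one this issue requests, so it is hypothetical here; the tokens are constructed, unsigned JWTs built inline for the demonstration, and signature verification is deliberately left out because the point is the `aud` check. With no `clientId` configured the audience check is skipped, so a token the same issuer minted for a different application is accepted; with it configured, the same token is rejected.

```typescript
// Added example: models the claim checks an OIDC authorizer applies, to show
// what the aud check buys and what is lost without a configured clientId.

interface OidcMode {
  oidcIssuerUrl: string;
  clientId?: string;                  // hypothetical: the property this issue asks for
  tokenExpiryFromAuthInSeconds?: number;
  tokenExpireFromIssueInSeconds?: number;
}

interface JwtClaims {
  iss?: string;
  aud?: string | string[];            // RFC 7519 allows either form
  iat?: number;
  auth_time?: number;
  [claim: string]: unknown;
}

function base64url(obj: object): string {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload segment of a compact JWT without verifying it.
// A real authorizer verifies the signature before trusting any claim.
function decodePayload(token: string): JwtClaims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')) as JwtClaims;
}

// Build a constructed, unsigned token (alg "none") for the checks below.
function makeToken(claims: JwtClaims): string {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(claims)}.`;
}

function checkClaims(mode: OidcMode, token: string, nowSeconds: number): { ok: boolean; reason: string } {
  const c = decodePayload(token);
  // Issuer must match the configured provider; a trailing slash is tolerated.
  if ((c.iss ?? '').replace(/\/$/, '') !== mode.oidcIssuerUrl.replace(/\/$/, '')) {
    return { ok: false, reason: 'issuer mismatch' };
  }
  // The audience check only runs when a clientId is configured.
  if (mode.clientId !== undefined) {
    const aud = Array.isArray(c.aud) ? c.aud : c.aud ? [c.aud] : [];
    if (!aud.includes(mode.clientId)) return { ok: false, reason: 'audience mismatch' };
  }
  // TTL windows, all in seconds.
  if (mode.tokenExpireFromIssueInSeconds !== undefined && typeof c.iat === 'number'
      && nowSeconds - c.iat > mode.tokenExpireFromIssueInSeconds) {
    return { ok: false, reason: 'issued too long ago' };
  }
  if (mode.tokenExpiryFromAuthInSeconds !== undefined && typeof c.auth_time === 'number'
      && nowSeconds - c.auth_time > mode.tokenExpiryFromAuthInSeconds) {
    return { ok: false, reason: 'authenticated too long ago' };
  }
  return { ok: true, reason: 'accepted' };
}

const NOW = 1_700_000_000; // constructed "current time", in seconds

// Constructed token from the same issuer, but minted for a different application.
const otherAppToken = makeToken({
  iss: 'https://accounts.google.com',
  aud: 'other-app.apps.googleusercontent.com',
  iat: NOW - 60,
  auth_time: NOW - 60,
});

const baseMode: OidcMode = {
  oidcIssuerUrl: 'https://accounts.google.com/',
  tokenExpiryFromAuthInSeconds: 3600,
  tokenExpireFromIssueInSeconds: 3600,
};

// Gen 2 today: no clientId, so the other application's token is accepted.
function withoutClientId() {
  return checkClaims(baseMode, otherAppToken, NOW);
}

// With the requested clientId: the same token fails the audience check.
function withClientId() {
  return checkClaims({ ...baseMode, clientId: 'my-app.apps.googleusercontent.com' }, otherAppToken, NOW);
}
```

The issuer comparison strips a trailing slash on both sides because issuer values are often configured with one (as in the Gen 1 snippet above) while the `iss` claim carries none; that is a design choice of this example, not a statement about how AppSync compares them.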

Expected Behavior

The oidcAuthorizationMode type in Gen 2 should expose an optional clientId property:

oidcAuthorizationMode: {
  oidcProviderName: 'Google',
  oidcIssuerUrl: 'https://accounts.google.com/',
  clientId: 'my-app.apps.googleusercontent.com', // optional
  tokenExpiryFromAuthInSeconds: 3600,
  tokenExpireFromIssueInSeconds: 3600,
},
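As an added example of the mapping the expected behavior implies (this is not Amplify's migration code and not the issue author's), the function below converts the OIDC entries of a Gen 1 `cli-inputs.json` into the Gen 2 `oidcAuthorizationMode` shape. It assumes the Gen 1 `openIDAuthTTL` and `openIDIatTTL` values are millisecond counts stored as strings, as in the Gen 1 snippet above, and that the Gen 2 fields are in seconds, as their names say, so it divides by 1000 and rejects non-numeric input instead of producing NaN. The `clientId` target property is the one proposed in this issue, so it is hypothetical; the sample input is constructed inline. When a Gen 1 entry has no `openIDClientID`, the mapper records a warning so the loss of audience validation is visible rather than silent.

```typescript
// Added example: maps a Gen 1 cli-inputs.json OIDC entry to the Gen 2
// oidcAuthorizationMode shape proposed in this issue, with unit conversion.

interface Gen1OidcAuth {
  mode: 'OPENID_CONNECT';
  openIDProviderName: string;
  openIDIssuerURL: string;
  openIDClientID?: string;
  openIDAuthTTL?: string;   // milliseconds, stored as a string in cli-inputs.json (assumption)
  openIDIatTTL?: string;    // milliseconds (assumption)
}

interface Gen2OidcMode {
  oidcProviderName: string;
  oidcIssuerUrl: string;
  clientId?: string;        // hypothetical: the property requested in this issue
  tokenExpiryFromAuthInSeconds?: number;
  tokenExpireFromIssueInSeconds?: number;
}

// Convert a millisecond TTL string to whole seconds; refuse anything that is
// not a non-negative integer so a malformed value cannot become NaN.
function msToSeconds(ms: string | undefined, field: string): number | undefined {
  if (ms === undefined) return undefined;
  if (!/^\d+$/.test(ms)) {
    throw new Error(`${field}: expected a millisecond count, got ${JSON.stringify(ms)}`);
  }
  return Math.floor(Number(ms) / 1000);
}

function migrateOidc(entry: Gen1OidcAuth): { mode: Gen2OidcMode; warnings: string[] } {
  const warnings: string[] = [];
  const mode: Gen2OidcMode = {
    oidcProviderName: entry.openIDProviderName,
    oidcIssuerUrl: entry.openIDIssuerURL,
    tokenExpiryFromAuthInSeconds: msToSeconds(entry.openIDAuthTTL, 'openIDAuthTTL'),
    tokenExpireFromIssueInSeconds: msToSeconds(entry.openIDIatTTL, 'openIDIatTTL'),
  };
  if (entry.openIDClientID) {
    mode.clientId = entry.openIDClientID;
  } else {
    warnings.push('no openIDClientID in the Gen 1 entry: the aud claim will not be validated');
  }
  return { mode, warnings };
}

// Walk every additional auth type and migrate only the OIDC ones.
function migrateAll(cliInputsJson: string): Array<{ mode: Gen2OidcMode; warnings: string[] }> {
  const parsed = JSON.parse(cliInputsJson) as { additionalAuthTypes?: Array<Gen1OidcAuth | { mode: string }> };
  return (parsed.additionalAuthTypes ?? [])
    .filter((a): a is Gen1OidcAuth => a.mode === 'OPENID_CONNECT')
    .map(migrateOidc);
}

// Constructed sample mirroring the Gen 1 snippet in this issue.
const SAMPLE_CLI_INPUTS = JSON.stringify({
  additionalAuthTypes: [
    {
      mode: 'OPENID_CONNECT',
      openIDProviderName: 'Google',
      openIDIssuerURL: 'https://accounts.google.com/',
      openIDClientID: 'my-app.apps.googleusercontent.com',
      openIDAuthTTL: '3600000',
      openIDIatTTL: '3600000',
    },
  ],
});
```

Running `migrateAll(SAMPLE_CLI_INPUTS)` yields a single mode with both TTLs at 3600 seconds and the client ID carried across; dropping `openIDClientID` from the input keeps the TTLs but adds the warning.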

Steps to Reproduce

  1. Create a Gen 1 Amplify app with a GraphQL API
  2. Add OIDC as an additional auth type with a clientId configured
  3. Migrate to Gen 2 using the migration guide
  4. Observe that there is no way to set clientId in the Gen 2 oidcAuthorizationMode

Environment

  • @aws-amplify/backend: ^1.18.0
  • @aws-amplify/backend-data: ^1.6.2
  • aws-cdk-lib: ^2

Expected behavior

NA

Reproduction steps

NA

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
