Page updated Nov 8, 2023

Enable sign-in with web UI


When configuring Social sign-in through the Amplify CLI, it's important to exercise caution when designating attributes as "required." Different social identity providers have varied scopes in terms of the information they respond back to Cognito with. User pool attributes that are initially set up as "required" cannot be changed later, and may require you to migrate the users or create a new user pool.

Configure Auth Category

This library's Cognito plugin currently supports the Authorization Code Grant OAuth Flow.

In terminal, navigate to your project, run amplify add auth (or if you've already added it, run amplify update auth), and choose the following options:

1? Do you want to use the default authentication and security configuration?
2 `Default configuration with Social Provider (Federation)`
3? How do you want users to be able to sign in?
4 `Username`
5? Do you want to configure advanced settings?
6 `No, I am done.`
7? What domain name prefix you want us to create for you?
8 `(default)`
9? Enter your redirect signin URI:
10 `myapp://`
11? Do you want to add another redirect signin URI
12 `Yes`
13? Enter your redirect signin URI:
14 `http://localhost:3000/`
15? Do you want to add another redirect signin URI
16 `No`
17? Enter your redirect signout URI:
18 `myapp://`
19? Do you want to add another redirect signout URI
20 `No`
21? Enter your redirect signout URI:
22 `http://localhost:3000/`
23? Do you want to add another redirect signout URI
24 `No`
25? Select the social providers you want to configure for your user pool:
26 `<hit enter>`

Note that when the CLI asks for the redirect URIs that you want to use, you may need to enter multiple:

How It Works

Sign-in with web UI will display the sign-in UI inside a webview. After the sign-in process is complete, the sign-in UI will redirect back to your app.

Platform Setup


To use Hosted UI in your Flutter web application locally, you must run the app with the --web-port=3000 argument (with the value being whichever port you assigned to localhost host when configuring your redirect URIs).


Add the following queries element to the AndroidManifest.xml file in your app's android/app/src/main directory, as well as the following intent-filter to the MainActivity in the same file.

Replace myapp with your redirect URI scheme as necessary:

2 <intent>
3 <action android:name=
4 "" />
5 </intent>
8 ...
9 <activity
10 android:name=".MainActivity" android:exported="true">
11 <intent-filter>
12 <action android:name="android.intent.action.VIEW" />
13 <category android:name="android.intent.category.DEFAULT" />
14 <category android:name="android.intent.category.BROWSABLE" />
15 <data android:scheme="myapp" />
16 </intent-filter>
17 </activity>
18 ...


Open XCode and enable the App Sandbox capability and then select "Incoming Connections (Server)" under "Network".

Incoming Connections setting selected in the App Sandbox section of the runner signing and capabilities tab.

iOS, Windows and Linux

No specific platform configuration is required.

Launch Web UI Sign In

Sweet! You're now ready to launch sign in with web UI.

1Future<void> signInWithWebUI() async {
2 try {
3 final result = await Amplify.Auth.signInWithWebUI();
4 safePrint('Sign in result: $result');
5 } on AuthException catch (e) {
6 safePrint('Error signing in: ${e.message}');
7 }

You can also specify a provider with the provider attribute:

1Future<void> signInWithWebUIProvider() async {
2 try {
3 final result = await Amplify.Auth.signInWithWebUI(
4 provider:,
5 );
6 safePrint('Result: $result');
7 } on AuthException catch (e) {
8 safePrint('Error signing in: ${e.message}');
9 }

Amplify Flutter currently supports the following social sign-in providers:

  • Google
  • Facebook
  • Login With Amazon
  • Apple

Prefer private session during signIn on iOS.

Amplify.Auth.signInWithWebUI uses ASWebAuthenticationSession internally for iOS. ASWebAuthenticationSession has a property, prefersEphemeralWebBrowserSession which can be used to indicate whether the session should ask the browser for a private authentication session. To set this flag to true, set preferPrivateSession to true using CognitoSignInWithWebUIPluginOptions.

This will bypass the permissions dialog that is displayed to the end user during sign in and sign out. However, it will also prevent reuse of existing sessions from the user's browser. For example, if the user is logged into Google in their browser and try to sign in using Google in your app, they would now need to re-enter their credentials.

1Future<void> signInWithWebUIAndPrivateSession() async {
2 await Amplify.Auth.signInWithWebUI(
3 options: const SignInWithWebUIOptions(
4 pluginOptions: CognitoSignInWithWebUIPluginOptions(
5 isPreferPrivateSession: true,
6 ),
7 ),
8 );