"The short answer is: Amplify is designed for SP-initiated flows, meaning the process must start within your app via signInWithRedirect(). Amplify won't automatically 'pick up' a code it didn't request itself due to OAuth2 security standards (PKCE)."
When you arrive at your app with a code already in the URL (likely an IdP-initiated flow from Entra), Amplify’s internal OAuth handler ignores it because it lacks the corresponding 'state' and 'PKCE verifier' that it would have created if it had started the request itself.
Is there a built-in method?
Not specifically for a 'pre-existing' code. However, you have two options to avoid manual Axios calls:
- The 'Amplify Way' (Recommended): Don't redirect from Entra with a code directly. Instead, redirect the user to your app's login page and call `signInWithRedirect({ provider: 'IdentityServer' })` (your Entra provider name). This ensures Amplify manages the PKCE flow and token exchange automatically.
- The Custom Hub Listener: If you must handle an external code, you are already doing the 'correct' workaround by exchanging it manually. Amplify's `Auth` category doesn't have a `handleCode(code)` method because it needs to validate the session state for security.
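
The state and PKCE check described in this answer, as an added example that is not part of the original answer and is not Amplify's internal code: a generic OAuth client sketch in Node.js. The endpoint, client ID, function names and the in-memory `pending` store are assumptions made for illustration.

```javascript
// Added illustration (not Amplify's code): why an OAuth client rejects an
// authorization code that arrives without a state it issued itself.
const crypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Stands in for the storage a client keeps between redirect and callback.
const pending = new Map();

// SP-initiated start: create state + PKCE verifier, remember them,
// and send only the S256 challenge to the authorization endpoint.
function beginSignIn(authorizeEndpoint, clientId, redirectUri) {
  const state = b64url(crypto.randomBytes(16));
  const verifier = b64url(crypto.randomBytes(32));
  const challenge = b64url(crypto.createHash('sha256').update(verifier).digest());
  pending.set(state, verifier);
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, challenge };
}

// Callback: accept a code only if its state matches a request started here.
function handleCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  if (!code) return { accepted: false, reason: 'no code' };
  if (!state || !pending.has(state)) {
    // IdP-initiated arrival: no stored state, so no verifier to redeem with.
    return { accepted: false, reason: 'unknown state' };
  }
  const verifier = pending.get(state);
  pending.delete(state); // state is single-use, so a replayed callback fails
  // The token request would carry { code, code_verifier: verifier }.
  return { accepted: true, code, verifier };
}
```

A callback URL that carries only `?code=...` falls into the `unknown state` branch, which is the situation the answer describes for a code arriving from an IdP-initiated flow.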
