Hi,
I'm using a federated pool with a user pool and some social providers (Google, Facebook).
What should be the approach to link identities if they connect using different providers (the same email in all providers)?
Thanks!
You would have to call the 'admin link provider for user' from your backend to link them based on common attributes.
http://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-link-provider-for-user.html
Ok, I see. Thanks for the link
@dbeja @itrestian Any solid examples of adminLinkProviderForUser?
The documentation is on the difficult side to follow.
Is it possible to link an unconfirmed pooluser with a google or a fb account?
@prem911 The documentation is confusing however the answers are there. I find consulting the AWS REST API docs (what all the SDKs call) far more useful than the SDK docs.
I used these params to link a Facebook account to an email/password account in my user pool. Note you do this _before_ the Facebook account has been created (more on that below) otherwise you will receive a "SourceUser with the specified attribute value is already linked to another user" error.
const params = {
  // the existing native (email/password) user in the pool
  "DestinationUser": {
    "ProviderAttributeValue": "<user id of the cognito user-password user>",
    "ProviderName": "Cognito"
  },
  // the social identity being linked to it
  "SourceUser": {
    "ProviderAttributeName": "Cognito_Subject",
    "ProviderAttributeValue": "<id, sub, or user_id value found in the social identity provider token>",
    "ProviderName": "Facebook"
  },
  "UserPoolId": "<poolid>"
};
If I pass these params to a call to adminLinkProviderForUser I get an empty {} 200 response indicating the accounts are linked.
Following that I can sign in with my Facebook account and see that no new Facebook account is created in my pool (yay).
After I generate keys for the user that has just logged in and I decode the id_token I can see the token reflects my email / password user. This would indicate the linking was successful.
@itrestian This all looks good, however the linking relies on using a value in the id, sub, or user_id value found in the social identity provider token.
So how is the flow supposed to work? I can't get that info until someone goes through the oauth flow with a provider. How can I hook into that flow, get the id, sub, or user_id to perform the linking?
In order to do the social login I'm doing the GET amazoncognito.com/oauth2/authorize?identity_provider=Facebook&response_type=code then POST amazoncognito.com/oauth2/token approach.
I'm in the same boat as @saintberry
I'm currently running this in the presignup trigger
If I start with a single user in the pool that is a basic user:pass user and then I try to sign in with Google as a user with the same email, then inside my function I try to find a matching email in the pool and, if so, I link that account with the Google one.
When no errors occur, I end up with two users (UserPassUser + GoogleUser) and additionally the UserPassUser now has an "identity" field that contains the Google user data.
Is there a way to prevent that extra user from being created? Is there a better place to put this code in the Cognito trigger/lifecycle flow?
@iDVB @saintberry did you figure out the flow? Did you find a more appropriate trigger that provides the id of the federated user account? Is there anything between PreSignUp_ExternalProvider and PostConfirmation_ConfirmSignUp?
Darn it, I think I found it: directly in the event object, there is a userName field with this value: Facebook_10155611263153432. The second part is the same as the userId that we get in the PostConfirmation_ConfirmSignUp trigger. Which is nice. But this never-ending Cognito saga kept the best for last: "Already found an entry for username Facebook_10155611263153432". I mean.. seriously? I completely clear up the user pool before trying.
Anyone else faced this?
(Just as a reference, I call adminLinkProviderForUser within the PreSignUp_ExternalProvider trigger)
Posted this here if anyone interested: https://stackoverflow.com/q/47815161/592641
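As an added example (not code from anyone in this thread), here is the PreSignUp_ExternalProvider flow the comments above describe, written as a Lambda trigger body: it parses the "Provider_id" userName the trigger receives, finds the existing native user by email, and calls adminLinkProviderForUser with the same parameter shape posted earlier. The `cognito` parameter is a hypothetical injected client whose listUsers()/adminLinkProviderForUser() return promises (e.g. the AWS SDK v2 calls with .promise()), and it assumes your attribute mapping exposes email_verified for the provider.

```javascript
// Added example, not from the thread. The Cognito client is injected so the logic
// runs offline; in Lambda pass a real AWS SDK CognitoIdentityServiceProvider wrapper.

// The trigger receives the external user as "<Provider>_<providerUserId>", e.g. the
// thread's "Facebook_10155611263153432"; the second part is the SourceUser value.
function parseFederatedUserName(userName) {
  const i = typeof userName === 'string' ? userName.indexOf('_') : -1;
  if (i <= 0 || i === userName.length - 1) return null;
  return { providerName: userName.slice(0, i), providerUserId: userName.slice(i + 1) };
}

// Same shape as the params posted above: native user = DestinationUser, social = SourceUser.
function buildLinkParams(userPoolId, nativeUsername, providerName, providerUserId) {
  return {
    UserPoolId: userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: nativeUsername },
    SourceUser: {
      ProviderName: providerName,
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerUserId,
    },
  };
}

// Resolves to { linkedTo: <native username> } or { linkedTo: null } when nothing was linked.
async function linkFederatedUser(event, cognito) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return { linkedTo: null };
  const parsed = parseFederatedUserName(event.userName);
  const attrs = (event.request && event.request.userAttributes) || {};
  // Only link on an email the provider reports as verified (assumes email_verified is
  // mapped); linking on an unverified address would let whoever registers that email
  // at the social provider take over the existing native account.
  if (!parsed || !attrs.email || attrs.email_verified !== 'true') return { linkedTo: null };

  // ListUsers filter syntax; double quotes are stripped so the filter cannot be broken.
  const { Users } = await cognito.listUsers({
    UserPoolId: event.userPoolId,
    Filter: `email = "${attrs.email.replace(/"/g, '')}"`,
    Limit: 2,
  });
  // Ignore rows that are themselves federated users; we want the native account.
  const native = (Users || []).find(u => u.UserStatus !== 'EXTERNAL_PROVIDER');
  if (!native) return { linkedTo: null };

  await cognito.adminLinkProviderForUser(
    buildLinkParams(event.userPoolId, native.Username, parsed.providerName, parsed.providerUserId));
  return { linkedTo: native.Username };
}

module.exports = { parseFederatedUserName, buildLinkParams, linkFederatedUser };
```

The Lambda handler itself would just be `await linkFederatedUser(event, client); return event;`; this only performs the link and reports what it did, it does not by itself change whether Cognito goes on to create the extra federated user row that the comments above describe.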