Amplify-js: Sign Up via federated identity (against user pool instead of federated identity)

Created on 8 Jan 2018 · 19 Comments · Source: aws-amplify/amplify-js

Hi, first of all, thank you guys for this remarkably helpful project. I've done web and mobile apps with the AWS SDK and it took me in the order of days to weeks, which you have now cut down to minutes!

Here's a feature request though. Currently I'm able to provide the federated log in against the federated identities service, but I would actually like to offer a federated sign up against my user pool so I can easily attach attributes and groups to a user.

Is this currently achievable or will it be supported in the future?

Thanks!

Auth feature-request

All 19 comments

There is a downside in doing that. User Pool implements federated support in a way that is incompatible with mobile apps generated by Mobile Hub. A user that logs in via federation on the user pool won't match against the same federated user logging in via a Mobile Hub generated app. If you are browser-only then using the user pool for federation is fine. Note that the user pool federation implementation is pure OAuth so you can use it with other OAuth packages.

aws-amplify is currently handling federation in a manner compatible with mobile hub apps.

Plus -- it is way more expensive to track your federated users via user pool than it is to just stick their attributes into a dynamodb table.

This is dup of #45

Well I'd argue that this is more of an issue with Mobile Hub than anything else. I'm actually also using aws-amplify for mobile, but I stay away from Mobile Hub for its limitations.
Regardless if someone is using mobile hub or not though, wouldn't it be possible to offer federated sign up against user pool in addition and not as a substitution?

I recommend checking out the pricing for user pools before going too far. Federating users via Identity Pool is free. User pool is certainly easier to use, but that ease of use comes with a pretty large price tag.

I'm not sure the two services can be compared only by looking at the price tag. In most cases you'll anyways want to use both. If you can avoid using user pools and thus relying on third party identity providers, that's great and probably all you need for a game or some simple app. On the other hand, if you need to manage groups of users, assign users different properties and tags, user pools is a viable option that I believe makes financial sense (maybe until 1 Mio monthly active users though).

Anyhow you are right that federating users is a viable option and for my current project I will actually move ahead with it. Even though I'd still like to see the user pool federation in aws-amplify :-)

Thank you for your feedback!

We use both too, we just don't want hordes of casual users ending up in the user pool.

What is missing is a way to promote an existing federated user out of the identity pool and into the user pool in order to give them special status. Currently you have to make a new login id.

We recently launched support for the Hosted UI in Amplify:
https://aws-amplify.github.io/amplify-js/media/authentication_guide.html#using-amazon-cognito-hosted-ui

which allows you to federate directly against Cognito User Pools. Please let us know if you have any feedback or further feature requests in regards to that.

So, if I understand this correctly, this library doesn't support federated authentication using User Pools? Is there a workaround or any third party library I can use to provide me with such functionality for federated sign in/up?

@MainaWycliffe as far as I know there is no way other than using Cognito Hosted UI for now.

@MainaWycliffe currently Amplify supports two routes for federation:

  1. With Cognito Federated Identities, which will vend you AWS credentials. This is the default implementation out-of-the-box with using the Auth category. User Pools can also be an identity provider on this identity pool. So this is the recommended approach.

  2. You can federate directly with Cognito User Pools using the Hosted UI mentioned above.

Currently there isn't a way to federate directly with User Pools outside of the Hosted UI, but this is in their roadmap. @yuntuowang do you have any feedback on this feature?

@mlabieniec and @powerful23 thanks for clarifying that. I just have one more question: if I use the Hosted UI, does AWS Amplify still manage my security tokens, getting them from the Hosted UI and refreshing them? I am willing to use it and bide my time until that feature is released.

@MainaWycliffe no problem! Yes, if you use the Hosted UI with Amplify, Amplify will manage the return of the OAuth request. If it's a code grant, Amplify will retrieve the refresh token and manage the refreshing of the session for you, for AWS credentials, as long as your User Pool is set as an IDP on your Identity Pool.

@mlabieniec @yuntuowang Can you give more detail about any support for federated login directly with user pools, please? What can we expect? I am also very interested in this topic.

The main problem with the Hosted UI is the very poor way we can customize it. It is not even I18n compatible (and I'm not even talking about screen layout, labels...). So we need either more capability to customize it (not only I18n) or a way to support federation from aws-amplify and the application UI with the user pool...

@OlivierPT did you find a workaround for this?

Hi @agathao,

I actually found a solution in the Amplify documentation: https://aws-amplify.github.io/docs/js/authentication#launching-the-hosted-ui

If you look carefully, you will see that the URLs for Facebook and Google use the "authorize" endpoint. Using this, your user will be redirected to the Facebook/Google login page and then Cognito will add this user to the user pool. This way, you can use the components (Amplify React, for example) or build your own with proper I18n, use federated sign-in/sign-up and get the user in the user pool.

Hope this will help ;)
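
The redirect described in the comment above, together with the code grant mentioned earlier in the thread, sketched as an added example that is not part of the original thread or of Amplify's own code: it builds the user pool's `/oauth2/authorize` URL with Cognito's `identity_provider` parameter so the user goes straight to the provider, and checks `state` on the way back so a callback the session did not start is rejected. The domain, client ID, redirect URI and the function names are constructed placeholders.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample values; replace with your own user pool domain and app client.
const sampleConfig = {
  domain: 'example-app.auth.us-east-1.amazoncognito.com',
  clientId: 'EXAMPLE_CLIENT_ID',
  redirectUri: 'https://app.example.com/callback',
  scopes: ['openid', 'email', 'profile'],
};

// Unpadded base64url, the encoding PKCE (RFC 7636) uses for verifier and challenge.
const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build the redirect for one provider ('Facebook', 'Google', ...).
// Returns the URL plus the two secrets the app must hold until the callback.
function buildAuthorizeRequest(cfg, provider) {
  const state = b64url(nodeCrypto.randomBytes(32));         // CSRF binding
  const codeVerifier = b64url(nodeCrypto.randomBytes(32));  // PKCE secret, 43 chars
  const codeChallenge = b64url(nodeCrypto.createHash('sha256').update(codeVerifier).digest());
  const url = new URL('/oauth2/authorize', `https://${cfg.domain}`);
  url.search = new URLSearchParams({
    identity_provider: provider,   // skips the Hosted UI provider picker
    response_type: 'code',         // code grant, so a refresh token can be issued
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scopes.join(' '),
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, codeVerifier };
}

// Validate the callback before exchanging the code; returns the authorization code.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error(`authorize failed: ${params.get('error')}`);
  const returned = Buffer.from(params.get('state') || '');
  const expected = Buffer.from(expectedState);
  if (returned.length !== expected.length || !nodeCrypto.timingSafeEqual(returned, expected)) {
    throw new Error('state mismatch: callback was not started by this session');
  }
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in callback');
  return code;
}
```

The `codeVerifier` is sent as `code_verifier` with the code to the user pool's token endpoint; hold it and `state` only until the callback has been processed.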

Hi,
I had read in several threads that hosted UI is not an option for react native. Were you able to onboard? Or are you saying that the URL itself was the problem?

Hi @agathao,

Ok, I am using ReactJS, not React Native... I didn't catch that you were using React Native. Indeed, I think this is not an option because there will be no possible callback URL in your case.

Guys, is there any way of doing federation with user pool without Hosted UI using a combination of Amplify and Cognito SDK? I need to support multiple languages and Hosted UI seems not a valid choice for me.

For those using Social Login with AWS Cognito User Pools and don't want to use the Hosted UI, I came across this workaround here and my initial tests are promising, very promising.
