Amplify-js: Delete linked user from User pool users.

Created on 11 Jun 2019 · 11 comments · Source: aws-amplify/amplify-js

Describe the bug
When I link a user to an existing identity via adminLinkProviderForUser, I get two users in the "Users and groups" section of the AWS console. That is OK, because the second user is just a link to the original one.
But when I delete one of the two I have just created, I cannot reach the remaining one. I get this instead:
(screenshot of the console error, 2019-06-11)

To Reproduce
Steps to reproduce the behavior:

  1. Create a user in the User pool.
  2. Link a second user to the first with adminLinkProviderForUser:
    // aws-sdk v2 client; the setup lines were not in the original post
    const AWS = require('aws-sdk');
    const identity = new AWS.CognitoIdentityServiceProvider();

    // Assumed to be a Cognito Lambda trigger, since the code reads event.userPoolId
    exports.handler = async (event) => {
      // Link the Google identity (SourceUser) to the existing identity (DestinationUser).
      // Provider names and attribute values are kept exactly as posted.
      var params = {
        DestinationUser: {
          ProviderAttributeName: 'Cognito',
          ProviderAttributeValue: "1111111111",
          ProviderName: "Facebook"
        },
        SourceUser: {
          ProviderAttributeName: 'Cognito_Subject',
          ProviderAttributeValue: "222222222",
          ProviderName: "Google"
        },
        UserPoolId: event.userPoolId,
      };
      try {
        await identity.adminLinkProviderForUser(params).promise();
      } catch (e) {
        console.log(e);
        return e;
      }
      // A trigger must hand the event back for the sign-in flow to continue
      return event;
    };
  3. Delete one of them in the User pool in the AWS console.
  4. Try to access the remaining one. (End)

Expected behavior
I should be able to remove both.

Labels: Cognito, Service Team, feature-request

All 11 comments

I stumbled into this too: I found I could delete the user via the Cognito API (or AWS CLI).

What's odd is that even though linked users show the same sub in the Cognito console, they are actually stored with different subs in the Cognito database. I presume that might be related to this issue.

@lenarmazitov - Can you please clarify - do you know that the second user still exists, but just cannot be retrieved? Or does it appear that the linked user is deleted along with its related record?

@haverchuck I could just suppose that the user does not exist, but some link to the second federated identity still remains. And when I click on it in the AWS console I cannot reach the original user, because it was deleted.

Update: I have just checked. The user still exists, and I can link a new identity to it. So I suppose that when I remove a user with 2 or more identities linked to it in the AWS console, all identities are unlinked from it, but the identities are still present in the database and we can see them in the AWS console.

And my thoughts on how this can be fixed:

  • in the AWS console, add an "Unlink identity" control if there is more than 1 identity linked
  • in the AWS console, the "Delete user" control should unlink all identities and remove the user (maybe with a confirmation when there is more than 1 identity)

Same here, but I can't even delete it with adminDeleteUser from the JS SDK; it throws a UserNotFoundException. In the Cognito User Pool console the user appears, though, and it also appears with listUsers filtered by its username.

I haven't found a way to remove that user, any thoughts?

Hi @haverchuck, in my case the user can be retrieved by list-users (both SDK and CLI) and is listed in the console as well. However, I can't get it with admin-get-user nor admin-delete-user:

"An error occurred (UserNotFoundException) when calling the AdminDeleteUser operation: User does not exist."

And if I click the user in the console it gives me this:
(screenshot of the console error)

How did you delete the user via the AWS CLI? When I try, all I get is:

"An error occurred (UserNotFoundException) when calling the AdminDeleteUser operation: User does not exist."

Has anyone had success with this? Still an issue, and now I've got unlinked orphaned accounts that I cannot access in the console or CLI, though the user shows both in the console Users and Groups page and in the data returned by listUsers().

If you want to delete these unlinked external/provider accounts, do the following:

  • Recreate the original Cognito user account that they were linked to
  • Disable the provider for this user (i.e. via the AWS CLI command admin-disable-provider-for-user)
  • Both accounts can now be deleted successfully

@codeitcody I'm currently running Admin Link Provider in the pre sign-up trigger.
If I start with a native user in the pool and then try to sign in with Google as a user with the same email, then inside my function I try to find a matching email in the pool and, if so, I link that account with the Google one.

After successful linking, I end up with two users with different subs, and additionally the UserPassUser now has an "identity" field that contains the Google user data.

How do I link them to get the same sub?

@shiyaskk, I too encountered the same issue, when I pass a SAML IdP user as the source user and a Cognito native user as the destination user.

Note that this can also happen if you make a mistake in the link command. When linking to existing User Pool users, make sure to use the "sub", not the email, of the user as the username:

aws cognito-idp admin-link-provider-for-user \
    --user-pool-id XXXX \
    --source-user ProviderName=Google,ProviderAttributeName="Cognito_Subject",ProviderAttributeValue="<googleIdIsSomeNumber>" \
    --destination-user ProviderName=Cognito,ProviderAttributeValue=<userSub>

(Note that this command links the Google user to the local user pool user, so that when the Google user would federate in, he/she would "assume" the account of the user pool user.)

@MJRuskin is right that to correct the "user not found" situation you just have to create the link in a valid way again, either to a new user (just for the purpose of throwing it away again later) or to an existing one. Use the user that is "not found" as the source user then, and the new/existing user as the destination user.

Another note: if you do the linking entirely right, you would not see multiple user accounts for the same user in Cognito; you would just see one (although it can work with multiple, so it is not a real problem). You can do the linking beforehand, when you just have the Cognito user pool user record showing and not the federated one yet. However, to do the linking then you would need to know the user's ID from the federation provider, which for e.g. Google is impossible to predict (it is some number), but for SAML users it can be predicted (it is their common organization ID that you may know).
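Added example, not code from this thread or from amplify-js: it puts the recovery steps posted above (recreate a link target, admin-link the orphaned identity to it, admin-disable-provider, then delete both records) and the "destination must be the sub, not the email" rule into code using the aws-sdk v2 method names the thread uses. The client is injected, so `recoverOrphanedIdentity` can be run with a real `new AWS.CognitoIdentityServiceProvider({ region })`; the `FakeCognito` class, the `demo` walkthrough, the pool id, usernames and subject values are constructed here only to reproduce the behaviour the thread reports (orphan still listed by listUsers, UserNotFoundException from adminGetUser and adminDeleteUser) and are not how Cognito is implemented. Two further assumptions: federated usernames have the form `<ProviderName>_<subject>`, and subs are UUID-shaped.

```javascript
// Added example; not from the issue thread or from amplify-js. See the lead-in for assumptions.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function federatedUsername(providerName, providerSubject) {
  return `${providerName}_${providerSubject}`; // assumed username format for federated records
}

// Params for AdminLinkProviderForUser. Rejects an e-mail or other non-sub destination,
// which is the mistake the thread notes leaves an unreachable record.
function buildLinkParams({ userPoolId, providerName, providerSubject, destinationSub }) {
  if (!UUID_RE.test(destinationSub)) {
    throw new Error("DestinationUser must be the user pool user's sub, not a username or e-mail");
  }
  return {
    UserPoolId: userPoolId,
    SourceUser: { ProviderName: providerName, ProviderAttributeName: 'Cognito_Subject',
                  ProviderAttributeValue: providerSubject },
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: destinationSub },
  };
}

// Recovery for an external identity whose original link target was deleted.
async function recoverOrphanedIdentity(client, { userPoolId, providerName, providerSubject, tempUsername }) {
  const created = await client.adminCreateUser({
    UserPoolId: userPoolId, Username: tempUsername, MessageAction: 'SUPPRESS' }).promise();
  const sub = created.User.Attributes.find((a) => a.Name === 'sub').Value;
  await client.adminLinkProviderForUser(
    buildLinkParams({ userPoolId, providerName, providerSubject, destinationSub: sub })).promise();
  await client.adminDisableProviderForUser({ UserPoolId: userPoolId, User: {
    ProviderName: providerName, ProviderAttributeName: 'Cognito_Subject',
    ProviderAttributeValue: providerSubject } }).promise();
  await client.adminDeleteUser({ UserPoolId: userPoolId,
    Username: federatedUsername(providerName, providerSubject) }).promise();
  await client.adminDeleteUser({ UserPoolId: userPoolId, Username: tempUsername }).promise();
}

// In-memory stand-in (constructed) with the aws-sdk v2 `.promise()` call shape.
let subCounter = 0;
function nextSub() { return `00000000-0000-4000-8000-${String(++subCounter).padStart(12, '0')}`; }

class FakeCognito {
  constructor() { this.users = new Map(); } // Username -> { sub, linkedTo }
  _call(fn) { return { promise: () => Promise.resolve().then(fn) }; }
  _notFound() { const e = new Error('User does not exist.'); e.code = 'UserNotFoundException'; return e; }
  _bySub(sub) { return [...this.users.values()].some((u) => u.sub === sub); }
  _get(username) {
    const u = this.users.get(username);
    // a record whose link target is gone is the orphan the thread describes: listed, not addressable
    if (!u || (u.linkedTo && !this._bySub(u.linkedTo))) throw this._notFound();
    return u;
  }
  seedFederatedUser(providerName, subject) { // stands in for a first federated sign-in
    this.users.set(federatedUsername(providerName, subject), { sub: nextSub(), linkedTo: null });
  }
  adminCreateUser({ Username }) { return this._call(() => {
    const sub = nextSub(); this.users.set(Username, { sub, linkedTo: null });
    return { User: { Username, Attributes: [{ Name: 'sub', Value: sub }] } };
  }); }
  adminLinkProviderForUser({ SourceUser, DestinationUser }) { return this._call(() => {
    if (!this._bySub(DestinationUser.ProviderAttributeValue)) throw this._notFound();
    const name = federatedUsername(SourceUser.ProviderName, SourceUser.ProviderAttributeValue);
    const u = this.users.get(name) || { sub: nextSub(), linkedTo: null };
    u.linkedTo = DestinationUser.ProviderAttributeValue; this.users.set(name, u); return {};
  }); }
  adminDisableProviderForUser({ User }) { return this._call(() => {
    const u = this.users.get(federatedUsername(User.ProviderName, User.ProviderAttributeValue));
    if (!u) throw this._notFound();
    u.linkedTo = null; return {};
  }); }
  adminGetUser({ Username }) { return this._call(() => {
    const u = this._get(Username);
    return { Username, UserAttributes: [{ Name: 'sub', Value: u.sub }] };
  }); }
  adminDeleteUser({ Username }) { return this._call(() => { this._get(Username); this.users.delete(Username); return {}; }); }
  listUsers() { return this._call(() => ({ Users: [...this.users.keys()].map((Username) => ({ Username })) })); }
}

// Reproduce the thread's failure against the stand-in, then recover. Returns what each step observed.
async function demo() {
  const client = new FakeCognito();
  const userPoolId = 'eu-west-1_EXAMPLE'; // constructed
  const alice = await client.adminCreateUser({ UserPoolId: userPoolId, Username: 'alice', MessageAction: 'SUPPRESS' }).promise();
  const aliceSub = alice.User.Attributes.find((a) => a.Name === 'sub').Value;
  client.seedFederatedUser('Google', '222222222');
  await client.adminLinkProviderForUser(buildLinkParams({
    userPoolId, providerName: 'Google', providerSubject: '222222222', destinationSub: aliceSub })).promise();
  await client.adminDeleteUser({ UserPoolId: userPoolId, Username: 'alice' }).promise(); // the console delete
  const orphan = federatedUsername('Google', '222222222');
  const listedWhileOrphaned = (await client.listUsers({ UserPoolId: userPoolId }).promise()).Users.map((u) => u.Username);
  let errorCode = null;
  try { await client.adminGetUser({ UserPoolId: userPoolId, Username: orphan }).promise(); }
  catch (e) { errorCode = e.code; }
  await recoverOrphanedIdentity(client, { userPoolId, providerName: 'Google', providerSubject: '222222222', tempUsername: 'relink-tmp' });
  const remaining = (await client.listUsers({ UserPoolId: userPoolId }).promise()).Users.map((u) => u.Username);
  return { listedWhileOrphaned, errorCode, remaining };
}
```

Against a real pool, only `buildLinkParams` and `recoverOrphanedIdentity` are meant to be used; the temporary user exists just long enough to give the orphan a valid link target, which is the "new user just for throwing away" option from the comment above. If the provider's subject is not known, list-users on the pool shows the orphan's username, from which the provider name and subject can be read back.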
