State your question
Discovered this while trying to retrieve the user's e-mail address to display in-app.
Using the Amplify SDK for authentication and following the latest docs, calling AWSMobileClient.sharedInstance().getUserAttributes works just fine when authenticating via e-mail/password, but returns an error when using Facebook or Google:
notAuthorized(message: "Access Token does not have required scopes")
I read up on scopes here:
https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
And openid seems to be required for a lot of functionality, even though Facebook doesn't seem to support it, yet Google authentication produces the same error.
Is there some way to make this work that I'm missing? Or could this be a bug?
Which AWS Services are you utilizing?
Cognito
Scopes specified in Cognito User Pool control panel:
[App client settings]
Allowed OAuth Scopes: email openid aws.cognito.signin.user.admin
[Identity providers]
Facebook Authorized Scopes: email, public_profile
Google Authorized Scopes: profile email openid
Scopes specified in awsconfiguration.json:
"Auth": {
    "Default": {
        "OAuth": {
            "Scopes": ["openid", "email"]
        }
    }
}
Provide code snippets (if applicable)
Trying to debug the retrieval of the e-mail address like so:
// Fetch the signed-in user's attributes and log either the result or the error
AWSMobileClient.sharedInstance().getUserAttributes { (attributes, error) in
    if let info = attributes {
        DDLogDebug("Attributes: \(info.debugDescription)")
    } else if let thisError = error {
        DDLogDebug("Attribute Error: \(thisError)")
    }
}
Environment (please complete the following information):
Device Information (please complete the following information):
Hi @Foefirelord,
We currently do not support getUserAttributes() when using the HostedUI to sign in. We will take this as a feature request to the team.
Is there some other way to retrieve a user's e-mail address when they're signed in via a social provider?
My issue isn't so much the getUserAttributes() method specifically so much as that I can't find a way to get a user's e-mail in all authentication cases my app supports (e-mail, Facebook, Google).
@Foefirelord Have you configured the identity provider attributes to the user pool attributes? If not, can you specify identity provider attribute mapping for your user pool as stated in the following doc:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-attribute-mapping.html
Once the attribute mapping is set you should be able to call getUserAttributes() to get user email.
@desokroshan Yes, I have attribute mapping setup, including e-mail mapping.
Both Google and Facebook "email" attributes are being mapped to the user pool "Email" attribute.
Yet the method fails for users logged in via social providers with the aforementioned error.
Any updates on this? It's making the use of social sign-in providers with User Pools useless in many ways.
Per the doc https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html the access token can be used against Amazon Cognito User Pools if the aws.cognito.signin.user.admin scope is requested. The aws.cognito.signin.user.admin scope is needed so that the access token works with the User Pool API behind getUserAttributes. Can you try to add it as below:
"Auth": {
    "Default": {
        "OAuth": {
            "Scopes": ["openid", "email", "aws.cognito.signin.user.admin"]
        }
    }
}
I tried debugging it with AWS support a couple weeks back, and they had me enable literally all scopes. Still doesn't work.
This is still a critical problem, as it prevents the retrieval of the user's e-mail address in-app.
Is there any news on a potential fix?
I've checked the User Pool, and I can see the e-mail address under the "email" field for social accounts in the AWS control panel, so the e-mail address is there, but the SDK fails to retrieve user attributes altogether for users authenticated via external providers.
Hello, FWIW I thought I was having the exact same problem as @Foefirelord, and I definitely need those attributes in-app to complete my user onboarding flow. I knew everything else was working since I saw those attributes pulled in fine and mapped great on the AWS Cognito dash, but I kept getting 'notAuthorized' when trying to getAttributes for the user.
Turns out, the culprit was when I copy/pasted the launch hosted UI code from the documentation (https://aws-amplify.github.io/docs/ios/authentication#launching-the-hosted-ui) which only had scopes: ["openid", "email"].
Once I added all the other scopes that were listed in my aws json config and re-signed in, the getAttributes call worked great.
let hostedUIOptions = HostedUIOptions(scopes: ["phone","email","openid","profile","aws.cognito.signin.user.admin"], identityProvider: "Facebook")
Hope this helps!
~G
Actually, you can go even simpler, if you just leave off the 'scopes' param entirely it appears to use the aws configuration json file, which I think is probably the intended usage...
let hostedUIOptions = HostedUIOptions(identityProvider: "Google")
~G
@garrettfritz Thanks for the suggestion.
@Foefirelord can you verify whether that suggestion works for you? Based on your earlier message ("...they had me enable literally all scopes. Still doesn't work.") I'm guessing it didn't. Can you share the code snippet you use to present the HostedUI to users?
Thanks to @garrettfritz for the insight.
It never occurred to me that the initializer for HostedUIOptions would override the config file in an SDK that was crafted specifically to reduce the amount of confusion being caused by the way services were configured in the older SDK (as in, without a single-file config for all services).
Once I removed the scopes argument from the HostedUIOptions initializer, AWSMobileClient.sharedInstance().getUserAttributes() began working as intended for social sign-in providers.
Also, the reply by @minbi only added to the confusion, since the method is clearly supported by HostedUI-based sign-in flows, at least when using the HostedUIOptions object to bypass the AWS hosted UI for social sign-in.
Thanks for the followup. I've seen examples of runtime configurations overriding compile/file-provided configurations in the past, but we'll do a better job calling that out in the API documentation to ensure we don't create additional confusion.
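To make the root cause in this thread concrete, here is an added diagnostic helper (not code from the Amplify SDK or from anyone in the thread). It models the behaviour reported above: a scopes list passed at runtime replaces the list from awsconfiguration.json entirely, and getUserAttributes() only succeeds when the access token's `scope` claim contains aws.cognito.signin.user.admin. The token it builds is a constructed, unsigned sample for local testing; the function names are assumptions.

```python
import base64
import json

# Scope the Cognito user-pool API behind getUserAttributes() requires on the access token
USER_ADMIN_SCOPE = "aws.cognito.signin.user.admin"

# awsconfiguration.json fragment as suggested in the thread
AWS_CONFIG = {"Auth": {"Default": {"OAuth": {"Scopes": ["openid", "email", USER_ADMIN_SCOPE]}}}}


def effective_scopes(config, runtime_scopes=None):
    """Scopes actually requested at sign-in. As observed in the thread, an explicit
    HostedUIOptions(scopes:) list replaces the file-based list instead of merging."""
    if runtime_scopes is not None:
        return list(runtime_scopes)
    return list(config["Auth"]["Default"]["OAuth"]["Scopes"])


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def access_token_scopes(jwt: str) -> set:
    """Read the space-separated 'scope' claim of a Cognito access token.
    Diagnostic only: the signature is NOT verified here."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return set(payload.get("scope", "").split())


def can_call_get_user_attributes(jwt: str) -> bool:
    """True if the token carries the scope getUserAttributes() needs."""
    return USER_ADMIN_SCOPE in access_token_scopes(jwt)


def make_unsigned_token(scopes):
    """CONSTRUCTED, unsigned token with the given scopes, for local testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"token_use": "access", "scope": " ".join(scopes)}
    return f"{enc(header)}.{enc(payload)}."
```

Running `access_token_scopes` on a real access token from the SDK shows at a glance whether the sign-in request dropped the admin scope, which is the condition that produces the "Access Token does not have required scopes" error.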