How to support Cognito Email+Password and Sign In With Apple managed logins in the same user pool

0

Hello

My app is currently using a user pool with a custom domain. The user pool is configured to require email and name user attributes. I have an app client in the user pool that uses managed login to federate Cognito users into my identity pool. This app client requires new users to enter an email address, a name, and a password when they sign up. New users are not required to provide a username. This is exactly what I want. I have another app client that uses a managed login to federate Google users.

In attempting to add a third app client for Sign in with Apple, I've found that new users can be added successfully. But expired users, upon logging in again, generate an error:

Invalid+user+attributes%3A+name.formatted%3A+The+attribute+name.formatted+is+required+&state=K08yRF1jtV&error=invalid_request

I believe the error is generated because my user pool requires a name and Apple doesn't provide a name after the first login. Will a user pool that does not require a name clear this error? If so, how would I then get the Cognito app client to prompt new users for a name? I am under the impression that the Cognito managed login page includes a prompt for name because its user pool requires a name. If I eliminate that requirement because of Apple, will I be able to sign up new Cognito users in the way I want?

Thanks

asked a month ago · 83 views
1 Answer
0

To support both Cognito Email+Password and Sign In With Apple managed logins in the same user pool while addressing the issue you're experiencing, you can take the following approach:

  1. Remove the requirement for the "name" attribute in your user pool. This will resolve the error you're seeing with Apple Sign In for returning users.

  2. For your Cognito Email+Password app client, you can still collect the name during sign-up by customizing the sign-up form. Even though the name won't be a required attribute at the user pool level, you can configure your app client to request and collect this information.

  3. For the Sign In With Apple app client, you won't need to prompt for the name after the initial sign-in, as Apple provides this information only on the first authentication.

  4. To ensure you get the name for new Cognito users, you can use Lambda triggers to customize the sign-up process. Specifically, you can use the Pre Sign-up Lambda trigger to make the name a required field for your Cognito Email+Password flow, even though it's not required at the user pool level.

  5. For your existing Google federation, you should be able to map the name attribute from Google to your user pool without issues.

By implementing these changes, you'll be able to:

  • Support Sign In With Apple without errors for returning users
  • Continue to collect names for new Cognito Email+Password users
  • Maintain your existing Google federation

This approach allows you to have different requirements for different identity providers within the same user pool, giving you the flexibility to handle the varying behaviors of each provider while still collecting the information you need for your application.
Sources
User pool sign-in with third party identity providers - Amazon Cognito
Configuring identity providers for your user pool - Amazon Cognito
Amazon Cognito user pools - Amazon Cognito

answered a month ago
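One way to implement step 4 of the answer, as an added example that is not from the answer's author or from AWS: a Pre Sign-up Lambda trigger that rejects native email+password sign-ups lacking a name, while letting federated sign-ups (Apple, Google) through so a returning Apple user without a name is not blocked. The event fields used are the documented Pre Sign-up trigger payload; the sample events are constructed for local testing.

```python
# Added example (not from the original answer): Cognito Pre Sign-up trigger that
# requires "name" only for native sign-ups, so the user pool itself can leave
# "name" optional. Federated sign-ups (PreSignUp_ExternalProvider) pass through
# because Apple only supplies the name on the very first authentication.

# Trigger sources that represent a Cognito-native account being created.
NATIVE_SIGNUP_SOURCES = {"PreSignUp_SignUp", "PreSignUp_AdminCreateUser"}


def _is_blank(value) -> bool:
    """True for None, empty, or whitespace-only attribute values."""
    return value is None or not str(value).strip()


def enforce_name(event: dict) -> dict:
    """Return the event unchanged if the sign-up is acceptable.

    Raises ValueError for a native sign-up with no usable "name" attribute.
    Cognito surfaces the exception message on the managed login page and
    rejects the sign-up, which is how the field becomes effectively required
    for the email+password flow without being required at the pool level.
    """
    source = event.get("triggerSource", "")
    attrs = event.get("request", {}).get("userAttributes", {})

    if source in NATIVE_SIGNUP_SOURCES and _is_blank(attrs.get("name")):
        raise ValueError("A name is required to create an account.")

    # If only one app client should be policed, event["callerContext"]["clientId"]
    # can additionally be compared against that client's ID (not shown here).
    return event


def lambda_handler(event: dict, context) -> dict:
    # Cognito expects the (possibly modified) event object to be returned.
    return enforce_name(event)


if __name__ == "__main__":
    # Constructed sample events; the addresses are placeholders, not real users.
    native = {"triggerSource": "PreSignUp_SignUp",
              "request": {"userAttributes": {"email": "a@example.com", "name": "Ada"}},
              "response": {}}
    apple_returning = {"triggerSource": "PreSignUp_ExternalProvider",
                       "request": {"userAttributes": {"email": "b@example.com"}},
                       "response": {}}
    assert enforce_name(native) is native
    assert enforce_name(apple_returning) is apple_returning
    print("both sample events accepted")
```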
  • The name requirement cannot be removed from the user pool. The user pool has to be rebuilt. I tried to add a prompt for name by customizing the login page. As far as I could tell, customization is limited to decorative elements like fonts and colors. I could not find a way to change the structure of the page and include a new field to be completed by the user.
