
How to support Cognito Email+Password and Sign In With Apple managed logins in the same user pool

0

Hello

My app is currently using a user pool with a custom domain. The user pool is configured to require email and name user attributes. I have an app client in the user pool that uses managed login to federate Cognito users into my identity pool. This app client requires new users to enter an email address, a name, and a password when they sign up. New users are not required to provide a username. This is exactly what I want. I have another app client that uses a managed login to federate Google users.

In attempting to add a third app client for Sign In With Apple, I've found that new users can be added successfully. But expired users, upon re-logging in, generate an error:

Invalid+user+attributes%3A+name.formatted%3A+The+attribute+name.formatted+is+required+&state=K08yRF1jtV&error=invalid_request

I believe the error is generated because my user pool requires a name and Apple doesn't provide a name after the first login. Will a user pool that does not require a name clear this error? If so, how would I then get the Cognito app client to prompt new users for a name? I am under the impression that the Cognito managed login page includes a prompt for name because its user pool requires a name. If I eliminate that requirement because of Apple, will I be able to sign up new Cognito users in the way I want?

Thanks

asked a year ago · 377 views
2 Answers
0

To support both Cognito Email+Password and Sign In With Apple managed logins in the same user pool while addressing the issue you're experiencing, you can take the following approach:

  1. Remove the requirement for the "name" attribute in your user pool. This will resolve the error you're seeing with Apple Sign In for returning users.

  2. For your Cognito Email+Password app client, you can still collect the name during sign-up by customizing the sign-up form. Even though the name won't be a required attribute at the user pool level, you can configure your app client to request and collect this information.

  3. For the Sign In With Apple app client, you won't need to prompt for the name after the initial sign-in, as Apple provides this information only on the first authentication.

  4. To ensure you get the name for new Cognito users, you can use Lambda triggers to customize the sign-up process. Specifically, you can use the Pre Sign-up Lambda trigger to make the name a required field for your Cognito Email+Password flow, even though it's not required at the user pool level.

  5. For your existing Google federation, you should be able to map the name attribute from Google to your user pool without issues.

By implementing these changes, you'll be able to:

  • Support Sign In With Apple without errors for returning users
  • Continue to collect names for new Cognito Email+Password users
  • Maintain your existing Google federation

This approach allows you to have different requirements for different identity providers within the same user pool, giving you the flexibility to handle the varying behaviors of each provider while still collecting the information you need for your application.
Sources
User pool sign-in with third party identity providers - Amazon Cognito
Configuring identity providers for your user pool - Amazon Cognito
Amazon Cognito user pools - Amazon Cognito

answered a year ago
  • The name requirement cannot be removed from the user pool. The user pool has to be rebuilt. I tried to add a prompt for name by customizing the login page. As far as I could tell, customization is limited to decorative elements like fonts and colors. I could not find a way to change the structure of the page and include a new field to be completed by the user.
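Step 4 of the answer above mentions a Pre Sign-up Lambda trigger. The handler below is an added example of that idea (not code from the answer, the asker, or AWS); it assumes a hypothetical app client id and the trigger's standard `triggerSource` / `callerContext` / `request.userAttributes` event fields. Note the caveat the comment raises: a trigger can only reject a sign-up that arrives without a name, it cannot add a name field to the managed login form.

```python
# Pre Sign-up trigger that requires a name only for native email+password
# sign-ups through one app client, and passes every federated sign-up
# (Google, Apple, arriving as PreSignUp_ExternalProvider) through untouched.

# Hypothetical app client id, constructed for this example.
EMAIL_PASSWORD_CLIENT_ID = "example-email-password-client-id"


def _name_is_missing(attrs: dict) -> bool:
    """True when neither 'name' nor 'name.formatted' carries a non-blank value."""
    value = attrs.get("name") or attrs.get("name.formatted") or ""
    return not value.strip()


def lambda_handler(event: dict, context) -> dict:
    """Cognito Pre Sign-up handler: reject native sign-ups that lack a name."""
    source = event.get("triggerSource", "")
    client_id = event.get("callerContext", {}).get("clientId")
    attrs = event.get("request", {}).get("userAttributes", {})

    # Only the native sign-up path of the email+password client is checked;
    # external-provider sign-ups are never blocked, so an Apple login that
    # omits the name is not affected by this trigger.
    if source == "PreSignUp_SignUp" and client_id == EMAIL_PASSWORD_CLIENT_ID:
        if _name_is_missing(attrs):
            # Raising makes Cognito reject the sign-up and surface this message.
            raise ValueError("A name is required to sign up.")

    # Return the event unchanged (no auto-confirm or auto-verify here).
    return event


def make_event(source: str, client_id: str, attrs: dict) -> dict:
    """Build a constructed Pre Sign-up event with the fields the handler reads."""
    return {
        "triggerSource": source,
        "callerContext": {"clientId": client_id},
        "request": {"userAttributes": attrs},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False},
    }


def sign_up_is_accepted(event: dict) -> bool:
    """Run the handler and report whether the sign-up would be allowed."""
    try:
        lambda_handler(event, None)
        return True
    except ValueError:
        return False
```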

0

I'm facing the same issue with Apple sign in. Instead of providing these vague responses from re:Post Agents it'd be nice to get actual feedback on this. For example there's no such thing as "Remove the requirement for the name attribute in your user pool", you cannot remove a required attribute once a pool is created, and this is a bottleneck for a lot of people out there. The only way this can be fixed is if we create a new user pool and migrate all users which is an enormous task, but of course AWS / Apple won't give a f about that.

answered a month ago
