Hello there,
I understand that you would like to know how to add federated login using an external OpenID Connect Identity Provider to a user pool that has certain required attributes, when the external OIDC provider does not provide these fields.
To answer each of your queries:
1→ Is there any way we can use the OIDC flow with missing attributes?
Ans) When a federated user signs in to your application, a mapping must be present for each user pool attribute that your user pool requires. The same is mentioned in the documentation. In that respect, there is natively no feature in Cognito that allows sign-up with missing required attributes. Failing to populate the required attributes in the federated sign-in call will lead to a failure/error.
However, if your OIDC IdP does not pass the required attributes, as a workaround you can try the setup below.
- Set up a pre-sign-up Lambda trigger for your user pool, check whether the attributes are missing and/or compare them, and set them as necessary with the Cognito SDK.
- Map a different attribute from your OIDC IdP to these required attributes in your user pool and use option 1 to validate.
- Migrate to a new user pool, as you would not be able to update the required attributes in an already created user pool.
2→ Is there any way we can make the required attributes as optional in the User Pool?
Ans) As of now, modifying the required attributes of a Cognito user pool once the user pool has been created is not an available feature. The documentation also states: "When you mark a standard attribute as Required, a user can't register unless they provide a value for the attribute. To create users and not give values for required attributes, administrators can use the AdminCreateUser API. After you create a user pool, you can't switch an attribute between required and not required."
References
2: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
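The "check" half of the first workaround above, as an added example that is not part of the answer or of any AWS sample code. It is a pre-sign-up Lambda handler that, for federated sign-ins (trigger source `PreSignUp_ExternalProvider`), compares the attributes the IdP mapping delivered against the pool's required attributes and rejects the sign-up with a message naming exactly which mappings are absent. It deliberately does not try to set attributes from inside the trigger: the pre-sign-up response only carries the `autoConfirmUser`/`autoVerifyEmail`/`autoVerifyPhone` flags, so any "set them with the SDK" step would have to happen elsewhere. The required-attribute list, the pool ID, the provider name and the sample event contents are assumptions constructed for the example; the event layout follows the Cognito Lambda trigger format.

```python
"""Pre-sign-up Lambda trigger: verify a federated user's mapped attributes.

Added example, not code from the answer above. Assumes a user pool whose
required standard attributes are those in REQUIRED_ATTRIBUTES and whose
pre-sign-up hook is wired to lambda_handler.
"""
import copy
from typing import Iterable, List

# Assumed required attributes of the (hypothetical) user pool.
REQUIRED_ATTRIBUTES = ("email", "given_name", "family_name")

# Trigger source Cognito uses when an external IdP (OIDC/SAML/social) signs a user up.
EXTERNAL_PROVIDER_TRIGGER = "PreSignUp_ExternalProvider"


def missing_required_attributes(event: dict,
                                required: Iterable[str] = REQUIRED_ATTRIBUTES) -> List[str]:
    """Return the required attributes that the IdP mapping did not supply (or left blank)."""
    attrs = event.get("request", {}).get("userAttributes") or {}
    return [name for name in required if not str(attrs.get(name, "")).strip()]


def lambda_handler(event: dict, context=None) -> dict:
    """Cognito pre-sign-up handler.

    Federated sign-ups with an unmapped required attribute are rejected by raising;
    Cognito surfaces the exception text to the caller, so the message says which
    attribute mappings to add. Other trigger sources pass through unchanged.
    """
    if event.get("triggerSource") != EXTERNAL_PROVIDER_TRIGGER:
        return event

    missing = missing_required_attributes(event)
    if missing:
        # For federated users, userName is "<ProviderName>_<provider user id>".
        provider = event.get("userName", "").split("_", 1)[0] or "unknown provider"
        raise ValueError(
            f"Federated sign-up via {provider} is missing required attributes: "
            + ", ".join(missing)
            + ". Add an attribute mapping for each one under the identity provider settings."
        )
    return event


def rejects(event: dict) -> bool:
    """True if the handler would deny this event (used for local testing)."""
    try:
        lambda_handler(event)
    except ValueError:
        return True
    return False


# Constructed sample event in the Cognito pre-sign-up trigger format. The IdP
# mapping delivered email and given_name but no family_name.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PreSignUp_ExternalProvider",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLE",          # assumed pool id
    "userName": "MyOIDC_1234567890",            # "<provider>_<sub>" form
    "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown",
                      "clientId": "example-client-id"},
    "request": {
        "userAttributes": {"email": "jane@example.com", "given_name": "Jane"},
        "validationData": {},
    },
    "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
}


def sample_event(trigger_source: str = EXTERNAL_PROVIDER_TRIGGER, **attrs) -> dict:
    """Copy of SAMPLE_EVENT with a different trigger source and/or extra attributes."""
    ev = copy.deepcopy(SAMPLE_EVENT)
    ev["triggerSource"] = trigger_source
    ev["request"]["userAttributes"].update(attrs)
    return ev


if __name__ == "__main__":
    print("missing:", missing_required_attributes(SAMPLE_EVENT))
    try:
        lambda_handler(SAMPLE_EVENT)
    except ValueError as exc:
        print("rejected:", exc)
    complete = sample_event(family_name="Doe")
    print("accepted:", lambda_handler(complete) is complete)
```

Running the module locally exercises the constructed event both ways; in the pool the same handler only ever sees the event Cognito builds from your IdP attribute mapping, so a rejection message listing `family_name` tells you precisely which mapping (option 2 in the answer) still has to be configured.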
