Best Approach to use cognito with google federated IDP


I am trying to set up Google auth with Cognito. I added a sign-up trigger to link the accounts, but the linking throws a "user already exists" error. My main goal is to be able to give users the option to log in via Google or username/email, or both. This is the approach I am using: https://bobbyhadz.com/blog/aws-cognito-link-user-accounts Some little code tweaks, but the main flows are the same. Any ideas why I get the error? If I don't get that error, I can easily use this approach. If others have used different approaches, please share your thoughts and ideas.

asked 2 years ago, 1179 views
1 Answer
Accepted Answer

Hi,

Account linking in Cognito has to be between an existing native user and a non-existent external identity. If the external identity already exists in the user pool, you have to delete that external identity first using AdminDeleteUser, then use the AdminLinkProviderForUser API to link the native user to the external identity. In all cases, you will need to return an error from the pre-signup trigger and retry the sign-in from the client side; since there is already an existing session for the user with the external provider, the retry should seamlessly allow the external user to sign in as the native user.

Please make sure you properly review your flows from a security standpoint. If you generate temporary passwords for native users, make sure you use a strong random password that can't be guessed. Ideally, in account linking scenarios you should have an account verification step before linking: for example, during pre-signup you detect that the user already has a native account, then use a custom workflow to send a linking request to the email address, and only when this link is clicked (which verifies that the owner of the email is the same person and approves linking) should you link the accounts using AdminLinkProviderForUser. Alternatively, if you receive a flag from the external provider that email_verified is true, then it could be safe to link the two identities together; don't link identities for which the email is not verified.

AWS EXPERT, answered 2 years ago
EXPERT, reviewed a year ago
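The pre-signup flow the answer describes, as an added example (it is not code from the original post, from AWS, or from the bobbyhadz article): a Lambda handler that refuses to link unless the IdP reports email_verified, deletes a stale external identity before calling AdminLinkProviderForUser, and raises so that Cognito does not create a second user and the client retries sign-in. It assumes the pool's Google provider is named "Google" and that the external username has the form "google_<sub>"; FakeCognito, sample_pool and sample_event are constructed stand-ins so the code runs offline, and in Lambda the handler falls back to boto3's real cognito-idp client.

```python
"""Pre-signup trigger that links a Google identity to an existing native user.

Added example, not the original post's code. Assumes a provider named
"Google" and external usernames of the form "google_<sub>"; FakeCognito and
the sample data are constructed for offline demonstration only.
"""
from typing import Any, Optional, Tuple


class LinkRefused(Exception):
    """Raised to make Cognito reject this sign-up; the client then retries."""


def quote_filter_value(value: str) -> str:
    """Quote a value for a ListUsers Filter so an IdP-supplied attribute
    containing quotes cannot change the filter expression."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def find_user(client: Any, pool_id: str, attr: str, value: str,
              external: bool) -> Optional[dict]:
    """First user with attr = value that is (or is not) an external identity."""
    resp = client.list_users(UserPoolId=pool_id,
                             Filter=f"{attr} = {quote_filter_value(value)}")
    for user in resp.get("Users", []):
        if (user.get("UserStatus") == "EXTERNAL_PROVIDER") == external:
            return user
    return None


def parse_external_username(username: str) -> Tuple[str, str]:
    """'google_1234' -> ('Google', '1234'); the capitalised prefix is assumed
    to be the pool's provider name (adjust if yours is named differently)."""
    prefix, _, subject = username.partition("_")
    if not prefix or not subject:
        raise ValueError(f"unexpected external username: {username!r}")
    return prefix[:1].upper() + prefix[1:], subject


def link_external_identity(client: Any, event: dict) -> str:
    """Return 'LINKED' after linking, or 'NO_NATIVE_USER' to let Cognito
    create the external user as usual."""
    pool_id = event["userPoolId"]
    attrs = event["request"]["userAttributes"]
    # Only an email the IdP itself verified is accepted as proof of ownership.
    if attrs.get("email_verified") != "true":
        raise LinkRefused("email not verified by the identity provider")
    native = find_user(client, pool_id, "email", attrs["email"], external=False)
    if native is None:
        return "NO_NATIVE_USER"
    provider, subject = parse_external_username(event["userName"])
    # A leftover external identity blocks AdminLinkProviderForUser: delete it.
    stale = find_user(client, pool_id, "username", event["userName"], external=True)
    if stale is not None:
        client.admin_delete_user(UserPoolId=pool_id, Username=stale["Username"])
    client.admin_link_provider_for_user(
        UserPoolId=pool_id,
        DestinationUser={"ProviderName": "Cognito",
                         "ProviderAttributeValue": native["Username"]},
        SourceUser={"ProviderName": provider,
                    "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject},
    )
    return "LINKED"


def handler(event: dict, context: Any = None, client: Any = None) -> dict:
    """Lambda entry point; `client` is injectable for offline tests."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("cognito-idp")
    if link_external_identity(client, event) == "LINKED":
        # Refuse the sign-up so no second user is created; on retry the
        # federated session resolves to the linked native user.
        raise LinkRefused("identity linked to existing account; retry sign-in")
    return event


class FakeCognito:
    """Constructed in-memory stand-in for the cognito-idp client; it only
    understands the three calls used above."""

    def __init__(self, users: list) -> None:
        self.users = users
        self.links: list = []

    def list_users(self, UserPoolId: str, Filter: str) -> dict:
        name, _, quoted = Filter.partition(" = ")
        value = quoted[1:-1].replace('\\"', '"').replace("\\\\", "\\")

        def matches(u: dict) -> bool:
            if name == "username":
                return u["Username"] == value
            return any(a["Name"] == name and a["Value"] == value
                       for a in u["Attributes"])
        return {"Users": [u for u in self.users if matches(u)]}

    def admin_delete_user(self, UserPoolId: str, Username: str) -> None:
        self.users = [u for u in self.users if u["Username"] != Username]

    def admin_link_provider_for_user(self, UserPoolId: str,
                                     DestinationUser: dict, SourceUser: dict) -> None:
        self.links.append((DestinationUser["ProviderAttributeValue"],
                           SourceUser["ProviderName"],
                           SourceUser["ProviderAttributeValue"]))


def sample_pool() -> FakeCognito:
    """Constructed pool: one native user plus a stale Google identity."""
    return FakeCognito([
        {"Username": "alice", "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "email", "Value": "alice@example.com"}]},
        {"Username": "google_123", "UserStatus": "EXTERNAL_PROVIDER",
         "Attributes": [{"Name": "email", "Value": "alice@example.com"}]},
    ])


def sample_event(email_verified: str = "true") -> dict:
    """Constructed PreSignUp_ExternalProvider event."""
    return {"triggerSource": "PreSignUp_ExternalProvider",
            "userPoolId": "us-east-1_EXAMPLE", "userName": "google_123",
            "request": {"userAttributes": {"email": "alice@example.com",
                                           "email_verified": email_verified}},
            "response": {}}
```

Running `handler(sample_event(), client=sample_pool())` deletes the stale google_123 identity, records the link alice <- Google/123 and then raises LinkRefused; with email_verified set to "false" it raises before touching the pool, and with no native user for that email it returns the event unchanged. The handler is only one half of the flow: the client still has to catch the rejected sign-up and start the federated sign-in again, as the answer describes.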
  • When a native user already exists and a user then registers via Google using the same email, I am linking the users in preSignup, but even in this case I get this error: #error_description=Already+found+an+entry+for+username+google_100781687722207451594+&error=invalid_request

  • Now the flow works if I throw an error after linking the accounts, but the error on the client side is always the same, whereas I want the error to be whatever I throw in preSignup. Is there any way to structure the error so that the client side can get the exact error, whatever I throw from the preSignup trigger?
