Generic "Invalid Code" or "User not found" error when implementing SSO workaround for Amazon Cognito


Due to an issue with the PreSignUp trigger and AdminLinkProviderForUser command, I am following the workaround described by an AWS support engineer in the linked re:Post forum to implement single sign-on for my application that uses Amazon Cognito.

https://repost.aws/questions/QULY1qbV21TYqrnVnNdpdpqQ/remove-external-identity-from-cognito-user

The TL;DR of the workaround above is that the AdminLinkProviderForUser command is used in the PostConfirmation trigger. However, to do this, we first have to delete the automatically created external IdP user to prevent the command from throwing an error.

Depending on which OAuth flow I choose for single sign-on, such as the authorization code or the implicit grant, I get an 'invalid code' or 'user not found' error instead of receiving the JWT tokens that I need for my application when applying this workaround. I suspect that the error is because I delete the user that the authorization token or the implicit grant is supposed to be for, but then how did the AWS support engineer successfully retrieve the JWT tokens?

Has this been an issue for anyone else? I'm fairly certain I implemented everything in the same manner (except that mine is written in JavaScript), but I simply cannot get it to work.

P.S. Any updates on fixing the SSO bug from any AWS employees? More details about this bug described here: https://repost.aws/questions/QUgWVkIodQS1W3Yj8MYjInbA/cognito-auth-flow-fails-with-already-found-an-entry-for-username-username

asked a year ago, 255 views
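For readers trying to reproduce the two steps the question describes, here is an added example in JavaScript of what such a PostConfirmation handler looks like; it is not code from the question, from the linked re:Post workaround, or from AWS. It deletes the automatically created external-IdP user and then calls AdminLinkProviderForUser against an existing native user with the same e-mail. The AWS SDK is not imported: the handler takes a `send(commandName, input)` function, so the call sequence can be exercised offline with a stub (in a real Lambda you would map each name to the matching Command class from `@aws-sdk/client-cognito-identity-provider`). The pool id, the sample event, the user names and the `email_verified` gate are assumptions or constructed data.

```javascript
// Added example, not the question's code or the linked re:Post workaround:
// a PostConfirmation Lambda that deletes the auto-created external-IdP user
// and then links that identity to an existing native Cognito user.
// The SDK is not imported: send(commandName, input) is injected so the
// sequencing runs offline. In a real Lambda, map each name to the matching
// *Command class from @aws-sdk/client-cognito-identity-provider.

const USER_POOL_ID = 'us-east-1_EXAMPLE'; // placeholder pool id (assumption)

// Cognito records a federated user's provider and subject in the `identities`
// attribute (a JSON array). Fall back to the "<Provider>_<subject>" username.
function externalIdentity(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  if (attrs.identities) {
    const [id] = JSON.parse(attrs.identities);
    if (id && id.providerName && id.userId) {
      return { providerName: id.providerName, subject: id.userId };
    }
  }
  const name = event.userName || '';
  const idx = name.indexOf('_');
  if (idx <= 0) return null; // native user: nothing to link
  return { providerName: name.slice(0, idx), subject: name.slice(idx + 1) };
}

// A ListUsers entry is native when it carries no `identities` attribute.
function isNativeUser(user) {
  return !(user.Attributes || []).some((a) => a.Name === 'identities');
}

// Build the ordered admin calls without doing any I/O: the federated user is
// deleted first, then the provider identity is linked to the native user.
function planLink(event, listedUsers, userPoolId = USER_POOL_ID) {
  const ext = externalIdentity(event);
  if (!ext) return [];
  // Only trust an e-mail match when the IdP asserted the address as verified;
  // otherwise anyone who registers that e-mail at the IdP could be linked to
  // the native account (assumes the attribute mapping passes email_verified).
  if (event.request.userAttributes.email_verified !== 'true') return [];
  const target = listedUsers.find((u) => u.Username !== event.userName && isNativeUser(u));
  if (!target) return [];
  return [
    ['AdminDeleteUser', { UserPoolId: userPoolId, Username: event.userName }],
    ['AdminLinkProviderForUser', {
      UserPoolId: userPoolId,
      DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: target.Username },
      SourceUser: {
        ProviderName: ext.providerName,
        ProviderAttributeName: 'Cognito_Subject',
        ProviderAttributeValue: ext.subject,
      },
    }],
  ];
}

function createHandler(send, userPoolId = USER_POOL_ID) {
  return async function handler(event) {
    if (event.triggerSource !== 'PostConfirmation_ConfirmSignUp') return event;
    const email = event.request.userAttributes.email;
    if (!email) return event;
    const listed = await send('ListUsers', {
      UserPoolId: userPoolId,
      Filter: `email = "${email.replace(/"/g, '\\"')}"`,
    });
    for (const [name, input] of planLink(event, listed.Users || [], userPoolId)) {
      await send(name, input);
    }
    return event; // Cognito requires the trigger to return the event
  };
}

// Constructed sample: a PostConfirmation event for a Google-federated sign-up
// and a ListUsers result containing that user plus a native user "alice".
const SAMPLE_IDENTITIES = JSON.stringify([
  { userId: '109876543210', providerName: 'Google', providerType: 'Google', issuer: null, primary: true },
]);
const SAMPLE_EVENT = {
  triggerSource: 'PostConfirmation_ConfirmSignUp',
  userPoolId: USER_POOL_ID,
  userName: 'Google_109876543210',
  request: {
    userAttributes: { email: 'alice@example.com', email_verified: 'true', identities: SAMPLE_IDENTITIES },
  },
  response: {},
};
const SAMPLE_LISTED_USERS = [
  { Username: 'Google_109876543210', Attributes: [{ Name: 'identities', Value: SAMPLE_IDENTITIES }] },
  { Username: 'alice', Attributes: [{ Name: 'email', Value: 'alice@example.com' }] },
];

// Dry run with a recording stub in place of the SDK; returns the calls in order.
async function dryRun(event = SAMPLE_EVENT, listedUsers = SAMPLE_LISTED_USERS) {
  const calls = [];
  const send = async (name, input) => {
    calls.push([name, input]);
    return name === 'ListUsers' ? { Users: listedUsers } : {};
  };
  await createHandler(send)(event);
  return calls;
}

if (typeof module !== 'undefined') {
  module.exports = { externalIdentity, planLink, createHandler, dryRun, SAMPLE_EVENT, SAMPLE_LISTED_USERS };
}
```

`planLink` is kept free of I/O so the delete-then-link order can be checked without a user pool; `dryRun` shows the full call sequence the stub sees (ListUsers, AdminDeleteUser, AdminLinkProviderForUser). In Lambda you would export `createHandler(realSend)` as the handler. Note that this reproduces only the sequencing from the question; it does not claim to resolve the 'invalid code' / 'user not found' behaviour the question reports after the deletion.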
1 Answer

Hi!! Did you find a workaround for this issue? I'm having the same issue trying to change the code using the oauth2/token endpoint.

smunoz
answered 8 months ago
