By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cognito `postAuthentication` lambda never gets triggered after AdminLinkProviderForUser

1

Hello,

We believe we have noticed a regression in a Cognito flow. If we create a user w/ AdminCreateUser, and then that user uses Google to sign in, we call AdminLinkProviderForUser inside of in the preSignUp lambda. When this flow happens, the postAuthentication lambda never gets triggered. This used to work but now doesn't.

  • Matt
    6 months ago

    Did you ever find a solution to this? We have encountered the same issue and the only comment here did not help address the core issue of the postAuthentication lambda never getting triggered..

  • dobrynin
    6 months ago

    Matt, I don't remember well at this point, but this issue went away for us a while ago. At the time we believed that AWS had fixed the regression on their end. Our current solution has a shared handler for both postConfirmation and postAuthentication hooks, so it's possible that between both of those flows we covered all of our needs

Topics
ServerlessComputeSecurity, Identity, & ComplianceAWS Well-Architected Framework
Tags
ServerlessAWS LambdaAmazon CognitoSecurity
Language
English
dobrynin
asked a year ago585 views
1 Answer
0

I discovered some relevant information on Stack Overflow that may explain why the Cognito postAuthentication Lambda trigger is not being invoked after calling AdminLinkProviderForUser.

https://stackoverflow.com/questions/68859052/aws-cognito-email-unverified-on-main-account-after-adminlinkproviderforuser

If the user logs in with a connected provider account, it appears that the Lambda triggers for pre/post-authentication and post-confirmation do not fire. Furthermore, if you try to manually change the provider's user inside Cognito, you may still run into problems, such as the email verified attribute being set to false.

Some alternative solutions are:

Some providers supported by Cognito, such as Google, have an 'email verified' attribute that you can directly map in the Attribute Mapping section. By doing this, you can solve the issue for those specific providers.

For providers that don't natively have the 'email verified' attribute, such as Facebook, you can enforce its verification through the pre-token trigger. In the Lambda function invoked by this trigger, you can check if the user getting authenticated has a provider linked to it and, at the same time, has its email_verified attribute set to false. If these conditions are met, you can update the user using the adminUpdateUserAttributes method before returning to Cognito. This ensures that the email_verified attribute is always set to true, regardless of any subsequent provider login that might flip the attribute back to false​.

profile picture
EXPERT
Sedat Salman
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content