I discovered some relevant information on Stack Overflow that may explain why the Cognito postAuthentication Lambda trigger is not being invoked after calling AdminLinkProviderForUser.
If the user logs in with a connected provider account, it appears that the Lambda triggers for pre/post-authentication and post-confirmation do not fire. Furthermore, if you try to manually change the provider's user inside Cognito, you may still run into problems, such as the email verified attribute being set to false.
Some alternative solutions are:
- Some providers supported by Cognito, such as Google, have an 'email verified' attribute that you can directly map in the Attribute Mapping section. By doing this, you can solve the issue for those specific providers.
- For providers that don't natively have the 'email verified' attribute, such as Facebook, you can enforce its verification through the pre-token trigger. In the Lambda function invoked by this trigger, you can check if the user getting authenticated has a provider linked to it and, at the same time, has its email_verified attribute set to false. If these conditions are met, you can update the user using the adminUpdateUserAttributes method before returning to Cognito. This ensures that the email_verified attribute is always set to true, regardless of any subsequent provider login that might flip the attribute back to false.
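A sketch of the pre token generation handler described in the answer above, added here as an example and not part of the original answer. The `TRUSTED_PROVIDERS` allowlist, the helper names and the sample event are assumptions; the client passed to `makeHandler` is assumed to expose `adminUpdateUserAttributes(params)` returning a promise, as the AWS SDK for JavaScript v3 `CognitoIdentityProvider` client does.

```javascript
// Assumption: only providers listed here are accepted as having verified the email.
const TRUSTED_PROVIDERS = new Set(["Facebook"]);

// Linked federated identities arrive as a JSON string in the "identities" attribute.
function linkedProviders(userAttributes) {
  try {
    const ids = JSON.parse(userAttributes.identities || "[]");
    return Array.isArray(ids) ? ids.map((i) => i.providerName).filter(Boolean) : [];
  } catch {
    return []; // malformed attribute: treat the user as having no linked provider
  }
}

// True only when a trusted provider is linked, an email is present,
// and email_verified has been set to "false" (attribute values are strings).
function needsEmailVerifiedFix(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!attrs.email || attrs.email_verified !== "false") return false;
  return linkedProviders(attrs).some((p) => TRUSTED_PROVIDERS.has(p));
}

function buildUpdateParams(event) {
  return {
    UserPoolId: event.userPoolId,
    Username: event.userName,
    UserAttributes: [{ Name: "email_verified", Value: "true" }],
  };
}

// The client is injected so the decision logic can be exercised without AWS access.
function makeHandler(client) {
  return async (event) => {
    if (needsEmailVerifiedFix(event)) {
      await client.adminUpdateUserAttributes(buildUpdateParams(event));
    }
    return event; // the trigger must hand the event back to Cognito
  };
}

// Constructed sample event (pool id and user name are placeholders).
const SAMPLE_EVENT = {
  userPoolId: "us-east-1_EXAMPLE",
  userName: "example-user",
  request: { userAttributes: { email: "user@example.com", email_verified: "false",
    identities: JSON.stringify([{ providerName: "Facebook", userId: "1234" }]) } },
};

// In the Lambda: exports.handler = makeHandler(new CognitoIdentityProvider({}));
```

The function's execution role needs `cognito-idp:AdminUpdateUserAttributes` on the user pool, and the allowlist should contain only identity providers whose email addresses you are willing to treat as verified.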
Did you ever find a solution to this? We have encountered the same issue and the only comment here did not help address the core issue of the postAuthentication lambda never getting triggered.
Matt, I don't remember well at this point, but this issue went away for us a while ago. At the time we believed that AWS had fixed the regression on their end. Our current solution has a shared handler for both postConfirmation and postAuthentication hooks, so it's possible that between both of those flows we covered all of our needs.