Error Invalid ProviderName/Username combination after AdminLinkProviderForUser using Azure OIDC


I have federated (OIDC) access enabled on my user pool; the provider is Azure AD OIDC. My app requires users first to sign up using an email and password. Then, after their first login, I give them the option to enable "Sign In with Microsoft." I created an IdP called "microsoft". When the user clicks "Sign In with Microsoft" (after initial login with email/password), I noticed Cognito tries to create a new Cognito user account with the same email, and to prevent the new account creation, my pre-sign-up Lambda trigger uses AdminLinkProviderForUserCommand to link the provider to the existing user, using the following params:

const params = {
  UserPoolId: event.userPoolId, // required by AdminLinkProviderForUser; taken from the trigger event
  DestinationUser: {
    ProviderAttributeValue: '939c5abf-b932-4357-830f-4cb738a6a6e5', // existing Cognito username
    ProviderName: 'Cognito'
  },
  SourceUser: {
    ProviderAttributeName: 'Cognito_Subject',
    ProviderAttributeValue: '8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli', // cleaned up event.userName (original event.userName: microsoft_8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli)
    ProviderName: 'microsoft' // my IdP provider name
  }
};
await client.send(new AdminLinkProviderForUserCommand(params));

The new identity gets added successfully without any error to the existing Cognito user.

[{"userId":"8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli","providerName":"microsoft","providerType":"OIDC","issuer":null,"primary":false,"dateCreated":1709864300329}] 

After linking the provider successfully, I get the error: Error Invalid ProviderName/Username combination. I don't understand why. Help, please.

David
asked 2 months ago, 197 views
1 Answer
Accepted Answer

I found the problem. After looking closely at the username (aka IdP sub) attribute, I noticed they were all lowercase letters. For some reason, Cognito is changing the sub sent by the IdP.

  • The sub returned by Cognito mapped to username: microsoft_ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
  • After cleaning up, I was setting my SourceUser.ProviderAttributeValue to: ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
  • But the real 'sub' sent by the IdP is: GGp_c-Q7nrOdmtFt5R0gt79OfFfXWcjaZBj37NcZ0qA (Notice the actual sub has uppercase and lowercase letters.) This results in the error: Error Invalid ProviderName/Username

The fix is you have to set your SourceUser.ProviderAttributeValue to the original IdP sub.

  1. Go to Sign-up Experience
  2. Create a new custom attribute: 'custom:sub'
  3. Go to Sign-In Experience and click on your IdP provider, in my case I named it "Microsoft"
  4. Scroll down to the mapping section, and map 'custom:sub' to OIDC attribute sub
  5. Go to App Integration and click on your client app
  6. Scroll to Attribute read and write permissions, and make sure 'custom:sub' has read/write permissions (otherwise Cognito won't return it)

Now update your AdminLinkProviderForUser function and set: SourceUser.ProviderAttributeValue to event.request.userAttributes['custom:sub']

I did an if statement because this is only needed for Azure AD OIDC; this code is not needed if you are using Azure SAML or other social providers.

// event.userName looks like "<providerName>_<sub>"; the sub itself may contain "_",
// so split on the first underscore only
let SourceProviderUsername = event.userName.substring(event.userName.indexOf('_') + 1);
const SourceProviderName = event.userName.substring(0, event.userName.indexOf('_'));
// if the IdP provider is "microsoft" I need to set the SourceProviderUsername to the real sub
if (SourceProviderName === 'microsoft') {
  SourceProviderUsername = event.request.userAttributes['custom:sub'];
}
// set the rest of the fields required to call AdminLinkProviderForUser

That was 3 days of battling this issue, I hope I can save you some time.

David
answered 2 months ago
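The whole flow from the accepted answer, as an added example that is not the poster's code: a pre sign-up Lambda handler that only acts on the PreSignUp_ExternalProvider trigger, splits event.userName on the first underscore, substitutes the case-preserved 'custom:sub' for the Azure AD OIDC provider named "microsoft", and builds the AdminLinkProviderForUser parameters. The two Cognito calls (look up the existing user by email, send the link command) are injected through a `deps` object so the logic runs offline here; in a deployment they would wrap ListUsersCommand and AdminLinkProviderForUserCommand from @aws-sdk/client-cognito-identity-provider. The user pool id, email and the fake `deps` are constructed; the sub values are the ones quoted in the thread. The check that the lowercased 'custom:sub' equals the username suffix is based on the thread's observation that Cognito lowercases the sub, and it stops a mis-mapped attribute from linking the wrong identity.

```javascript
// Added example, not the original poster's code.

// IdP names whose OIDC 'sub' is case-sensitive and must be taken from the
// mapped 'custom:sub' attribute instead of the lower-cased username suffix.
const CASED_SUB_PROVIDERS = new Set(['microsoft']); // name taken from the thread

// "microsoft_GGp_c-..." -> provider name and the username suffix Cognito derived.
// The sub may itself contain "_", so split on the first underscore only.
function splitFederatedUserName(userName) {
  const idx = userName.indexOf('_');
  if (idx <= 0) {
    throw new Error(`not a federated username: ${userName}`);
  }
  return { providerName: userName.substring(0, idx), derivedSub: userName.substring(idx + 1) };
}

// Pick the value for SourceUser.ProviderAttributeValue.
function resolveProviderSub(event) {
  const { providerName, derivedSub } = splitFederatedUserName(event.userName);
  if (!CASED_SUB_PROVIDERS.has(providerName)) {
    return { providerName, providerSub: derivedSub }; // SAML / social providers: suffix is fine
  }
  const originalSub = event.request.userAttributes['custom:sub'];
  if (!originalSub) {
    throw new Error("custom:sub missing: check the IdP attribute mapping and the app client's read permission");
  }
  // Sanity check (assumption from the thread: Cognito lower-cases the sub when it
  // builds the username). A mismatch means the mapped attribute is not this identity.
  if (originalSub.toLowerCase() !== derivedSub) {
    throw new Error('custom:sub does not match the federated username');
  }
  return { providerName, providerSub: originalSub };
}

// Parameters for AdminLinkProviderForUserCommand.
function buildLinkParams(userPoolId, existingUsername, providerName, providerSub) {
  return {
    UserPoolId: userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: existingUsername },
    SourceUser: {
      ProviderName: providerName,
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerSub,
    },
  };
}

// Pre sign-up trigger. deps.findUserByEmail(userPoolId, email) -> {Username} | null,
// deps.linkProvider(params) -> Promise; both are assumed wrappers around the SDK.
async function handler(event, deps) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') {
    return event; // native email/password sign-ups are left alone
  }
  const existing = await deps.findUserByEmail(event.userPoolId, event.request.userAttributes.email);
  if (!existing) {
    // Throwing from a pre sign-up trigger rejects the sign-up, which matches the
    // app's rule that email/password sign-up happens first.
    throw new Error('sign up with email and password before enabling Microsoft sign-in');
  }
  const { providerName, providerSub } = resolveProviderSub(event);
  await deps.linkProvider(buildLinkParams(event.userPoolId, existing.Username, providerName, providerSub));
  return event; // no attributes changed; Cognito proceeds with the linked identity
}

// Constructed sample event in the shape of the PreSignUp_ExternalProvider trigger.
const sampleEvent = {
  triggerSource: 'PreSignUp_ExternalProvider',
  userPoolId: 'us-east-1_EXAMPLE', // placeholder pool id
  userName: 'microsoft_ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa',
  request: {
    userAttributes: {
      email: 'user@example.com', // constructed
      'custom:sub': 'GGp_c-Q7nrOdmtFt5R0gt79OfFfXWcjaZBj37NcZ0qA',
    },
  },
};

// Fake dependencies that record the link request instead of calling AWS.
function fakeDeps(existingUsername) {
  const calls = [];
  return {
    calls,
    findUserByEmail: async () => (existingUsername ? { Username: existingUsername } : null),
    linkProvider: async (params) => { calls.push(params); return {}; },
  };
}

if (typeof module !== 'undefined') {
  module.exports = { splitFederatedUserName, resolveProviderSub, buildLinkParams, handler, sampleEvent, fakeDeps };
}
```

In a deployment, `handler` is the Lambda entry point and `deps` is built once outside it from a CognitoIdentityProviderClient; keeping the SDK behind `deps` is what makes the linking rule unit-testable without a pool.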
