Best Approach to use cognito with google federated IDP

0

I am trying to set up Google auth with Cognito. I added a sign-up trigger to link the accounts, but the linking throws a "user already exists" error. My main goal is to be able to give users the option to log in via Google or username/email, or both. This is the approach I am using: https://bobbyhadz.com/blog/aws-cognito-link-user-accounts (some small code tweaks, but the main flows are the same). Any ideas why I get the error? If I don't get that error, I can easily use this approach. If others have used different approaches, please share your thoughts and ideas.

Asked 2 years ago · 1199 views
1 answer
2
Accepted answer

Hi,

Account linking in Cognito has to be between an existing native user and a non-existent external identity. If the external identity already exists in the user pool, you have to delete that external identity first using AdminDeleteUser, then use the AdminLinkProviderForUser API to link the native user to the external identity. In all cases, you will need to return an error from the pre-signup trigger and retry the sign-in from the client side; since there is already an existing session for the user with the external provider, the retry should seamlessly allow the external user to sign in as the native user.

Please make sure you properly review your flows from a security standpoint. If you generate temporary passwords for native users, make sure you use a strong random password that can't be guessed. Ideally, in account-linking scenarios you should have an account verification step before linking: for example, during pre-signup you detect that the user already has a native account, then use a custom workflow to send a linking request to the email address, and only when this link is clicked (which verifies that the owner of the email is the same person and approves the linking) should you link the accounts using AdminLinkProviderForUser. Alternatively, if you receive a flag from the external provider that email_verified is true, then it could be safe to link the two identities together; don't link identities for which the email is not verified.

AWS
Expert
Answered 2 years ago
Expert
Reviewed 1 year ago
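A pre-signup Lambda that follows the accepted answer's flow, as an added example that is not code from the question, the answer or the linked post: it links only when the provider reports email_verified, removes an already-existing federated user (the "Already found an entry for username google_..." case) before calling AdminLinkProviderForUser, and then raises so the client retries the sign-in. It assumes the identity provider is configured under the name "Google", that federated usernames have the form "google_<sub>", and the optional `client` parameter exists only so the handler can be exercised with a stand-in client.

```python
# Added example, not code from the question or the linked post. Assumes the IdP is
# named "Google" in the pool and federated usernames look like "google_<sub>".
from typing import List, Optional, Tuple

class LinkRequested(Exception):
    """Raised on purpose after linking so the first federated sign-in fails and the client retries."""

def parse_external_username(user_name: str) -> Tuple[str, str]:
    """'google_1007...' -> ('Google', '1007...'); the capitalised IdP name is an assumption."""
    provider, _, subject = user_name.partition("_")
    if not provider or not subject:
        raise ValueError(f"unexpected federated username: {user_name!r}")
    return provider.capitalize(), subject

def users_by_email(client, pool_id: str, email: str) -> Tuple[Optional[str], List[str]]:
    """Return (native username or None, federated usernames) that share this email."""
    if '"' in email:                       # keep quotes out of the ListUsers filter string
        raise ValueError("invalid email")
    resp = client.list_users(UserPoolId=pool_id, Filter=f'email = "{email}"')
    native, external = None, []
    for u in resp.get("Users", []):
        if u.get("UserStatus") == "EXTERNAL_PROVIDER":
            external.append(u["Username"])
        elif native is None:
            native = u["Username"]
    return native, external

def handler(event: dict, context=None, client=None) -> dict:
    """PreSignUp trigger: link a verified Google identity to an existing native user."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event                       # native sign-ups pass through untouched
    attrs = event["request"]["userAttributes"]
    email = attrs.get("email")
    if not email or str(attrs.get("email_verified", "")).lower() != "true":
        return event                       # unverified email: never link (answer's rule)
    if client is None:
        import boto3                       # lazy import so the module loads without boto3
        client = boto3.client("cognito-idp")
    pool_id, user_name = event["userPoolId"], event["userName"]
    native, external = users_by_email(client, pool_id, email)
    if native is None:
        return event                       # nothing to link to; ordinary federated sign-up
    provider, subject = parse_external_username(user_name)
    if user_name in external:              # the "Already found an entry for username" case
        client.admin_delete_user(UserPoolId=pool_id, Username=user_name)
    client.admin_link_provider_for_user(
        UserPoolId=pool_id,
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": native},
        SourceUser={"ProviderName": provider, "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject})
    raise LinkRequested(f"Linked {provider} identity to {native}; sign in again")
```

The raised exception is what the client sees on the first attempt; a second hosted-UI sign-in then lands on the native account because the session with Google already exists.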
  • When a native user already exists and a user then registers via Google using the same email, I am linking the users in preSignup, but even in this case I get this error: #error_description=Already+found+an+entry+for+username+google_100781687722207451594+&error=invalid_request

  • Now the flow works if I throw an error after linking the accounts, but the error at the client side is always the same, and I want the error to be whatever I throw in preSignup. Is there any way to structure the error so that the client side can get the exact error I throw from the pre-signup trigger?
