Migrating social accounts (Google, Facebook) using AWS Cognito Migration Triggers - amazon-web-services

We have a Cognito user pool that we'd like to migrate to a new User Pool to take advantage of some different configuration. However, our pool contains users signed up with email, Google, and Facebook.
I understand how to migrate email/password accounts, but I do not understand how social accounts should be migrated.
From this issue, I can see that there's no way to use a different auth flow, so I'm guessing there's also some limitation surrounding social accounts as well?
One method that we had thought of would be to actually manually import the social accounts. Is this the correct way to handle migrating social accounts to a new pool? Is there a different "AWS Sponsored" method? Any help would be appreciated!
Thanks!

Commenting back with a solution that ultimately would have worked, but we are now starting to pick up a different auth provider instead, so we opted not to do this.
The method that we would have used is to create the user in the new Cognito pool as a Cognito native user. Then, during social sign-in, you simply need to link the social account to the Cognito native user.
For anyone just starting out with Cognito, I would highly recommend that you set up your PreSignUp trigger to always create a Cognito native user for each social sign-in and link the accounts together right away. This will save you an enormous headache later on when you have duplicate accounts or need to migrate.
For reference, this answer describes how to set up the PreSignUp trigger to handle the linking.
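The linking the answer above describes, written out as a PreSignUp Lambda. This is an added example, not code from the answer or from AWS: it assumes the pool ID arrives in a USER_POOL_ID environment variable (the default value is hypothetical), that the pool signs native users in by email, and that the identity provider's attribute mapping fills in email and email_verified. The FakeCognito class and the google_event helper are constructed stand-ins so the logic can be exercised offline; in Lambda the real boto3 client is used.

```python
"""PreSignUp trigger that folds a Google/Facebook sign-in into a native user.

Added example, not the original answer's code. Assumes USER_POOL_ID is set,
that native users sign in by email, and that the IdP mapping populates
'email' and 'email_verified'.
"""
import os
import secrets

POOL_ID = os.environ.get("USER_POOL_ID", "us-east-1_EXAMPLE")  # hypothetical pool ID


def split_external_username(username):
    """Federated users are named '<ProviderName>_<subject at the IdP>'.

    Google and Facebook provider names contain no underscore, so the first
    underscore separates provider from subject.
    """
    provider, sep, subject = username.partition("_")
    if not sep or not provider or not subject:
        raise ValueError(f"not a federated username: {username!r}")
    return provider, subject


def find_native_user(cognito, email):
    """Return the username of the native user holding this email, or None.

    Unlinked federated users also carry an email but have an 'identities'
    attribute; skip them so we never link one IdP user to another.
    """
    if '"' in email or "\\" in email:
        raise ValueError("email contains characters that would break the filter")
    resp = cognito.list_users(UserPoolId=POOL_ID, Filter=f'email = "{email}"', Limit=10)
    for user in resp.get("Users", []):
        names = {a["Name"] for a in user.get("Attributes", [])}
        if "identities" not in names:
            return user["Username"]
    return None


def link_external_user(cognito, event):
    """Create the native user if needed, then link the IdP identity to it."""
    provider, subject = split_external_username(event["userName"])
    attrs = event["request"]["userAttributes"]
    email = attrs.get("email", "")
    # Only trust the email if the IdP vouched for it; otherwise anyone able to
    # register an unverified address at the IdP could take over the native
    # account that already owns that email.
    if not email or attrs.get("email_verified", "false").lower() != "true":
        raise ValueError("refusing to link: IdP did not present a verified email")
    native = find_native_user(cognito, email)
    if native is None:
        native = email
        cognito.admin_create_user(
            UserPoolId=POOL_ID, Username=native, MessageAction="SUPPRESS",
            UserAttributes=[{"Name": "email", "Value": email},
                            {"Name": "email_verified", "Value": "true"}])
        # Confirm the account with a random permanent password instead of
        # mailing a temporary one; the social login is its only credential.
        cognito.admin_set_user_password(
            UserPoolId=POOL_ID, Username=native,
            Password=secrets.token_urlsafe(32), Permanent=True)
    cognito.admin_link_provider_for_user(
        UserPoolId=POOL_ID,
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": native},
        SourceUser={"ProviderName": provider,
                    "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject})
    return native


def handler(event, context=None, cognito=None):
    """Lambda entry point; native sign-ups pass through untouched."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event
    if cognito is None:
        import boto3  # imported lazily so the module also loads without boto3
        cognito = boto3.client("cognito-idp")
    link_external_user(cognito, event)
    return event


class FakeCognito:
    """Constructed offline stand-in that records the API calls it receives."""

    def __init__(self, users):
        self.users, self.calls = users, []

    def list_users(self, **kw):
        self.calls.append(("list_users", kw))
        return {"Users": self.users}

    def admin_create_user(self, **kw):
        self.calls.append(("admin_create_user", kw))
        return {}

    def admin_set_user_password(self, **kw):
        self.calls.append(("admin_set_user_password", kw))
        return {}

    def admin_link_provider_for_user(self, **kw):
        self.calls.append(("admin_link_provider_for_user", kw))
        return {}


def google_event(email, verified="true"):
    """Constructed sample PreSignUp event for a first Google sign-in."""
    return {"triggerSource": "PreSignUp_ExternalProvider",
            "userName": "Google_108273645718263",
            "request": {"userAttributes": {"email": email, "email_verified": verified}},
            "response": {}}


if __name__ == "__main__":
    fake = FakeCognito([{"Username": "alice",
                         "Attributes": [{"Name": "email", "Value": "alice@example.com"}]}])
    handler(google_event("alice@example.com"), cognito=fake)
    print([name for name, _ in fake.calls])
```

One known wrinkle: when the link is made inside PreSignUp, that first federated sign-in still ends in an error from Cognito, and the client has to send the user through the hosted UI a second time; from then on the Google identity resolves to the native user.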

Related

How to add 2 Cognito Pools in AWS Amplify

I am creating an app using Vue 3 and Amplify. My app needs to have 2 different user types. I am able to add 1 user type using the Amplify auth API and that user type is able to register and log in. However, when I run amplify add auth to add a second Cognito pool, I get the result: "Auth has already been added to this project. To update run amplify update auth."
Is there a way to support this either through Amplify Studio or the Amplify CLI?
No, it is not possible to add two user pools. Instead, you can use a single user pool and create different groups for the different user types inside that user pool.
Could you elaborate more on your use case? If you really need two user pools, there might also be more advanced ways to solve your case. For example, using Cognito Federated Identities (identity pools) and adding two user pools as authentication providers.

Can we have Multiple Roles in Single UserPool in AWS Cognito?

I am working on a project in which I have used AWS Cognito for basic authentication for my web application. In this web application I am providing multiple role-based authentication (like Super User, User, Admin, Super Admin), and for that right now I have created a different user pool for each. Is there another way to achieve the same functionality, i.e. can I use a single user pool and still achieve role-based authentication? Also, which one is the appropriate choice?
You can set up different groups in the same Cognito user pool.
In your case Super User, Admin and Super Admin. Then assign your users to the group that they belong to. In your backend code you will then need to check what group the user is in by looking up the group that the user belongs to.
See this link for more details: cognito-user-pools-user-groups

Sign-in page for AWS federated login

I volunteer at a small local school that teaches data science and I'm trying to understand the procedure behind federated logins, but the Amazon documentation isn't helping and their forums don't seem interested.
We'd like for the students to be able to sign in to our AWS environment using either Facebook, Google, or Amazon.com, instead of manually trying to create a user for everyone who signs up.
The main thing that's unclear is how the students should sign in. Do we need to create a custom web page using the provided JavaScript or .NET code? We would have to contact our web developer if so. Or do we use the provided domain name? (In this case, https://weclouddata.auth.us-east-1.amazoncognito.com.) This comes from the Cognito user pools though, and doesn't seem like it would apply. Besides, when I use it in conjunction with the Google client ID, I get an "invalid request" error.
You can create a custom "identity broker" app that creates a URL which lets users sign in with Facebook/Google credentials and securely access the AWS Management Console. The broker would perform the following steps:
Verify that the user is authenticated by the identity system (Facebook or Google), or use AWS Cognito.
Call the AWS Security Token Service (AWS STS) API operations to obtain temporary security credentials for the user.
Construct a URL for the console that includes the token and redirect the user to the URL on the user's behalf.
Amazon Cognito lets you easily create a customizable UI to sign in users and provides built-in federation with Facebook, Google and Login with Amazon. So you don't have to worry about authentication and can concentrate on building your actual logic (the steps above).
Here is a sample app from AWS that shows how to implement a single sign-on solution with C# and Windows AD.
Python code:
Here is the Python code for constructing the console login URL. I have used the sample Python code from AWS and a 'Hello world' Flask app. When you hit the URL it should redirect to the console login; you can set permissions using an IAM role.
You can provide any login mechanism (Facebook, Google, Amazon etc.) to create the student's account the first time.
Ask the user to create an account using any app login (Facebook, Google, Amazon etc.).
On successful login, create the user in AWS using the https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html API.
Add the newly created user to the group: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html
You can create the user group with some specified roles and give permissions (launch EC2 instances, access to DynamoDB etc.) accordingly.
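Steps 2 and 3 of the broker described above (temporary credentials from STS, then a console sign-in URL), as an added example; it is not the answer's own Flask code. It assumes a hypothetical IAM role the broker is allowed to assume and uses the AWS federation endpoint (Action=getSigninToken followed by Action=login). The credentials in the example run are constructed so the URL builders can be checked offline; only console_url_for and assume_student_role talk to AWS.

```python
"""Identity-broker steps 2 and 3: STS credentials to a console sign-in URL.

Added example, not from the original answer. Assumes a hypothetical role
arn:aws:iam::123456789012:role/StudentConsole that trusts the broker.
"""
import json
import re
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
STUDENT_ROLE_ARN = "arn:aws:iam::123456789012:role/StudentConsole"  # hypothetical

# RoleSessionName is limited to these characters and 2..64 length; it also
# shows up in CloudTrail, so derive it from a validated student id, never
# from a free-form display name the IdP returned.
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}")


def session_name_for(student_id):
    name = f"student-{student_id}"
    if not SESSION_NAME_RE.fullmatch(name):
        raise ValueError("student id is not safe for RoleSessionName")
    return name


def assume_student_role(student_id, role_arn=STUDENT_ROLE_ARN, duration=3600):
    """Step 2: exchange the broker's identity for scoped temporary credentials."""
    import boto3  # lazy import: only this function needs AWS access
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn,
                           RoleSessionName=session_name_for(student_id),
                           DurationSeconds=duration)
    return resp["Credentials"]


def build_signin_token_request(credentials, session_duration=3600):
    """Step 3a: URL for Action=getSigninToken built from the STS credentials."""
    if not 900 <= session_duration <= 43200:
        raise ValueError("SessionDuration must be between 900 and 43200 seconds")
    session = json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    })
    query = urllib.parse.urlencode({
        "Action": "getSigninToken",
        "SessionDuration": str(session_duration),
        "Session": session,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def parse_signin_token(body):
    """The endpoint answers with a JSON object holding SigninToken."""
    return json.loads(body)["SigninToken"]


def build_console_url(signin_token, issuer,
                      destination="https://console.aws.amazon.com/"):
    """Step 3b: the Action=login URL the student's browser is redirected to."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_url_for(credentials, issuer):
    """Full step 3: fetch a sign-in token, then build the redirect URL."""
    with urllib.request.urlopen(build_signin_token_request(credentials)) as resp:
        token = parse_signin_token(resp.read().decode())
    return build_console_url(token, issuer)


if __name__ == "__main__":
    # Constructed credentials; a real run would use assume_student_role().
    sample = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
              "SessionToken": "token"}
    print(build_signin_token_request(sample))
    print(build_console_url("<signin-token>", "https://school.example/login"))
```

The credentials never reach the browser: the broker posts them to the federation endpoint server-side, and only the short-lived SigninToken is placed in the redirect. Scope the role's permissions to what a student needs, since everyone who can reach the broker ends up in that role.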

User preferences with microservice architecture

My team and I are implementing a product based on a microservices architecture (every microservice has its own data storage). We already have a couple of services deployed on AWS and we need to add the ability to save user preferences like:
Saved filters to query data
UI widget settings
Column order
etc.
I think that we have the following options to implement saving user preferences in my case:
Extend the user-profile service (it is used to store companies, users and roles) and add new items there
Create a new microservice for keeping only user preferences
Use one of the AWS services for that (I am still checking which is the best)
What we use for security:
AWS Cognito
SAML IDP
JWT tokens
We also have the user-profile microservice (I mentioned it earlier). It contains data received from other products like the admin service.
What do you think? What is the best option for my case?
You can use custom attributes (as suggested by @jarmod) if you only use Cognito user pools. But if you use other providers like Microsoft ADFS, Google, Facebook etc., you could look into Cognito Sync. Although Cognito user pools now support some external providers, they may not be suited for your use case. So, you could integrate various auth providers (including user pools) in an identity pool and use Cognito Sync datasets to store preferences. In fact, that is the whole point of Sync: to provide cross-device access to small datasets like user preferences. This way, if a user logs in with a user pool and later with Facebook, you could give an option to link both accounts in your application and merge the user preferences. It all depends on your use case.

Can you migrate AWS Cognito users between user pools?

I am using AWS Cognito. I have a pretty common scenario: users can register in different roles. Depending on the role different user attributes are required, so I need to use different user pools.
Now a user wants to upgrade from role A to role B - thus I would have to move his account from one pool to another. Is this possible with AWS? The response in Can you export/migrate users out of AWS cognito, does it cause vendor lock-in? seems to indicate the opposite.
If not possible this way, what would be a viable solution to achieve requiring different user attributes depending on different user roles with AWS Cognito. (NOTE: requiring / verifying them only on the front end is not a viable solution)
I know this question is a bit dated, but it is possible that this scenario is best solved by using groups instead of a separate user pool for each role. See here
If you reached this link to find out how to transfer users to a new pool (for instance, you needed to create a new user pool in order to change how your users log in), then there isn't a built-in way to do this. However, there are solutions that you could build in order to migrate users, which is referenced here:
Create your new user pool.
Modify your client to do the following:
On failed sign in with new user pool, attempt sign in with old user pool.
If existing user pool sign in is successful, use the username and password that was submitted to the existing sign in to create a user on the new user pool.
Possibly do something to remove the user from the old user pool or mark as migrated.
You can export users and import them to a new user pool with a CSV file, but your users will have to change their password.
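The same just-in-time migration the steps above put in the client can instead live in a UserMigration Lambda on the new pool, which is the mechanism the page title refers to. The example below is added here and is not the answer's code or an AWS sample: it assumes the old pool's ID and app client ID in OLD_POOL_ID / OLD_CLIENT_ID (defaults hypothetical), that the old app client permits ADMIN_USER_PASSWORD_AUTH, and that only the listed attributes exist in the new pool's schema. FakeOldPool is a constructed stand-in for the old pool so the trigger can be run offline.

```python
"""UserMigration trigger: authenticate against the old pool on first sign-in
and copy the account into the new pool.

Added example, not the answer's code. Assumes OLD_POOL_ID / OLD_CLIENT_ID
are set and that the old app client allows ADMIN_USER_PASSWORD_AUTH.
"""
import os

OLD_POOL_ID = os.environ.get("OLD_POOL_ID", "us-east-1_OLDPOOL")     # hypothetical
OLD_CLIENT_ID = os.environ.get("OLD_CLIENT_ID", "1example23456789")  # hypothetical

# Only attributes declared in the new pool's schema; 'sub' is never copied
# because the new pool assigns its own.
COPIED_ATTRIBUTES = ("email", "email_verified", "name")


def attributes_of(user):
    """Flatten admin_get_user's UserAttributes list into a dict."""
    return {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}


def password_authenticates(cognito, username, password):
    """True only if the old pool fully authenticates username/password.

    A pending challenge (MFA, NEW_PASSWORD_REQUIRED) means the password alone
    was not enough, so the account must not be migrated on its strength.
    A wrong password makes the real client raise NotAuthorizedException.
    """
    resp = cognito.admin_initiate_auth(
        UserPoolId=OLD_POOL_ID, ClientId=OLD_CLIENT_ID,
        AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password})
    return "AuthenticationResult" in resp


def old_pool_attributes(cognito, username):
    return attributes_of(cognito.admin_get_user(UserPoolId=OLD_POOL_ID,
                                                Username=username))


def handler(event, context=None, cognito=None):
    if cognito is None:
        import boto3  # lazy import so the module loads without boto3
        cognito = boto3.client("cognito-idp")
    source, username = event["triggerSource"], event["userName"]
    if source == "UserMigration_Authentication":
        if not password_authenticates(cognito, username, event["request"]["password"]):
            raise PermissionError("old pool returned a challenge; not migrating")
    elif source != "UserMigration_ForgotPassword":
        raise ValueError(f"unexpected trigger source {source}")
    attrs = old_pool_attributes(cognito, username)
    if not attrs.get("email"):
        raise PermissionError("old account has no email; cannot migrate")
    if source == "UserMigration_ForgotPassword" and attrs.get("email_verified") != "true":
        # The reset code would otherwise go to an address nobody verified.
        raise PermissionError("refusing reset-driven migration of unverified email")
    event["response"]["userAttributes"] = {
        k: v for k, v in attrs.items() if k in COPIED_ATTRIBUTES}
    event["response"]["finalUserStatus"] = "CONFIRMED"  # no forced password change
    event["response"]["messageAction"] = "SUPPRESS"     # no welcome message
    return event


class FakeOldPool:
    """Constructed stand-in for the old pool's two API calls."""

    def __init__(self, password, attrs, challenge=None):
        self.password, self.attrs, self.challenge = password, attrs, challenge

    def admin_initiate_auth(self, **kw):
        if kw["AuthParameters"]["PASSWORD"] != self.password:
            raise PermissionError("NotAuthorizedException")
        if self.challenge:
            return {"ChallengeName": self.challenge, "Session": "opaque"}
        return {"AuthenticationResult": {"AccessToken": "opaque"}}

    def admin_get_user(self, **kw):
        return {"Username": kw["Username"],
                "UserAttributes": [{"Name": k, "Value": v} for k, v in self.attrs.items()]}


if __name__ == "__main__":
    old = FakeOldPool("correct horse", {"email": "alice@example.com",
                                        "email_verified": "true", "sub": "old-sub"})
    event = {"triggerSource": "UserMigration_Authentication", "userName": "alice@example.com",
             "request": {"password": "correct horse"}, "response": {}}
    print(handler(event, cognito=old)["response"])
```

Two constraints worth knowing before relying on this: the new pool's app client has to use the USER_PASSWORD_AUTH flow, because with SRP the password never reaches the trigger; and the trigger only fires for native username/password sign-ins, so Google and Facebook accounts still have to be handled by the PreSignUp linking approach from the first answer on this page.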