I created a Cognito User Pool and used the Federated login ( to Facebook )
However when the application goes into testing I foundout that lots of Facebook user do not have "email" which cause the whole login process to fail!
Worse than that, I found out that it is not possible to remove "required attribute" after user pool creation
Also there is no way to easily migate user from one pool to another ( I am exclusively using fedarated login, so no password needed however )
Have anyone get into the same issue and came up with a solution?
As far as I know An attribute cannot be switched between required and not required after a user pool has been created.
I suggest you:
Wanna keep current Userpool -> Create a lambda function, then you can add the required attribute at the pre-sign-up step.
If all user is from Facebook -> Create a new Userpool then export, and import user again. I think no problem in this case because Facebook AppID is same
If your attribute is required, the cognito signup call will fail because of the required attribute. I'm pretty certain it won't even call out to your presignup trigger. That's been my experience at least.
Related
In my app, users are only allowed to sign in using google. However, I need to keep track of which users are considered "admins" in my system, and allow admins to promote other users to also be admins. For this, I have a custom attribute in my Cognito user pool called 'admin'.
However, when I tried using Auth.userAttributes, I ran into the error that it expects a CognitoUser object, and Auth.currentAuthenticatedUser isn't returning a CognitoUser object. After some researching, it looks like it just returns whatever it gets from the federated sign in process. Looking at my user pool, it would seem users also aren't being assigned anything at all for my custom attribute.
I'm thinking I may need to use lambda triggers? But which triggers do I use, and how do I get Auth.currentAuthenticatedUser to return a CognitoUser object? I'm thinking I'll at least need a trigger to check if a user is signing in for the first time, and to set the admin attribute to 0. But then do I use Auth.signIn? Also, from https://github.com/aws-amplify/amplify-js/blob/a047ce73/packages/auth/src/Auth.ts#L1191, the source code for Auth.currentAuthenticatedUser, it looks like it only looks for the user in the user pool if the cache doesn't have any entry for 'aws-amplify-federatedInfo', which is added when I use Auth.federatedSignIn. So do I need to clear that?
Thanks in advance. Any info or advice is appreciated.
Tricky! I agree this should be easier. I'd leave the cache alone. Try bypassing the cache.
import { Auth } from 'aws-amplify';
Auth.currentAuthenticatedUser({
bypassCache: true // If set to true, this call will send a request to Cognito to get the latest user data
}).then(user => console.log(user))
.catch(err => console.log(err));
Why? currentAuthenticatedUser() is returning a FederatedUser when this is somewhat helpful because the ideal response would be a CognitoUser. bypassCache alters the response of currentAuthenticatedUser().
May your app bring great felicity!
I am trying to use AWS Cognito for my app.
I can register the users successfully to AWS Cognito, but I want to be able to also store them in my database (with my own API), too, as part of the sign-up process.
I saw that I could use a trigger function like Post confirmation, but as far as I understand, if saving the user to my database fails, then the user will still be created in the Cognito user pool.
I want to treat the sign-up process in a transactional way, so that if saving the user in my database fails, then the entire process fails.
So, it would look something like this:
Aws Cognito Sign Up -> Send_to_database_trigger ----fails----> user is not created
\---success--> user is created
Is there any way to achieve what I want? Thanks.
You can use the Pre Sign-up Lambda Trigger.
It gets the username and all the user attributes in the event and if it fails the user won't be signed up in Cognito.
In your case, you will save your user to your database in this trigger (after other possible validations) and will fail if saving to your database has failed. This way you can be sure that if a user exists in Cognito it also exists in your database.
If you need to save the sub then you can implement both Pre Sign-up and Post Confirmation and update your database record with the sub in the Post Confirmation trigger.
Cognito has a migration lambda that allows us to confirm a user in our db. They send the email and PW to Cognito, the lambda fires, we verify matches, and the user is entered into Cognito.
At this point - behind the scenes - Cognito generates a username of some kind (UUID). The problem is, I need a way to get this username into our existing database, because our systems going forward will no longer rely on email and instead rely on this username.
Ideal flow:
Sign In
Migration Succeeds
Cognito generates username
Username is sent to our server.
Now because we have email set to auto-verified, no post-confirmation lambda can be called. The only way I see to do this with Cognito as-is is to either:
Ask users who already exist in our system to confirm their email again. This is a non-starter
Create a post-auth lambda, check user login count through a custom attribute, and if 0 (or if not already registered with the service, etc.) migrate the username to the new service.
If there is any other way to do this, please let me know.
After the user migration lambda is called your pre sign-up lambda will be called, assuming you have implemented it. The parameters received by your lambda will include username with the value being the UID you referenced. Parameters will also include user attributes containing email. You can use this information to update your database.
I did not want to add the PreSignup trigger, its a complicated way of doing it if you already rely on PostConfirmation, and if the majority of new users won't be migrations. My use case has a frontend initiate the signup process as well, which I use here.
Instead, I set a Cognito attribute on the new user during the UserMigration trigger. It could be 'user_migration': <oldUserSub>, or however you want to mark it. Just make sure you allow this property within the Cognito user pool settings.
When the UserMigration trigger returns, this information is now accessible through verifying the IdToken, or found in the JWT on the frontend if you're using that. So, when the user is migrated into Cognito and the response gets back to the Cognito client on the frontend, I can now recognize this user needs to be migrated into my personal database. Seeing this, I'll call a new endpoint on my backend to handle this. This new endpoint does exactly what PostConfirmation would typically do.
Then just delete the 'user_migration' property from the Cognito user, return the new user data to the frontend and everything should be set up.
You can use Pre sign-up trigger. In order to detect if the trigger event came from your migration trigger, you can check at the trigger_source value from the event object. In my case (i'm using migration trigger) the value is PreSignUp_AdminCreateUser. By knowing the value of trigger_source you can differentiate if it was migrated or regular user. You can also check the user attributes to know whether the email or phone is verified or not.
Here's my sample code on python:
def lambda_handler(event, context):
trigger_source = event.get('triggerSource')
user_attributes = request.get('userAttributes')
email_verified = user_attributes.get('email_verified')
if trigger_source == 'PreSignUp_AdminCreateUser' and email_verified == 'true':
# create user on db
I would like to use a Cognito User Pool for Facebook logins only, which may be possible using the built in login form, but I need to use my own.
Theoretically, when it comes to a custom form, it shouldn't be hard: after I receive a user object from FB, I bind the user and email attributes to the ones in my User Pool and I save it.
But what to do about the password field and future authentication? And here I have failed during my journey...
...
userPool.signUp('FoobarUser', '**password?**', attributeList, null, function(err, result){
...
While digging deeper into the docs, I tried to implement a Identity Pool (Federated Identities), managed to save user info in the form of datasets as well, but then I realised, querying these sets gonna be a huge pain if possible at all.
Maybe I'm failing to understand the concepts, I would be really thankful if someone could suggest a way to manage facebook logins in a nicely organised fashion using Cognito.
So here is what I understand from your query.
Setup
Link Facebook to userpool
The app client allows only Facebook login, no other providers allowed (not even Userpool)
On login, you want Facebook user's info to be automatically populated in your Userpool
You don't want to use Cognito's builtin UI but use your own
My 2 Cents
In your app client, just select Facebook
In your UI, have a login button. On clicking it should redirect to your userpool's authorization endpoint
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id
If you want to use your own UI with multiple providers, allow the same in Client and on clicking the appropriate button in your UI (say Facebook), redirect users to the authorize endpoint but append the identity_provider in the URL
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id&identity_provider=Facebook
If you want to see the names of all supported identity providers, use ListIdentityProviders API call
This way, all Facebook users will be automatically created in your userpool. Of course, their names will be random like Facebook_123jkjdwj but all their details will be correctly populated from the token as per your attribute mapping. As a plus, all auto-created users from a particular provider are added to an auto-created group 'Userpoolid_providername' eg. us_east_1_xxxx_Facebook.
I have a Cognito Identity Pool that is used to authenticate my front end users, as well as give them certain permissions in my application. However, I have encountered an issue with giving these users permission to access IoT, which involves invoking a Lambda calling iot.addPrincipalPolicy(), and once that is done then everything works flawlessly.
However, the issue I am facing is that right now I am running this function is being called every time my user requests authentication, when it really only needs to be ran when the user signs up. Is there a way to make sure that it only gets ran once? I was thinking of using a Cognito User Pool trigger, but that will only work for my users who authenticate with Cognito and not with Facebook or Google.
So basically, I would like to only call this function once, the first time that the user gets an Identity Pool ID. Is there a way I can do this that will work for all login methods?
As I don't have enough rep points to simply put a comment, I will leave this here just in case it helps you.
Cognito User Pool recently gained support for Facebook and Google identity providers, so you COULD user a User pool trigger if needed.
http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social.html