According to Scopes for Google SignIn, there is no 'phone' scope, the only scopes are openid, email, profile.
My Cognito User Pool has a phone user attribute, and it is required.
For users who sign-up directly with the user pool, they enter their phone number in Amazon's hosted UI which displays a phone field in the sign up form, all good.
For users who sign-up with Google, they get an error. I've traced it to the fact that Google doesn't send over a phone_number and the mapping from Google to User Pools attribute fails. If I create a new pool, which does not require a phone_number federation to Google works, the moment I require that attribute it fails, despite the fact that the Google Account I test with has a phone_number.
Is mapping phone really not possible when sign in with Google federated to Cognito User Pool?
Is it possible for the the hosted SignUp UI to show a field for my Google users asking them to fill in the phone number between them authenticating with Google and the hosted UI redirecting to my redirect URL?
Alternate solutions?
I also faced the same issue. To get this to "work" I had to sadly remove the phone number requirement which also meant I had to make a new user pool.
Now AWS provides phone scope
Step-1 Go to user pool's App client settings page.
Step-2 click the phone option.
Step-3 Go to user pool's Attribute Mapping page page.
Step-4 Map external identity provider's attribute to user pool attribute. (I am using Google)
Related
I want to make a simple flow for registration app.
User sign up with only email -> The verification/registration link is sent to the email -> People register (putting in their password) on that link
I've googled anything but haven't found any way to make it with AWS Cognito.
Looks like Cognito is forcing users to sign up with at least email AND password to get the confirmation link
You can sign up users with adminCreateUser API call. They will receive an email with temporary passwords. This approach is configurable.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Use: AdminCreateUser
Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password(will be your user's password) or allow Amazon Cognito to automatically generate one.
Specify whether provided email addresses and phone numbers are marked as verified for new users.
Specify custom SMS and email invitation messages for new users via the AWS Management Console.
Specify whether invitation messages are sent via SMS, email, or both.
After successful user creation,
1. authenticate user using same user credentials
Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
2. After success of initateAuth, amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.
3. Use RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER
4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
5. The user is prompted and enters a new password and any missing values for required attributes.
6. Call RespondToAuthChallenge(Username, <New password>, <User attributes>).
7. After successful password change user can be able to login using same credentials added by you.
Short answer
- In that case, you can specify the temporary password(will allow Amazon Cognito to automatically generate one.).
- all user users will be forced to change their password only at first login.
While using Android SDK Cognito does not add users automatically to the user pool if user logins with a 3rd parth identity provider like Google or Facebook.
What is the best way to do this? Should I register user from Android app?
After successful login I can look for the user with the related email and that I can show a user information for to let them enter their info.
Thank you.
What worked for me - let the users authenticate using Cognito (not FB or Google directly). The Cognito logon page can further delegate the social network authentication and adding users to the user pool
https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
(I know this is the web endpoint)
I can show a user information for to let them enter their info
the id_token received after logon contains the user email if you request it, you don't need to add users to the pool to get this information
I would like to use a Cognito User Pool for Facebook logins only, which may be possible using the built in login form, but I need to use my own.
Theoretically, when it comes to a custom form, it shouldn't be hard: after I receive a user object from FB, I bind the user and email attributes to the ones in my User Pool and I save it.
But what to do about the password field and future authentication? And here I have failed during my journey...
...
userPool.signUp('FoobarUser', '**password?**', attributeList, null, function(err, result){
...
While digging deeper into the docs, I tried to implement a Identity Pool (Federated Identities), managed to save user info in the form of datasets as well, but then I realised, querying these sets gonna be a huge pain if possible at all.
Maybe I'm failing to understand the concepts, I would be really thankful if someone could suggest a way to manage facebook logins in a nicely organised fashion using Cognito.
So here is what I understand from your query.
Setup
Link Facebook to userpool
The app client allows only Facebook login, no other providers allowed (not even Userpool)
On login, you want Facebook user's info to be automatically populated in your Userpool
You don't want to use Cognito's builtin UI but use your own
My 2 Cents
In your app client, just select Facebook
In your UI, have a login button. On clicking it should redirect to your userpool's authorization endpoint
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id
If you want to use your own UI with multiple providers, allow the same in Client and on clicking the appropriate button in your UI (say Facebook), redirect users to the authorize endpoint but append the identity_provider in the URL
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id&identity_provider=Facebook
If you want to see the names of all supported identity providers, use ListIdentityProviders API call
This way, all Facebook users will be automatically created in your userpool. Of course, their names will be random like Facebook_123jkjdwj but all their details will be correctly populated from the token as per your attribute mapping. As a plus, all auto-created users from a particular provider are added to an auto-created group 'Userpoolid_providername' eg. us_east_1_xxxx_Facebook.
Once the cognito-id is created for a user logging via. google, how to find the email id of the user.
As shown in the above picture, I can find the cognito-id, but couldn't find any other information that google could have supplied when the user logged in.
Any help is appreciated.
Thanks in advance,
First make sure you provide email in scopes. Usually the scope is defined as profile email openid.
Next you have to "Configure attribute mapping" which is on the bottom right of the "Identity providers" section. There you can map Google's email attribute to the Email attribute of the user pool.
You'd probably have to remove users from the pool that logged in prior to the additional configuration to properly fetch the attributes. You can do this by clicking on the google user in the user pool then click "Disable" then "Delete". For example, I couldn't see the picture attribute of a google user until I removed my user from the pool and logged in again.
You should now be able to see the email attribute (and other properly configured) when you click on the user. You should also be able to see these attributes when you decode the id_token and when you call the <AUTH_DOMAIN>/oauth2/userInfo endpoint.
Cognito leverages these tokens to sign in users, but doesn't store any additional metadata against the user. It doesn't track any of it, so you won't see it there. To do so, you'd need to grab it from Google during sign in, and either store it in Cognito sync or in an external datastore (e.g. a dynamo table keyed by identity id).
Is it possible to register Facebook account without having email tied to that account? I am asking because in some responses (1 out of 10000) I don't get email (I have perms="email" in request to API)?
Anyone have experience with this problem? What response do you display to user in this case?
Actually it is possible, for the case user signed up via facebook mobile app on a phone, and registered using a phone number.
email permission isn't one that blocks user from logging in, once granted it can be removed manually by user and he can avoid granting it in the future interactions with your app/site.
At least Facebook's JavaScript SDK passing user identity even if user skip granting email permission.
It is not possible to register a facebook account without an email. If you have users connecting your application but you can't see their email address, they probably denied permission.
It's not possible to have a facebook account without email, but it's possible to have it with unconfirmed email, in which case it's not provided via API:
Facebook Email field return null (even if the “email” permission is set and accepted)