This repository has been archived by the owner on Feb 24, 2018. It is now read-only.

Link identities from different Federated providers #560

Closed
dbeja opened this issue Oct 19, 2017 · 7 comments

Comments

@dbeja

dbeja commented Oct 19, 2017

Hi,

I'm using a federated pool with a user pool and some social providers (Google, Facebook).
What should be the approach to link identities if they connect using different providers (the same email in all providers)?

Thanks!

@itrestian
Contributor

You would have to call the 'admin link provider for user' from your backend to link them based on common attributes.
http://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-link-provider-for-user.html

@dbeja
Author

dbeja commented Oct 20, 2017

Ok, I see. Thanks for the link

@dbeja dbeja closed this as completed Oct 20, 2017
@prem911

prem911 commented Oct 21, 2017

@dbeja @itrestian Any solid examples of adminLinkProviderForUser?

The documentation is on the difficult side to follow.

Is it possible to link an unconfirmed pooluser with a google or a fb account?

@saintberry

@prem911 The documentation is confusing; however, the answers are there. I find consulting the AWS REST API docs (what all the SDKs call) far more useful than the SDK docs.

I used these params to link a Facebook account to an email/password account in my user pool. Note you do this before the Facebook account has been created (more on that below), otherwise you will receive a "SourceUser with the specified attribute value is already linked to another user" error.

  const params = {
    "DestinationUser": {
      "ProviderAttributeValue": "<user id of the cognito user-password user>",
      "ProviderName": "Cognito"
    },
    "SourceUser": {
      "ProviderAttributeName": "Cognito_Subject",
      "ProviderAttributeValue": "<id, sub, or user_id value found in the social identity provider token>",
      "ProviderName": "Facebook"
    },
    "UserPoolId": "<poolid>"
  };

If I pass these params to a call to adminLinkProviderForUser I get an empty {} 200 response indicating the accounts are linked.

Following that I can sign in with my Facebook account and see that no new Facebook account is created in my pool (yay).

After I generate keys for the user that has just logged in and I decode the id_token I can see the token reflects my email / password user. This would indicate the linking was successful.

@itrestian This all looks good, however the linking relies on using a value in the id, sub, or user_id value found in the social identity provider token.

So how is the flow supposed to work? I can't get that info until someone goes through the oauth flow with a provider. How can I hook into that flow, get the id, sub, or user_id to perform the linking?

In order to do the social login I'm doing the GET amazoncognito.com/oauth2/authorize?identity_provider=Facebook&response_type=code then POST amazoncognito.com/oauth2/token approach.

@iDVB

iDVB commented Nov 8, 2017

I'm in the same boat as @saintberry.
I'm currently running this in the presignup trigger.
If I start with a single user in the pool that is a basic user:pass user and then I try to sign in with Google as a user with the same email, then inside my function I try to find a matching email in the pool and, if so, I link that account with the Google one.

When no errors occur, I end up with two users (UserPassUser + GoogleUser) and additionally the UserPassUser now has an "identity" field that contains the Google user data.

Is there a way to prevent that extra user from being created? Is there a better place to put this code in the Cognito trigger/lifecycle flow?

@Birowsky

@iDVB @saintberry did you figure out the flow? Did you find a more appropriate trigger that provides the id of the federated user account? Is there anything between PreSignUp_ExternalProvider and PostConfirmation_ConfirmSignUp?

@Birowsky

Birowsky commented Dec 14, 2017

Darn it, I think I found it: directly in the event object, there is a userName field with this value: Facebook_10155611263153432. The second part is the same as the userId that we get in the PostConfirmation_ConfirmSignUp trigger. Which is nice. But this never-ending Cognito saga kept the best for last: "Already found an entry for username Facebook_10155611263153432". I mean.. seriously? I completely clear up the user pool before trying.

Anyone else faced this?

(Just as a reference, I call adminLinkProviderForUser within the PreSignUp_ExternalProvider trigger)

Posted this here if anyone is interested: https://stackoverflow.com/q/47815161/592641
