Integrate facebook/google login to userpool

[sanjosedennis7593]

Hi guys,

Anybody out there know how to integrate facebook/google login to userpool ? Can you provide a detailed instruction? I've been struggled with this issue for the past few months now. I can't find any documentation on how to merge it properly.

Below are some of the use case scenario that i want to happen in my app.

1. If i register using social media provider (facebook, google), then it will get all of the user details and save it to userpool automatically. (This will only happen if the email is not exist in the userpool)
2. Merge all account of the same email of different social media account provider. (If the account is already in the userpool, regardless of the social media provider i chose, it will still map to the same user information based on the email i logged in using the social media account i chose).

If this plugin doesn't support the integration of social media account provider to userpool, is there any other way or workaround to make it happen to my app? I did a research about this one, and still some developer still got no luck.

[epicfaace]

You can integrate facebook/google login to an identity pool through the federated options in the Amplify Auth API. I don't think Amplify supports connecting it to a user pool yet.

[raf202]

You should check https://github.com/aws/amazon-cognito-auth-js/. But it's not perfect too, achieving this with Cognito is either poorly documented / undocumented or currently broken. Looking for a solution as well

[vonkanehoffen]

I think that amazon-cognito-auth-js package has been superseded by aws-amplify now hasn't it @raphadko ?

I'm struggling with this still too though. I see in the docs here that Auth.federatedSignIn looks like it does the trick, but when I use it like in the example, passing it the jwt token from ga.signIn I get nothing back and Auth.currentSession reports no signed-in user. .....might open another ticket if I can't figure out what the problem is soon :-)

[raf202]

Did you find a solution?

[syang]

I think item 1 is a commonly needed feature for a web app (though Item may be a bit advance and not necessarily needed by every web app), has it been supported by Amplify?

1. If i register using social media provider (facebook, google), then it will get all of the user details and save it to userpool automatically. (This will only happen if the email is not exist in the userpool)

[0xdevalias]

It seems that using the 'hosted web UI' we can enable federated social logins with just a userpool, no identity pool required. Though as best I can dig my way through the Amplify documentation, the built in UI components only allow federated login against an identity pool. It would be nice if AmplifyJS could support this same method (or if it already can, updated documentation on how to)

The following links speak more generally to how to link a Social (federated) login with a user in the user pool (assuming they haven't logged in with that social login before)

• https://forums.aws.amazon.com/thread.jspa?threadID=261470
• Link identities from different Federated providers amazon-archives/amazon-cognito-identity-js#560 (comment)
• https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-link-provider-for-user.html
  • "This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in, so that the federated user identity can be used to sign in as the existing user account."
• https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-disable-provider-for-user.html

[mickadoua]

Any update about this?
I don’t understand why is so complex to achieve this simple task,

My final goal is to know who call my Lambda (with API GW) to adapt rules please

[erodrig]

Hello ? it is true that react components only work with identity pool ? I need the users registered when login from social media,.

[andywgarcia]

I have the same requirement as @mickadoua which is to use the cognito integration on API gateway and know who is calling the API, but allow users to sign in with Facebook. I don't see a way to do this through the SDK.

[anuradhawick]

Can anyone give an update on this thread?
I intend to link the users to cognito user in the pre sign up trigger. However, it fails with error "Already found an entry for username Facebook_4567890456789067". Apparently adminLinkProviderForUser creates a user and sign the user up in the pre sign up stage failing the flow. I have been working on this for several days without luck. Thanks in advance.

[hakimio]

@anuradhawick Did you find any solution for the adminLinkProviderForUser issue?

[anuradhawick]

@hakimio actually No. I made a workaround my self by handling the error from front end. You can have a look at this. https://github.com/anuradhawick/vinly-search/blob/master/viny-site/src/app/shared-modules/auth/auth.service.ts

If it fails with Google, we can force signup with Facebook and vice versa. (You can give a custom message and proceed). For me this is the best way as I deal with senior users. However. from back-end I make the record in DB and Userpools that they have both FB and Google accounts so in future there won't be an error.

Did you have anything else in mind? The way to go could be failing first followed by user logging in with original account and later link the new social account.

[hakimio]

@anuradhawick Thanks for sharing your solution.

In our case we have admin added users to Cognito user pool, then in PreSignUp_ExternalProvider Cognito hook we check if the user trying to login with social provider is one of the already existing users and if it is, we use adminLinkProviderForUser to link social provider account to Cognito user. The first time it results in Already found an entry for username error because both adminLinkProviderForUser create a new user and the sign-up itself tries to do it as well.

It seems to be well known Cognito issue, but it doesn't seem like it's a high priority issue for AWS devs.

I think for now we'll just retry on error as well, since there is not much else to do.

[Amaanuddin]

Did anyone resolve this issue?

[hakimio]

@Amaanuddin The only "solution" is to just retry when you get Already found an entry for username error because of adminLinkProviderForUser(). Second login attempt always succeeds.

[tvb]

@Amaanuddin The only "solution" is to just retry when you get Already found an entry for username error because of adminLinkProviderForUser(). Second login attempt always succeeds.

@hakimio do you mean by retrying to retry the complete auth flow? Because this means the end user will see the Social Provider authentication popup/window twice on the first attempt. Kinda sucks and is bad UX.

[hakimio]

@tvb The second time the user won't have to confirm or select anything unless he is using incognito mode. He will only see the browser page reloading.
If you don't like this workaround, you'll have to create some separate UI for linking accounts and only allow to login with social provider once this is done.
Anyway, you can tell AWS Cognito developers that they are doing a craptastic job, but it doesn't seem like they care.

[tvb]

@tvb The second time the user won't have to confirm or select anything unless he is using incognito mode. He will only see the browser page reloading.

If you don't like this workaround, you'll have to create some separate UI for linking accounts and only allow to login with social provider once this is done.

Anyway, you can tell AWS Cognito developers that they are doing a craptastic job, but it doesn't seem like they care.

Hmm, I need to look into it again I guess, as I thought a reload wasn’t enough to get it working

[mrgoos]

It's still not working and I can't see how it can be handled without promoting the login screen again.
I'm using SAML and in SAML flow the user must provide a corporate email.
So if it fails with Already found an entry for username I can catch it in the FE only and then I need to invoke Auth.federatedSignIn() again which will initiate the whole login screen from the beginning.
I hope it'll be resolved one day, one can hope 🙏

[hakimio]

@mrgoos
Here is Angular Google Authentication service which allows you to redirect user directly to google login without using AWS sign-in screen. If the user confirms Google authentication the first time and he is not using incognito browser mode, the second time he won't be asked to confirm again.
It has two public methods you can use in your app:

redirectToGoogleLogin(): void;
getTokens(): Observable<AuthenticationTokens | null>;

Should be possible to do something similar for Facebook as well.

[mrgoos]

Thanks @hakimio but Im using SAML so the IDP could be anything for me.
This is why I go through the corporate ID screen.

[tvb]

I'm struggling with this too still. I think we should ask the Cognito team to look into this, however I have no paid AWS Support subscription yet.

[hakimio]

@tvb They've known about this issue at lease since 2017 but they haven't done anything about it. They just don't seem to care.
They say it's done like that for some "security" reasons.

[tvb]

@tvb They've known about this issue at lease since 2017 but they haven't done anything about it. They just don't seem to care.
They say it's done like that for some "security" reasons.

Uhh

Due to the security expectation, we currently don't support implicit linking(linking based on matching email addresses for example) done via a pre-signup lambda trigger to achieve the automatic linking.We will take this as a feature request and support it in the future.

But they do allow, just only for one IDP. If you link multiple it will break..

[tvb]

Turns out the the hot fix by presenting the social login screen again only works with Google 😭

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.