amazon-cognito-identity-js
Possible bug: Userdata from federated identities incomplete
I am currently using this SDK to authenticate users using the hosted UI-flow.
The authentication process works fine, but there seem to be some problems with the data stored in AWS Cognito user pool for users authenticated via a federated identity.
Note: My AWS Cognito user pool is set up to allow users to sign in using their e-mail address as username.
Scenario 1
I am attempting to retrieve a user by his/her e-mail address using python/boto3 with the following method: CognitoIdentityProvider.Client.admin_get_user()
boto3 docs: CognitoProvider.Client.admin_get_user()
If I pass the user's e-mail address to this method, the following results are returned:
- User registered by AWS Cognito admin - match
- User who registered via the AWS hosted UI e-mail/password form - match
- User who registered via a federated identity - NO MATCH
Scenario 2
If I pass the AWS Cognito username to the same method, the following results are returned:
- User registered by AWS Cognito admin - match
- User who registered via the AWS hosted UI e-mail/password form - match
- User who registered via a federated identity - MATCH
The boto3 method accepts Username as a parameter, which makes Scenario 2 return the correct results.
Since I have configured my AWS Cognito user pool to accept sign in/login using e-mail address as username, the results returned in Scenario 1 also make sense, disregarding the lack of information for users obtained via a federated identity.
To me it seems that federated identity users lack some sort of data in AWS Cognito, excluding them from the type of search performed in Scenario 1. It seems that the users created via a federated identity are missing the same "link" between username and e-mail address that the users created via admin or the sign-up form have. (In either scenario it seems that the boto3 method does its job perfectly.)
The AdminGetUser call returns the user attributes, so can you please elaborate on how you are determining "User who registered via a federated identity"? Is this based on a custom attribute?
No, this is determined by the username, which is prefixed with the federated identity provider used when authenticating the user. E.g. users authenticated via Facebook will be prefixed 'Facebook_XXXXX'. The generation of users in the AWS Cognito user pool is beyond my control, and done automatically.
My test code follows the example code referenced here: amazon-cognito-auth.js
Do you have aliases enabled on your user pool?