
AWS-Amplify : Making Google account selector screen mandatory

Open mdsadique2 opened this issue 4 years ago • 58 comments

So I have implemented Google authentication by using AWS Amplify (federatedSignIn) in my React app. Apparently, I want to make the Google account selector screen mandatory for the user to select an account to log in. Apparently, it works only when multiple Google accounts are available to choose from, but if there is only one account, the system automatically uses it to log in.

How can I enforce the selection screen with only one account?

mdsadique2 avatar Sep 19 '19 16:09 mdsadique2

Hey @mdsadique2,

Can you provide a bit more information about which framework (if any) and platform you are using for this?

jordanranz avatar Sep 19 '19 20:09 jordanranz

> Hey @mdsadique2,
>
> Can you provide a bit more information about which framework (if any) and platform you are using for this?

Sorry for not providing enough details. It is a React app which uses the AWS Amplify federatedSignIn feature to use Google authentication.

mdsadique2 avatar Sep 20 '19 06:09 mdsadique2

@mdsadique2 thanks for the additional detail. I marked this as a feature request to evaluate with the team.

jordanranz avatar Sep 24 '19 18:09 jordanranz

@mdsadique2 Are you doing federation with the Cognito User Pool or the Cognito Identity Pool? If you are using the identity pool you can use the Google API ('gapi'), which should allow you to force the select_account screen. I am not positive how this would be accomplished with Hosted UI.

Update: This is actually not possible using the Cognito Hosted UI, but I have logged a ticket with the service team for their backlog. If you are doing federation with the identity pool, then it should be possible by following the instructions in the docs linked to above.

haverchuck avatar Dec 12 '19 23:12 haverchuck

Semi-related, but is there a specific way to sign out a user authenticated via a social IdP, such that the next time they attempt to sign-in with that IdP, they aren't automatically signed in?

It seems my app maintains some sort of authenticated state, even when local storage appears to be cleared on sign out. When I sign back in, I can't even trigger a pre- or post-authentication trigger.

Possibly related to https://github.com/aws-amplify/amplify-js/issues/3933

leosoaivan avatar Jan 13 '20 17:01 leosoaivan

Semi-related: for those like me who spent a lot of time figuring out how to force account selection: I am using the withGoogle amplify-react component (so I think it is not using federatedSignin: it opens in a popup...), and I am able to overwrite the prompt param using the following:

        // Build sign-in options that ask Google to show the account chooser
        const options = new gapi.auth2.SigninOptionsBuilder();
        options.setPrompt('select_account');

Note that gapi is loaded by amplify automatically in my case (by withGoogle maybe?)

saadtazi avatar Feb 24 '20 15:02 saadtazi

@saadtazi, could you please clarify where exactly you got the withGoogle component? From @aws-amplify/ui-react?

beshur avatar Feb 23 '21 13:02 beshur

The hack that @saadtazi posted about won't work if you use Cognito user pools because it bypasses the user pool and instead calls federation against the identity pool. You'll only have the Google JWT, and not the Cognito user pool JWTs.

Here's the hack in question, and it's actually in Amazon's docs under Identity Pool Federation.

https://docs.amplify.aws/lib/auth/advanced/q/platform/js/#google-sign-in-react

The code in question is

        const credentials = await Auth.federatedSignIn(
            'google',
            { token: id_token, expires_at },
            user
        );

The Auth.federatedSignIn() call has different signatures. When you call it like this, it will do federated sign in against the identity pool and not the user pool (as in calling it like Auth.federatedSignIn({ provider: 'Google' })).

My research has come up with nothing in terms of how to exchange the Google JWT directly for a Cognito User Pool JWT.

You can further find the same question here:

https://repost.aws/questions/QUVmaFYTE9Ty2Qlm2XTZ_csw/aws-cognito-how-to-force-select-account-when-signing-in-with-google

theogravity avatar Jan 05 '22 19:01 theogravity

I still have the same issue here: I cannot select the account once signed in. Any update? I also found a related issue that was closed but doesn't have a way to resolve this yet: https://github.com/aws-amplify/amplify-js/issues/4720

bunditta-p avatar Apr 18 '22 08:04 bunditta-p

I can't believe it's been three years and nobody on the Cognito/Amplify team has addressed this 👎.

Please, guys. All we need is the ability to set prompt=select_account when we use Auth.federatedSignIn({ provider: 'Google' }). As a whole I really like Cognito for auth, but if this isn't resolved I'll be forced to move to a different provider which allows me to use this such as Auth0. This is really detrimental to the experience of our users.

S-Cardenas avatar Jun 15 '22 14:06 S-Cardenas

We're moving to FusionAuth after evaluating our use-cases against around 10+ other providers (including Auth0, which was our original first choice when doing the evaluations - what didn't work for us is they had a limit on IdPs you can provision; we are a SaaS product that has orgs that want to do multiple SAML SSO integrations, so we can't have such limits).

This isn't the only hack we've had to do with Cognito.

The FusionAuth APIs have covered all our needs without all the hacks that Cognito has required.

theogravity avatar Jun 15 '22 17:06 theogravity

We are facing a similar issue with Amplify-iOS. Not being able to select a specific google account has caused a really bad user experience that we now are considering moving to other providers.

As @theogravity stated above, this isn't the only hack we had to do with Cognito as well.

andrew-haus avatar Jun 15 '22 17:06 andrew-haus

Thanks @theogravity. I'll definitely be checking out FusionAuth.

S-Cardenas avatar Jun 15 '22 18:06 S-Cardenas

Has there really been no word on this? It's becoming a dealbreaker for us as well.

ebk46 avatar Aug 31 '22 15:08 ebk46

Hi @ebk46 - unfortunately, there is still a limitation on this from the Amazon Cognito service. We have communicated this limitation to their team, and we will update this issue when a solution is in place.

abdallahshaban557 avatar Sep 01 '22 07:09 abdallahshaban557

Any updates? I am still facing the same problem, too

ArtemiiMarchuk avatar Nov 20 '22 22:11 ArtemiiMarchuk

Same problem still exists in 2022!

Abdelalim-dev avatar Nov 30 '22 14:11 Abdelalim-dev

We just transitioned to FusionAuth after a few months of work. I can say there have been no hacks required compared to the multitude of hacks Cognito needed to get basic functionality to work.

It was surprisingly a smooth process, and I will never recommend anyone use Cognito. They don't care about its users at all.

theogravity avatar Nov 30 '22 18:11 theogravity

I don't know about FusionAuth but Google Identity Platform from Google Cloud works exactly like Cognito but it does not have those limitations (they even have the same interesting free-tier)

I might migrate to it at some point.

anisg avatar Jan 08 '23 13:01 anisg

A basic feature still is not supported in 2023. If we use AWS Cognito to implement login with Google, it leads to a bad UX because users cannot select which Google account to log in with.

If someone is still looking for a solution for it, I highly recommend using a service from GCP instead of AWS Cognito.

ArduinoGetStarted avatar Jan 26 '23 02:01 ArduinoGetStarted

@ArduinoGetStarted what is the name of the service from GCP that is equivalent to Cognito?

S-Cardenas avatar Jan 28 '23 06:01 S-Cardenas

The way around this is to use Google as an OpenID authentication provider for your user pool in Cognito.

I have just written a solution for this problem on Stack Overflow.

Here is the link https://stackoverflow.com/a/75291833/13889098

untilhamza avatar Jan 30 '23 14:01 untilhamza

Still no fix? Any update or workaround?

ambrosdavid avatar Feb 22 '23 19:02 ambrosdavid

I face an issue still in March 2023.

Krak86 avatar Mar 24 '23 16:03 Krak86

Yeah, stop using Cognito. Stop.

theogravity avatar Mar 24 '23 17:03 theogravity

Hey! Any updates from the Cognito team? Migrating to another auth provider is not a nice option for a project based on AWS. Please let us know...

pablovargasosorio avatar Apr 05 '23 14:04 pablovargasosorio

Check out this answer on Stack Overflow: https://stackoverflow.com/a/75291833/13889098

untilhamza avatar Apr 06 '23 01:04 untilhamza

Hey, is anyone able to solve this for react native?

parasfusemachine avatar Apr 11 '23 03:04 parasfusemachine

Hey @jordanranz, did you evaluate the effort of adding the prompt parameter as @S-Cardenas explained? I mean, it would just be to build the Google OAuth target URL with the additional parameter: https://accounts.google.com/o/oauth2/v2/auth?client_id=[...]&prompt=select_account It does not seem a big deal at all ;)

pablovargasosorio avatar Apr 11 '23 09:04 pablovargasosorio

Well... I guess that URL ☝️ is actually built from Cognito internally, and that's why we're waiting for them to implement the feature, right?

pablovargasosorio avatar Apr 11 '23 11:04 pablovargasosorio
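
The authorization request described in the two comments above, as an added example that is not part of the original thread or of Amplify's code: it builds the Google authorization URL with `prompt=select_account` and checks an outgoing URL for it. It applies to an app that calls Google's endpoint directly (with the Cognito Hosted UI, as noted above, Cognito builds this URL itself); the function names, client ID and redirect URI are hypothetical placeholders.

```javascript
// Added example (Node.js). In a browser, use crypto.getRandomValues instead.
const { randomBytes } = require('node:crypto');

const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';
// Prompt values accepted by Google's authorization endpoint.
const ALLOWED_PROMPTS = new Set(['none', 'consent', 'select_account']);

// Build an authorization-code request that forces the account chooser.
// Returns the URL plus the state/nonce the caller must store and later
// compare against the callback (state) and the ID token (nonce).
function buildGoogleAuthUrl({ clientId, redirectUri,
                              scopes = ['openid', 'email'],
                              prompt = ['select_account'] }) {
  for (const p of prompt) {
    if (!ALLOWED_PROMPTS.has(p)) throw new Error(`unsupported prompt value: ${p}`);
  }
  // OpenID Connect: 'none' must not be combined with any other prompt value.
  if (prompt.includes('none') && prompt.length > 1) {
    throw new Error("prompt 'none' cannot be combined with other values");
  }
  const state = randomBytes(16).toString('hex'); // CSRF protection
  const nonce = randomBytes(16).toString('hex'); // ID token replay protection
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: scopes.join(' '),
    state,
    nonce,
    prompt: prompt.join(' '), // space-delimited list
  }).toString();
  return { url: url.toString(), state, nonce };
}

// True only if the URL targets Google's endpoint and its prompt list
// contains select_account, i.e. a lone signed-in account is not auto-used.
function forcesAccountChooser(authUrl) {
  const u = new URL(authUrl);
  if (u.origin + u.pathname !== GOOGLE_AUTH_ENDPOINT) return false;
  const values = (u.searchParams.get('prompt') || '').split(/\s+/).filter(Boolean);
  return values.includes('select_account');
}

// Constructed sample values, not real credentials.
const sample = buildGoogleAuthUrl({
  clientId: 'example-client-id.apps.googleusercontent.com',
  redirectUri: 'https://app.example.com/oauth/callback',
});
console.log(sample.url, forcesAccountChooser(sample.url));
```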