AWS-Amplify : Making Google account selector screen mandatory
So I have implemented Google authentication by using AWS Amplify (federatedSignIn) in my React app. Apparently, I want to make the Google account selector screen mandatory for the user to select an account to log in. Apparently, it works only when multiple Google accounts are available to choose from, but if there is only one account, the system automatically uses it to log in?
How can I enforce the selection screen with only one account?
Hey @mdsadique2,
Can you provide a bit more information about which framework (if any) and platform you are using for this?
Sorry for not providing enough details. It is a React app which uses the AWS Amplify federatedSignIn feature to use Google authentication.
@mdsadique2 thanks for the additional detail. I marked this as a feature request to evaluate with the team.
@mdsadique2 Are you doing federation with the Cognito User Pool or the Cognito Identity Pool? If you are using the identity pool you can use the Google API ('gapi'), which should allow you to force the select_account screen. I am not positive how that would be accomplished with Hosted UI.
Update: This is actually not possible using the Cognito Hosted UI, but I have logged a ticket with the service team for their backlog. If you are doing federation with the identity pool, then it should be possible by following the instructions in the docs linked to above.
Semi-related, but is there a specific way to sign out a user authenticated via a social IdP, such that the next time they attempt to sign-in with that IdP, they aren't automatically signed in?
It seems my app maintains some sort of authenticated state, even when local storage appears to be cleared on sign out. When I sign back in, I can't even trigger a pre- or post-authentication trigger.
Possibly related to https://github.com/aws-amplify/amplify-js/issues/3933
Semi-related: for those like me who spent a lot of time figuring out how to force account selection: I am using the withGoogle amplify-react component (so I think it is not using federatedSignIn: it opens in a popup...), and I am able to overwrite the prompt param using the following:
const options = new gapi.auth2.SigninOptionsBuilder();
options.setPrompt('select_account');
Note that gapi is loaded by amplify automatically in my case (by withGoogle maybe?)
@saadtazi, could you please clarify where exactly did you get withGoogle component?
From the @aws-amplify/ui-react ?
The hack that @saadtazi posted about won't work if you use Cognito user pools because it bypasses the user pool and instead calls federation against the identity pool. You'll only have the Google JWT, and not the Cognito user pool JWTs.
Here's the hack in question, and it's actually on amazon's docs under Identity Pool Federation.
https://docs.amplify.aws/lib/auth/advanced/q/platform/js/#google-sign-in-react
The code in question is
const credentials = await Auth.federatedSignIn(
  'google',
  { token: id_token, expires_at },
  user
);
The Auth.federatedSignIn() call has different signatures. When you call it like this, it will do federated sign in against the identity pool and not the user pool (as in calling it like Auth.federatedSignIn({ provider: 'Google' })).
My research has come up with nothing in terms of how to exchange the Google JWT directly for a Cognito User Pool JWT.
You can further find the same question here:
https://repost.aws/questions/QUVmaFYTE9Ty2Qlm2XTZ_csw/aws-cognito-how-to-force-select-account-when-signing-in-with-google
I still got the same issue here which cannot select the account once signed in. Any update? Also found some related issue closed but don't have the way to resolve yet https://github.com/aws-amplify/amplify-js/issues/4720
I can't believe it's been three years and nobody on the Cognito/Amplify team has addressed this 👎.
Please, guys. All we need is the ability to set prompt=select_account when we use Auth.federatedSignIn({ provider: 'Google' }). As a whole I really like Cognito for auth, but if this isn't resolved I'll be forced to move to a different provider which allows me to use this such as Auth0. This is really detrimental to the experience of our users.
We're moving to FusionAuth after evaluating our use-cases against around 10+ other providers (including Auth0, which was our original first choice when doing the evaluations - what didn't work for us is they had a limit on IdPs you can provision; we are a SaaS product that has orgs that want to do multiple SAML SSO integrations, so we can't have such limits).
This isn't the only hack we've had to do with Cognito.
The FusionAuth APIs have covered all our needs without all the hacks that Cognito has required.
We are facing a similar issue with Amplify-iOS. Not being able to select a specific google account has caused a really bad user experience that we now are considering moving to other providers.
As @theogravity stated above, this isn't the only hack we had to do with Cognito as well.
Thanks @theogravity. I'll definitely be checking out FusionAuth.
Has there really been no word on this? It's becoming a dealbreaker for us as well.
Hi @ebk46 - unfortunately, there is still a limitation on this from the Amazon Cognito service. We have communicated this limitation to their team, and we will update this issue when a solution is in place.
Any updates? I am still facing the same problem, too
Same problem still exists in 2022!
We just transitioned to FusionAuth after a few months of work. I can say there have been no hacks required compared to the multitude of hacks Cognito needed to get basic functionality to work.
It was surprisingly a smooth process, and will never recommend anyone use Cognito. They don't care about its users at all.
I don't know about FusionAuth but Google Identity Platform from Google Cloud works exactly like Cognito but it does not have those limitations (they even have the same interesting free-tier)
I might migrate to it at some point.
A basic feature is still not supported in 2023. If we use AWS Cognito to implement login with Google, it leads to a bad UX because users cannot select which Google account to log in with.
If someone is still looking for a solution for it, I highly recommend using a service from GCP instead of AWS Cognito.
@ArduinoGetStarted what is the name of the service from GCP that is equivalent to Cognito?
The way around this is to use Google as an OpenID authentication provider for your user pool in Cognito.
I have just written a solution for this problem on Stack Overflow.
Here is the link https://stackoverflow.com/a/75291833/13889098
Still no fix? Any update or workaround?
I face an issue still in March 2023.
Yeah, stop using Cognito. Stop.
Hey! Any updates from the Cognito team? Migrating to another auth provider is not a nice option for a project based on AWS. Please let us know...
Check out this answer on Stack Overflow: https://stackoverflow.com/a/75291833/13889098
Hey, is anyone able to solve this for react native?
Hey @jordanranz did you evaluate the effort of adding the prompt parameter as @S-Cardenas explained? I mean, it would just be to build the Google OAuth target URL with the additional parameter:
https://accounts.google.com/o/oauth2/v2/auth?client_id=[...]&prompt=select_account
It does not seem a big deal at all ;)
Well... I guess that URL ☝️ is actually built from Cognito internally, and that's why we're waiting for them to implement the feature, right?
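The `prompt=select_account` request discussed in this thread, as an added example that is not code from the thread, Amplify or Cognito. It assumes the application constructs the Google authorization request itself, which per the thread is not the case with the Cognito Hosted UI; the client id, redirect URI and state values are caller-supplied placeholders.

```javascript
// Added example: hypothetical helper names, not part of Amplify or Cognito.
const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';

// Return a prompt value that always contains select_account.
// OpenID Connect defines prompt as a space-delimited list, and "none" may not
// be combined with any other value, so "none" is dropped here.
function withSelectAccount(prompt) {
  const values = (prompt || '')
    .split(/\s+/)
    .filter(Boolean)
    .filter((v) => v !== 'none');
  if (!values.includes('select_account')) values.push('select_account');
  return values.join(' ');
}

// Build an authorization-code request that forces the account chooser.
// state must be an unpredictable per-request value that the caller verifies
// on the redirect back (CSRF protection).
function buildGoogleAuthUrl({ clientId, redirectUri, state, scope = 'openid email profile', prompt }) {
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope,
    state,
    prompt: withSelectAccount(prompt),
  }).toString();
  return url.toString();
}

// Rewrite an existing authorization URL so it forces the chooser,
// leaving every other parameter untouched. Rejects any other endpoint.
function forceAccountChooser(authUrl) {
  const url = new URL(authUrl);
  if (url.origin + url.pathname !== GOOGLE_AUTH_ENDPOINT) {
    throw new Error('not a Google authorization endpoint URL');
  }
  url.searchParams.set('prompt', withSelectAccount(url.searchParams.get('prompt')));
  return url.toString();
}
```

Forcing the chooser matters most on shared browsers, where a silent sign-in would otherwise reuse whichever Google session is already active.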