LNI

Reputation: 3181

AWS Cognito identityId changing for anonymous/guest users

I was happily using Cognito Sync with my pre-release app (iOS/Objective-C), with Facebook login. However, upon submitting for Apple App Store review, I was asked to remove Facebook login. I thought it would be straightforward - just changed the unauth role policies to match the auth user and bypassed anything to do with Facebook authentication.

However, now I am finding that identityId is changing between sessions. It is behaving like a session ID. This is a major headache because my app uses identityId as the hash key in DynamoDB. So, for example, a DynamoDB search for recent activities by current user shows only the current session's history, not ALL history as intended.

I was using the sample app's code to obtain identityId - it seems to be getting assigned correctly. Based on the sample's AWSIdentityManager.m, following is part of the AppDelegate.m inside didFinishLaunchingWithOptions:

AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AMAZON_COGNITO_REGION
                                                                                                identityPoolId:AMAZON_COGNITO_IDENTITY_POOL_ID];
AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AMAZON_COGNITO_REGION
                                                                     credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;

[[credentialsProvider getIdentityId] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
        NSLog(@"Error: Could not obtain identity id: %@", task.error);
    }
    else {
        // the task result will contain the identity id
        NSString *cognitoId = task.result;
        NSLog(@"Got the identity ID as %@", cognitoId);
        // Don't change the ID
        NSString *oldId = [[NSUserDefaults standardUserDefaults] objectForKey:NSUD_COGNITO_ID];
        if (!oldId) {
            [[NSUserDefaults standardUserDefaults] setObject:cognitoId forKey:NSUD_COGNITO_ID];
            [[NSUserDefaults standardUserDefaults] synchronize];
        } else {
            NSLog(@"Old = %@, New = %@, Keeping old", oldId, cognitoId);
        }
    }
    return nil;
}];

I keep getting the message that old and new identities are not the same. Also, when I check in Cognito Sync, the old identities can no longer be found.

Now that there is no Facebook SignIn provider in use, how do I ensure that the identityId does not change across sessions etc.? Can someone shed light on why this is changing? I have confirmed that I am not clearing the keychain anywhere in the code.

Upvotes: 3

Views: 2582

Answers (2)

LNI

Reputation: 3181

For anyone else that may run into this situation:

The test phones (both iOS and Android) were using Facebook logins when I changed the strategy to use unauth. It is important to remember (and not very well documented, in my opinion) that going from unauth to auth logins is a one-way street - you cannot go from authenticated user to unauth without resetting the IDs. So the issue I ran into seems to be unique to my situation (of attempting to go from auth to unauth).

Upvotes: 1

Mark Mercurio

Reputation: 993

When using AWSCognitoCredentialsProvider, the identityId is cached locally and will be retrieved on instantiation of the provider for re-use.

Possible solutions:
(1) To get the identity ID, use "credentialsProvider.identityId" rather than "getIdentityId".
(2) Make sure you are not calling clearCredentials or clearKeyChain when closing the application.

Comments: Using unauth is fine; however, if the user deletes their application or logs in from a different device, there is no way to get the same identity again (as they are unauthenticated). If you need users to be able to access the same data across device/app installs, you will need some sort of authentication.

Upvotes: 1
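
The approach from the answer above, sketched as an added example (not code from either poster or from the AWS sample app): read the locally cached identityId first, fall back to getIdentityId only when nothing is cached, and log every identity switch the SDK reports so a changed DynamoDB hash key is noticed instead of silently splitting a user's history. The helper name ConfigureCognitoAndWatchIdentity and the static observer variable are hypothetical; the region and pool macros are the ones from the question, and the notification constants are the ones declared alongside AWSCognitoCredentialsProvider in the AWS iOS SDK.

```objective-c
#import <AWSCore/AWSCore.h>

// Hypothetical holder so the observer token stays alive for the app's lifetime.
static id identityObserver;

// Hypothetical helper: call once from application:didFinishLaunchingWithOptions:.
static void ConfigureCognitoAndWatchIdentity(void) {
    AWSCognitoCredentialsProvider *provider =
        [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AMAZON_COGNITO_REGION
                                                   identityPoolId:AMAZON_COGNITO_IDENTITY_POOL_ID];
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration =
        [[AWSServiceConfiguration alloc] initWithRegion:AMAZON_COGNITO_REGION
                                    credentialsProvider:provider];

    // The SDK posts this notification whenever the identity ID is replaced,
    // with the previous and new IDs in userInfo.
    identityObserver = [[NSNotificationCenter defaultCenter]
        addObserverForName:AWSCognitoIdentityIdChangedNotification
                    object:nil
                     queue:[NSOperationQueue mainQueue]
                usingBlock:^(NSNotification *note) {
        NSString *previousId = note.userInfo[AWSCognitoNotificationPreviousId];
        NSString *newId = note.userInfo[AWSCognitoNotificationNewId];
        NSLog(@"Cognito identity changed: %@ -> %@", previousId, newId);
        // Records keyed by previousId are no longer reachable under newId;
        // decide here whether to migrate them or treat this as a new user.
    }];

    // Cached value loaded from the keychain when the provider was created.
    NSString *cachedId = provider.identityId;
    if (cachedId) {
        NSLog(@"Reusing cached identity ID %@", cachedId);
        return;
    }

    // Nothing cached (first launch or keychain cleared): ask the service once.
    [[provider getIdentityId] continueWithBlock:^id(AWSTask<NSString *> *task) {
        if (task.error) {
            NSLog(@"Error: Could not obtain identity id: %@", task.error);
        } else {
            NSLog(@"Obtained new identity ID %@", task.result);
        }
        return nil;
    }];
}
```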
