How to integrate Cognito User Pools with Cognito Federated Identity Pools

Question

Here’s our scenario for implementing user accounts in our app

1. User is automatically given an anonymous, guest account
2. User saves profile data into their guest account
3. In order to access their guest account from another device, the user must sign up and convert their guest account to a registered-user account
4. User signs in from another device, gains access to their registered-user account, and has access to their previously saved profile data

We don’t force users to complete steps #3 and #4. As long as they don’t need to switch devices, or factory reset their device, they won't lose access to their guest account.

Using Amazon Mobile SDK 2.3.x and Cognito Federated Identity Pools, we implemented the above steps as such:

1. Create an unauthenticated identity using Cognito Federated Identity Pools
2. Use Cognito Data Sync to save profile data
3. Use Facebook as a login provider to link Facebook login to the unauthenticated identity, thus converting it to a registered identity
4. Sign in using Facebook from another device, which switches to the registered identity from the previous device. User has access to the previous profile data saved in Cognito Data Sync

To implement these steps, we used sample code generated by AWS Mobile Hub, before the introduction of Cognito User Pools. It used a combination of AWSIdentityManager and AWSFacebookSignInProvider, and their supporting code. Everything worked as expected.

We are now trying to convert to the latest Amazon Mobile SDK 2.4.9 and use Cognito User Pools instead of Facebook login, to implement the same flow:

1. Same as above
2. Same as above
3. User signs up using Cognito User Pool to create a User Pool identity. Signs in with username/password.
4. User signs in using username/password on another device to switch to the registered User Pool identity. User should now have access to profile data saved in Cognito Data Sync.

Steps #1 & #2 are implemented using AWSIdentityManager from the AWSMobileHubHelper.framework; steps #3 & #4 are implemented with sample code from CognitoYourUserPoolsSample sample project.

The problems we’re having are:

1. In step #3, signing up creates a Cognito User Pool identity in the User Pool console. But signing in with that registered user does not link the login from the User Pool identity to the Identity Pool identity.
   • In the previous implementation, the identity provider “graph.facebook.com” was listed as a linked login in the Identity Pool console. There should be something similar for the identity provider “cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789”, as described in Integrating User Pools with Amazon Cognito Identity.
2. In step #4, after signing in using username/password of the registered User Pool identity, the Identity Pool identity never switches to the registered one on the previous device. (Probably due to issues from above). Thus, the previously saved profile data is not accessible.
   • In the Facebook implementation, the previous sample code did this for us, and notified the app as described in Switching Identities. In the User Pool implementation, the notification never comes.

---

There is a very important step that I’m missing here. I suspect that I’m not explicitly linking the Cognito User Pool login to the Cognito Identity Pool identity. In their CognitoYourUserPoolsSample, they don’t give an example of how to integrate User Pool identities with Federated Identity Pool.

The documentation says to simply do this and it’s automatic, but I couldn’t get that to work:

    AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
    AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                          initWithRegionType:AWSRegionUSEast1
                                                          identityPoolId:@“<identity-pool-id>"
                                                          identityProviderManager:pool];

    AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;

Anyone have any ideas or sample code that demonstrates the process? The closest sample code I could find was this fork of CognitoSyncDemo, and it still wasn’t quite what I needed.

Answer 1

The merging of identities is supported by the credentials provider but is not supported by the AWSIdentityManager (a part of the mobile-hub-helper). I have a modified version of the mobile-hub-helper (it is a fork off of the mobile-hub-helper github at https://github.com/BruceBuckland/aws-mobilehub-helper-ios). That fork modifies AWSIdentityManager to support several things: 1) It supports writing new AWSSignInProviders (a mobile-hub-helper protocol) and using them to resume sessions. 2) It supports "Allow Merged Identities" and the merging of identities. 3) It has a couple of helper methods to find which provider is doing the authenticating currently and the friendly name of a provider which is useful for showing the user what is linked, and showing which provider denied a login for example.

There is also a sample app that includes an implementation in swift of an AWSSignInProvider for Cognito User Pools. It demonstrates signin signout and account linking for the three providers (UserPools FaceBook and Google). It implements several capabilities of userpools including signup, signin, forgot password, update attributes, and the confirmation of those. It is at https://github.com/BruceBuckland/SignIn-awsmhh.

Finally I recommend that you take a look at the pdf of notes in the example app. They may help you understand the interactions of the components better. It took me a long time to understand cognito and I pulled my notes together to try to clarify the system for others. They are here: Cognito Notes and Diagram