Jez D

Reputation: 1489

AWS Cognito & Lambda: add federated identity to user pool

I know my question is similar to this one, but I feel it isn't asked very well, so I will ask it my way.

I have a properly functioning AWS Cognito user pool for a web application. I also have a fully functional Identity Pool for the same application. The identity pool is used to authorise users who have authenticated with LinkedIn. I have created a LinkedIn app and all is good there.

Now, I know that AWS Cognito does not support LinkedIn, but I have found a way around that by creating a custom authentication provider for the Identity Pool.

So, when a LinkedIn user signs in with LinkedIn, my app obtains the user's LinkedIn ID, email address, name and location. The ID and email address are posted via the AWS API Gateway to my Lambda function.

Using the Boto3 function get_open_id_token_for_developer_identity(), the Lambda function then passes the LinkedIn email to the Cognito Identity Pool, which returns an object containing IdentityId and Token.

All of the above works fine.

However, the problem I have with User Pool v Identity Pool is that it is possible to have two separate identities with the same email address - one in Identity Pool and one in User Pool.

How does one go about amalgamating these users? One is in UserPool and one is a developer identity in a custom identity pool.

Upvotes: 1

Views: 1551
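For reference, here is what the Lambda side of the developer-authenticated flow described in the question looks like end to end. This is an added example, not the poster's code. It assumes a developer provider named `login.example.linkedin` registered on the identity pool, an identity pool ID supplied via environment variable, and that the LinkedIn access token has already been verified server-side (for instance by calling LinkedIn's profile endpoint from the Lambda) before the ID reaches this code, since trusting a client-posted ID would let anyone mint a token for any LinkedIn member. It also deliberately keys the developer identity on the LinkedIn ID rather than the email address, because an email can change or be re-registered by someone else, which would quietly hand the new owner the old user's Cognito identity. The boto3 client is injectable so the handler can be exercised offline with the constructed fake at the bottom.

```python
"""Lambda: exchange a server-verified LinkedIn identity for a Cognito
Identity Pool token via GetOpenIdTokenForDeveloperIdentity.

Added example, not the original poster's code. Assumed names: the
developer provider "login.example.linkedin", the IDENTITY_POOL_ID
environment variable, and the shape of a LinkedIn member ID.
"""
import json
import os
import re

# Assumed configuration; in a real deployment these come from the environment.
IDENTITY_POOL_ID = os.environ.get(
    "IDENTITY_POOL_ID", "eu-west-1:00000000-0000-0000-0000-000000000000")
DEVELOPER_PROVIDER = os.environ.get("DEVELOPER_PROVIDER", "login.example.linkedin")

# Assumed shape of a LinkedIn member ID: short, URL-safe, no separators.
LINKEDIN_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def developer_user_identifier(linkedin_id: str) -> str:
    """Build the DeveloperUserIdentifier from the immutable LinkedIn ID.

    Using the email here instead would tie the Cognito identity to a
    mutable, re-assignable attribute.
    """
    if not LINKEDIN_ID_RE.fullmatch(linkedin_id or ""):
        raise ValueError("invalid LinkedIn id")
    return f"linkedin:{linkedin_id}"


def get_identity_token(client, linkedin_id: str, ttl_seconds: int = 900) -> dict:
    """Call GetOpenIdTokenForDeveloperIdentity and return IdentityId + Token."""
    resp = client.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER: developer_user_identifier(linkedin_id)},
        TokenDuration=ttl_seconds,  # keep the OpenID token short-lived
    )
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}


def handler(event, context=None, client=None):
    """API Gateway proxy-integration entry point.

    The LinkedIn ID in the body is assumed to have been verified against
    LinkedIn by the caller of this function, not taken on trust from the browser.
    """
    if client is None:
        import boto3  # imported lazily so the module imports without the SDK
        client = boto3.client("cognito-identity")
    try:
        body = json.loads(event.get("body") or "{}")
        result = get_identity_token(client, body.get("linkedin_id", ""))
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps(result)}


class FakeCognitoIdentity:
    """Constructed stand-in for the boto3 cognito-identity client (offline use)."""

    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(kwargs)
        user = kwargs["Logins"][DEVELOPER_PROVIDER]
        region = IDENTITY_POOL_ID.split(":")[0]
        return {"IdentityId": f"{region}:fake-{user}", "Token": "eyJ.fake.token"}


if __name__ == "__main__":
    fake = FakeCognitoIdentity()
    event = {"body": json.dumps({"linkedin_id": "abc123XYZ", "email": "jez@example.com"})}
    print(handler(event, client=fake))
```

The email is still accepted in the body (the poster's app sends it) but plays no part in the identity key; if you want it on the Cognito side, store it as a user attribute or in your own table keyed by IdentityId instead.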

Answers (1)

Joe Lafiosca

Reputation: 1846

When using a Cognito Identity Pool with federated identities and a Cognito User Pool, there is no way to amalgamate the users from external services with those in your user pool, as you have realized. This was a major frustration, but late in 2017 Amazon added the ability to hook federation directly to Cognito User Pools:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html

Essentially you can connect an external social service with your Cognito User Pool by configuring it in the "Federation > Identity Providers" section when viewing your user pool in the AWS web console. You authorize the scopes you need and link them to user pool attributes. Then when someone logs in with a federated identity (e.g., from Facebook), a Cognito user is created in your user pool with the corresponding values and a marker that indicates that it is a federated user. (As an aside: these values are conveniently passed in the authorizer claims when using the Cognito User Pool as security for an API Gateway endpoint, for easy access in Lambda handlers.)

LinkedIn, as you probably guessed, is not one of the social networks supported out of the box. From the documentation, it appears that you might be able to implement your LinkedIn integration as a SAML 2.0 identity provider to connect it with your Cognito User Pool for this functionality.

With this approach, depending on your use case, there might be no need for the Cognito Identity Pool at all.

Upvotes: 3
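The aside in the answer about claims reaching Lambda through the API Gateway authorizer is where the "federated user marker" becomes useful in practice. The following is an added example, not part of the answer or the poster's code. It assumes an API Gateway proxy integration with a Cognito User Pool authorizer, which places the ID-token claims under event["requestContext"]["authorizer"]["claims"], and that a user created through user-pool federation carries an `identities` claim listing the linked providers. Because the claims map holds strings, `identities` may arrive as a JSON string rather than a list, so both forms are handled. The sample events at the bottom are constructed for the example. One caveat a handler should enforce: treat `email` from a federated user as verified only if the provider asserted it and you mapped `email_verified`; otherwise a federated account can claim an address that belongs to an existing native user.

```python
"""Read Cognito User Pool authorizer claims from an API Gateway event and
distinguish federated users (created via Federation > Identity Providers)
from native user-pool users.

Added example; assumed: proxy integration, Cognito User Pool authorizer,
and the `identities` claim as the federation marker.
"""
import json


def _parse_identities(raw):
    """Normalise the `identities` claim to a list of provider records."""
    if raw is None:
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return []
    if isinstance(raw, dict):
        raw = [raw]
    return [r for r in raw if isinstance(r, dict)]


def describe_caller(event) -> dict:
    """Summarise who is calling, based only on authorizer-supplied claims."""
    claims = (event.get("requestContext", {}).get("authorizer", {}).get("claims")) or {}
    if not claims or claims.get("token_use") != "id":
        # No claims means the authorizer was bypassed or misconfigured; never
        # fall back to body-supplied identity here.
        raise PermissionError("missing or non-ID-token authorizer claims")
    identities = _parse_identities(claims.get("identities"))
    providers = sorted({i["providerName"] for i in identities if i.get("providerName")})
    return {
        "sub": claims.get("sub"),
        "username": claims.get("cognito:username"),
        "email": claims.get("email"),
        # Claims arrive as strings; only an explicit "true" counts as verified.
        "email_verified": str(claims.get("email_verified", "")).lower() == "true",
        "federated": bool(identities),
        "providers": providers,
    }


def handler(event, context=None):
    try:
        caller = describe_caller(event)
    except PermissionError as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps(caller)}


def _event(claims):
    return {"requestContext": {"authorizer": {"claims": claims}}}


# Constructed sample events (not captured from a real deployment).
NATIVE_EVENT = _event({
    "sub": "11111111-1111-1111-1111-111111111111",
    "token_use": "id",
    "cognito:username": "jez",
    "email": "jez@example.com",
    "email_verified": "true",
})

FEDERATED_EVENT = _event({
    "sub": "22222222-2222-2222-2222-222222222222",
    "token_use": "id",
    "cognito:username": "Facebook_10155130893478981",
    "email": "jez@example.com",
    # Mapped from the IdP; no email_verified claim was mapped, so it stays unverified.
    "identities": json.dumps([{
        "userId": "10155130893478981",
        "providerName": "Facebook",
        "providerType": "Facebook",
        "primary": "true",
    }]),
})

if __name__ == "__main__":
    print(handler(NATIVE_EVENT))
    print(handler(FEDERATED_EVENT))
    print(handler({}))
```

In the federated case the address is the same as the native user's, but `email_verified` stays false, which is exactly the situation that should block any "merge by email" logic in the handler.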
