Reputation: 16419
How to disable AWS Cognito User Pool account created via Identity Provider?
Any Cognito User Pool gurus out there? I've been using Cognito for a while now but this one has me a bit stumped.
We allow users to sign up and sign in using social accounts like Facebook which are set up as Identity Providers in the User Pool.
Users need to complete a custom registration form before they can use the main app - we don't use the hosted UI for login or signup
One step of the custom registration process allows the user to indicate which social provider then want to use
This allows us to pull back the users email, first and last names from the social provider which is great - we use a cognito client and callback to do this currently
But in doing so, this provisions a user within the Userpool before the registration process is complete - in fact this makes sense- in order for Cognito to provide us the user info it needs to have called into the social providers /userinfo endpoint to populate the user data
So, the issue we now have is that whilst the user is half way through the registration process I have a confirmed user account - eg. before the user has completed the registration process
This is an issue because a user could sign into the the app using their social login without ever have completed the registration process
So as I see it I have two options:
- PostConfirmation Lambda trigger which uses the cognito-idp SDK to disable the user just after it was confirmed
- Don't use Cognito to obtain the user info like firstname, lastname, email, picture etc - however this would require us to write a solution for every current and future social provider which isn't something I'm keen on
Am I missing something obvious?
Thanks in advance!
Upvotes: 1
Views: 3600
Answers (2)
Reputation: 16419
The simplest solution in the end for us was a Pre Token Generation Trigger in Cognito like this:
exports.handler = async (event) => {
if(event.triggerSource==="TokenGeneration_HostedAuth") {
//check db/api etc to see if we have a valid registration stored for user
if(!hasCompletedRegistration) {
//throw auth exception which we can catch on the frontend to inform user
throw new Error("REGISTRATION_NOT_COMPLETE")
}
}
return event
};
For username/password sign ins the TriggerSource will be TokenGeneration_Authentication
For federated/social sign ins the TriggerSource will be TokenGeneration_HostedAuth
Upvotes: 2
Reputation: 609
I would say PostConfirmation Lambda trigger is a good approach - however instead use adminDisableProviderForUser to disable the user from signing in with the specified external (SAML or social) identity provider
You can later call adminLinkProviderForUser to link the existing user account in the user pool to the external identity provider.
An alternative solution is to prevent the user from signing in if they have not fully completed the registration process via a Pre Authentication Lambda Trigger checking for a unique identifier with respect to your completed registration process
Upvotes: 1
Related Questions
- AWS Cognito-remove signup in login page
- AWS Cognito User Pool disable login button
- Is it possible to disable a congnito user pool?
- Disable cognito user through Lambda
- Disable a user from cognito
- How to disable Cognito user signups via CloudFormation?
- Delete the user pool added by AWS Amplify
- Change cognito user pool user status
- Using Cognito User Pools, without Cognito Federated Identities(identity pools)
- Stop Unauthenticated Cognito Identity User Pool Signup