MonoThreaded

Reputation: 12033

Amplify Cognito Google invalid email address format

I would like to identify users by email in a project using AWS Amplify + Google federation.

I was getting good results with usernames until I tried to switch to emails. The error shows up as error_description in the callback URL as follows:

https://domain.tld/?error_description=Invalid+email+address+format.+&state=some-state&error=invalid_request

What should go in cli-inputs.json / Cognito configuration to support email-based identification?

Upvotes: 1

Views: 952

Answers (2)

waded

Reputation: 78

In my experience the "Invalid+email+address+format" response from Cognito could be a missing mapping from the identity provider's claims to the user pool email field, but it could also be an errant mapping, e.g. mapping Google's email_verified to email, which sounds tempting, but email_verified is a boolean value, not an email address!

The attribute mappings are shown under the user pool's individual federated identity providers in Cognito.

Upvotes: 1
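
A small check for the two causes described in the answer above, a missing mapping and an errant one. This is an added example, not code from the answer or from AWS. The function names, the sample Google claims and the loose email pattern are assumptions made for illustration; the mapping dict uses user pool attributes as keys and provider claim names as values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Loose syntactic check only; an assumption standing in for Cognito's own validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of the claims a Google ID token carries (values are made up).
SAMPLE_GOOGLE_CLAIMS = {
    "sub": "110000000000000000001",
    "email": "user@example.com",
    "email_verified": True,
    "name": "Example User",
}


def callback_error(url):
    """Return (error, error_description) from a callback URL, or None if no error."""
    qs = parse_qs(urlsplit(url).query)
    if "error" not in qs:
        return None
    return qs["error"][0], qs.get("error_description", [""])[0].strip()


def lint_email_mapping(attribute_mapping, claims=SAMPLE_GOOGLE_CLAIMS):
    """Check what the pool's 'email' attribute would receive from the provider.

    attribute_mapping: {user pool attribute: provider claim name}.
    Returns a list of problem strings; an empty list means the mapping looks sane.
    """
    source = attribute_mapping.get("email")
    if source is None:
        return ["no provider claim is mapped to the user pool 'email' attribute"]
    if source not in claims:
        return [f"'email' is mapped from '{source}', which the provider does not send"]
    value = claims[source]
    if not isinstance(value, str) or not EMAIL_RE.match(value):
        return [f"'email' is mapped from '{source}', whose value {value!r} "
                f"({type(value).__name__}) is not an email address"]
    return []
```
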

Dave

Reputation: 7717

I don't know about the Google federation, but I think you must be using 'email' from the start (amplify add auth). You can't switch to email after the fact; you'd need to make a new pool and migrate users into it.

I use 'email' for the username. Here's my cli-inputs.json, hope it helps.

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "xxxxxa96d_identitypool_0821234d",
    "allowUnauthenticatedIdentities": false,
    "resourceNameTruncated": "xxxxx0821234",
    "userPoolName": "xxxxxa96d_userpool_081234d",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [
      "email"
    ],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": 30,
    "userpoolClientWriteAttributes": [
      "email"
    ],
    "userpoolClientReadAttributes": [
      "email"
    ],
    "userpoolClientLambdaRole": "xxxx_userpoolclient_lambda_role",
    "userpoolClientSetAttributes": false,
    "sharedId": "081234d",
    "resourceName": "xxxx0821234d",
    "authSelections": "identityPoolAndUserPool",
    "useDefault": "manual",
    "usernameAttributes": [
      "email"
    ],
    "userPoolGroupList": [],
    "serviceName": "Cognito",
    "usernameCaseSensitive": false,
    "useEnabledMfas": true,
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": true,
    "dependsOn": [],
    "thirdPartyAuth": false,
    "userPoolGroups": false,
    "adminQueries": false,
    "triggers": {},
    "hostedUI": false,
    "authProviders": [],
    "parentStack": {
      "Ref": "AWS::StackId"
    },
    "permissions": []
  }
}

Upvotes: 1
