FB, Google and Amazon users in user pool

[vishnushelar]

I am creating user registration module in which I am adding users into userpool.

Check my following scenario :

1. When I am signing up using abc@yopmail.com, this user is getting added into userpool.
2. When I am signing up using abc@yopmail.com with fb, this user is getting added into federal identity.

Can you provide me solution to keep uniqueness in userpool ?

[douglasgimli]

Same problem here.. Based in the issue #500 when the Facebook is added as a identity provider for the User Pool it should create the user automaticaly into the User Pool, but this isn't true, it only creates a federal identity but no user in the user pool is created. Almost a month trying to solve that with no luck..

[jonsmirl]

It made a Facebook user in the pool for me on Nov 30. I made one with Google, Facebook and user_pool. I should say that I was using the Oauth URL directly and not using the SDK.

Facebook_1613644848950245 | Enabled | EXTERNAL_PROVIDER | Dec 1, 2017 2:50:38 AM | Nov 30, 2017 9:47:14 PM
Google_100699090485695364248 | Enabled | EXTERNAL_PROVIDER | Dec 1, 2017 3:29:39 AM | Nov 30, 2017 9:39:56 PM
ff4c612e-3c2f-41b4-8c0e-21d0a70c8285 | Enabled | CONFIRMED | Dec 1, 2017 2:52:14 AM | Nov 30, 2017 1:28:41 AM

[mvpscottjon]

@jonsmirl
what do you mean Oauth URL?

does It mean customization UI from cognito pool?

Although I design iOS App, I stuck same problem in it.

I can get token from FB,Google, and in federate identity pool console, but I can't auto sign up when I log in from Fb or Google....

[joe455]

@jonsmirl
Can you please explain the process to add federated users into userpool?

[douglasgimli]

For everyone who is passing throw this problem, we opened a support ticket with AWS and after that we're able to create users into the user pool via social login, the steps provided by the support are:

• You have added Facebook as an auth provider in the Identity pool. After passing Facebook token in the login map you get an Identity Id but no users are created in Userpool.
  ==> This is expected. When auth providers are added to an Identity pool, they are not affected by changes in Identity pool. What I mean is that in context of an identity pool, a Userpool is just another identity provider like Facebook or Google. Now, when you use a Userpool token in the login map you do not expect a user to be created on Facebook or Google. Similarly, when you use a Facebook token, no user is created in Userpool.

• You have also tried configuration Facebook directly in the userpool. But even then no users were created for Facebook sign in.
  ==> Now, in this case, users can be created. But for this, you need to use the Cognito Authorization endpoint for login. The easiest way to do so would be to use our built-in UI for login:-
  -- Enable app integration and add Facebook as a provider directly in the Userpool[1]. Also, map the attributes[2] between Facebook & Userpool
  -- Enable Facebook in your client (App Integration->App Client settings)
  -- Use the Authorization endpoint for login. The easiest way is to use our UI[3]
  https://your_domain.auth.us-east-1.amazoncognito.com/login?redirect_uri=your_redirect_uri&response_type=token&client_id=xxxx
  Select Facebook on this UI and you will be redirected to Facebook for login. After successful authentication, a user will be automatically created in userpool.
  -- If you do not want to use the built-in UI, you can use the Authorization endpoint[4] to redirect to Facebook. In your UI, upon clicking Facebook button, redirect users to
  https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=your_redirect_uri&response_type=token&client_id=xxxx& identity_provider=Facebook
  This should also lead to user creation on Facebook login.

[jonsmirl]

I used this method, -- Use the Authorization endpoint for login., from the above post.

Note that there is also aws-amplify
https://github.com/aws/aws-amplify
This is a new AWS library and it does not work 100% correctly yet.

Many people are confused by the two pool types. The User Pool is an authentication pool. Users interact with this pool to prove who they are. For many years Cognito User pools were a stand-alone authentication scheme. Only recently has the UI been added to bounce over to Googe/FB and authenticate there.

You can also authenticate by directly interacting with G/FB, either directly via Oauth or by using their SDKs. aws-amplify uses the SDKs. Besides G/FB there are many other authentication providers -- Microsoft, Auth0, Github, Twitter, etc.

Once you have the ability to prove who you are (authentication) you use an Identity Pool to authorize your access into AWS and get credentials. Identity pools verify this proof of who you are and then map it into AWS credentials. Identity pools are not a database of users. It is possible to use AWS only via the Identity Pool if all of your users are authenticated externally by Google/FB/Auth0/Github/etc.

In summary - there is only one mass authorization scheme for AWS, the identity pool. There can be many authentication providers -- Google, FB, Github, User Pool, Auth0. As a convenience the new User Pool UI has added the Login In with FB/Google buttons. Those buttons still go off to G/FB to authenticate.

The use of User Pool is optional. You can use User Pool if you want to provide a way for people to log into your app other than via a Social provider. If are happy with only allowing Social logins you can ignore User Pools. For example in a log-in dialog where it says: enter user name and password, that's User Pool. The Social buttons go off to their respective Social providers. It is perfectly valid to only offer Social buttons. There is no requirement that you use User Pool for the name/password support. AWS supports Developer Authenticated Entities or you can use an external providers like Auth0.

PS - this terminology is very confusing. You might ask why am I using the authorization endpoint to authenticate? That authorization endpoint is authorizing you into Google/FB not AWS. You need to use it to get an authentication token from Google/FB and then hand it off to the Identity Pool to be authorized on AWS.

[joe455]

Now, I want to call getUserAttributes method on the redirected page(suppose localhost
:4200/myprofile). BUt to do that, getCurrentUser() is returning null.Any idea how can I implement this?

[jonalexander]

@joe455 was your user added to a User Pool or Identity Pool? can you post some code?

[joe455]

@jonalexander We should be using https://github.com/aws/amazon-cognito-auth-js to create a user into userpool.

[verbeeckjan]

I'm having the same problem as @joe455. A user is successfully created in my userPool but how do I get the actual attributes of the user that was created through FB? @itrestian can you help?

[sanjosedennis7593]

Any sample code that will register facebook/google account to userpool? I did a lot of research about this, still got no luck.

[douglasgimli]

@verbeeckjan you just need to map them, this is done into the 'Attribute Mapping', it's the last item in your userpool side menu.

@sanjosedennis7593 actually you don't need a code to create this, after the initial setup (FB app creation, add identity providers into your userpool - there's a menu into your userpool for that -, setup the app clients) you just need to redirect your users in the frontend to the URL:

https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=your_redirect_uri&response_type=token&client_id=xxxx& identity_provider=Facebook
This should also lead to user creation on Facebook login.

If everything works as expected the FB login screen will show up, the user will accept it and a token you be pass as a get parameter to your application.

[matyaspeto]

I configured everything exactly as @douglasgimli described, but on the login URL I keep getting invalid_request error, without any explanation.

[xvvvyz]

@matyaspeto I finally got things working after following the documentation for generating that url...

https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

[matyaspeto]

@cadejscroggins yeah, for me it just started to work, after I set this config to the App client:

I beleive the relevant part is Authorization code grant and Implicit grant

With Authorization code grant checked, I'm able to use response_type=code in the URL, with Implicit grant checked, response_type=token

[balakrishna222111]

@matyaspeto @douglasgimli

after sign in the user from facebook app i can able to redirecting to this page SUCCESSFULLY

but after when am clicking with continue with facebook # # throwing an error like this

[matyaspeto]

@balakrishna222111 do you have your FB app set up properly? Also while your app is not published, only you as it's developer has access to it, so if you try to use it in Chrome incognito mode, in an other tab you should log in to your FB account I guess.

[balakrishna222111]

@matyaspeto @cadejscroggins @jonsmirl
yes.., i a m working in incognito mode only and i'm opening the browser in another tab exactly
Still facing ABOVE ISSUE..!

[rohanseth497]

@douglasgimli After receiving the access_token,id_token what should I do ... should I pass this id_token to aws.config.credentials and how would I get a reference of this particular logged in user

[AashishKJha]

@Zorail @balakrishna222111
i am getting identity_id from
AWS.config.credentials.get((err) => {
if (err) {
alert("Error: " + err);
return;
}
alert("Cognito Identity Id: " + AWS.config.credentials.IdentityId);

    });

Now what should be next step to get current user and jwttoken??