amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Error while signin user-pool using Facebook and Google social account #159

Closed engharb closed 5 years ago

engharb commented 6 years ago

Hello all, @yuntuowang

I have created a new User Pool and enabled the FB and Google providers to be able to log in. I can sign in by calling https:///login?response_type=code&client_id=&redirect_uri=https://www.example.com

The second time, when I try again to sign in using the same FB account, I get

#error_description=Invalid+user+attributes%3A+email%3A+Attribute+cannot+be+updated.%0A+&error=invalid_request

I mapped the email in the attribute mapping, and I set the email as required and then as non-required; I have the same issue. It is annoying and I could not solve it.

Can anyone help me with what I should do?

I think this is related to https://github.com/aws/amazon-cognito-auth-js/issues/48

thanks

engharb commented 6 years ago

Also, from time to time I used to get: error_description=Client+is+not+enabled+for+OAuth2.0+flows+&error=invalid_request ??

AdrienFery commented 5 years ago

Same issue for me...

engharb commented 5 years ago

@AdrienFery Regarding

Invalid+user+attributes%3A+email%3A+Attribute+cannot+be+updated

You have to remove the Email attribute from the required attributes in your User Pool and set it as mutable=true (I used to do that in Terraform or the AWS CLI).

And considering

error_description=Client+is+not+enabled+for+OAuth2.0+flows+&error=invalid_request

I configured that in Terraform as:

```hcl
resource "aws_cognito_user_pool_client" "myapp" {
  ...
  # enables the hosted UI / OAuth 2.0 flows for this app client
  allowed_oauth_flows_user_pool_client = true
  ...
}
```

ryang-bgl commented 5 years ago

@engharb Hi, could we re-open this, as this seems to be a common issue? And the solution "recreating the pool" isn't ideal. The root of the issue is that once you create the pool with "email" as required, Cognito will mark it as mandatory and also immutable. So the second time you log in with SAML or social login, it will fail because Cognito will try to update all the mapped attributes, but email isn't mutable. What's worse is that you cannot change the mutability of "email" unless you recreate the pool.

Please advise if there is a better option other than recreating the pool. This isn't an option if you have a production pool which already has a lot of users.
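A complete Terraform configuration that applies both fixes from the comments above at pool-creation time (email declared as non-required and mutable, and the app client enabled for OAuth 2.0 flows), written as an added example for this thread rather than code from the project or from any commenter. The pool and client names, the `example.com` callback URL, the hosted-UI domain prefix and the Facebook app credential variables are placeholders; Google would be a second `aws_cognito_identity_provider` of the same shape. Because `required` and `mutable` on a schema attribute cannot be changed after the pool exists, Terraform will replace the pool if you change them later, so they need to be right on the first apply.

```hcl
# Added example, not from the thread. All names and URLs are placeholders.

variable "facebook_app_id" {}
variable "facebook_app_secret" {
  sensitive = true
}

resource "aws_cognito_user_pool" "myapp" {
  name = "myapp-users"

  # Declare email explicitly. required = false and mutable = true let the
  # federated sign-in update the mapped attribute on every login, which is
  # what fails with "Attribute cannot be updated" when email is required.
  # These two flags are fixed at creation time, so set them here.
  schema {
    name                = "email"
    attribute_data_type = "String"
    required            = false
    mutable             = true

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  auto_verified_attributes = ["email"]
}

# Hosted UI domain that serves the /login endpoint used in the first comment.
resource "aws_cognito_user_pool_domain" "myapp" {
  domain       = "myapp-login-placeholder"
  user_pool_id = aws_cognito_user_pool.myapp.id
}

resource "aws_cognito_identity_provider" "facebook" {
  user_pool_id  = aws_cognito_user_pool.myapp.id
  provider_name = "Facebook"
  provider_type = "Facebook"

  provider_details = {
    client_id        = var.facebook_app_id
    client_secret    = var.facebook_app_secret
    authorize_scopes = "email,public_profile"
  }

  # Map the provider's email onto the (now mutable) pool attribute.
  attribute_mapping = {
    email    = "email"
    username = "id"
  }
}

resource "aws_cognito_user_pool_client" "myapp" {
  name         = "myapp-web"
  user_pool_id = aws_cognito_user_pool.myapp.id

  # Without this flag the hosted UI answers
  # "Client is not enabled for OAuth2.0 flows".
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email", "profile"]
  callback_urls                        = ["https://www.example.com"]
  logout_urls                          = ["https://www.example.com"]
  supported_identity_providers         = ["COGNITO", "Facebook"]

  # The client must be created after the provider it lists.
  depends_on = [aws_cognito_identity_provider.facebook]
}
```

For an existing production pool the thread's point stands: this configuration does not migrate users, it only avoids the problem for a pool created with it. A second login through Facebook against such a pool updates the email attribute instead of returning the invalid_request error.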

ryang-bgl commented 5 years ago

@engharb Also, it would be helpful if the Cognito team could advise whether fixing this is on their roadmap or not.