amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Attribute required during google authentication #54

Closed: railsstudent closed this issue 6 years ago

railsstudent commented 6 years ago

I have a Cognito user pool where email and phone number are required attributes. When using the OAuth code grant flow for Google authentication, the OAuth callback receives the error message "attributes required: phone_number".

The Gmail account has a phone number, and I also map the Google attribute phoneNumbers to the Phone Number user pool attribute.

Please advise how to resolve the error. Thanks.

Connie

ashwindevendran commented 6 years ago

Hi,

In your user pool, do you require PhoneNumber to be verified? (This information will be helpful in debugging the issue.)

-Ashwin

railsstudent commented 6 years ago

@ashwindevendran Yes, the phone number is a required attribute in the user pool. The user pool was created for authentication without federation in mind. Now, my company wants to use Google login and prefers to reuse the existing user pool. However, the required attribute is making it impossible.

Thanks,

Connie

jonasao commented 6 years ago

A user's phone number is out of scope when authenticating using Google as a federated identity. You will probably have to fetch this manually, and add it to the data returned when the user is authenticating.

railsstudent commented 6 years ago

How can I do it? The hosted UI does not have a place for the user to input a phone number. Then Google authentication redirects to the callback URL with an error query parameter. Can I pass a dummy phone number to the authorize endpoint?

jonasao commented 6 years ago

I am not sure, but maybe a pre-authentication Lambda will help you to set the user as verified without adding a valid phone number.

http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

ashwindevendran commented 6 years ago

Hi,

@jonasao is correct; it is not within scope for Google Sign-in (https://developers.google.com/identity/protocols/googlescopes#google_sign-in).

Assuming you would like to keep the existing user pool and not migrate to a new one that does not have phone-number as a required attribute: We will look into a long-term solution for this; in the meantime you will have to obtain that information beforehand for the user (a trigger would be one such way).

railsstudent commented 6 years ago

@ashwindevendran Which trigger should I implement to pass the phone number?

I have a pre-signup trigger in the Cognito user pool that links the Google account to an existing user in the user pool. The existing user already has a phone number, yet the same error message is shown.

The pre-signup trigger is never fired.

Please advise. Thanks.

yuntuowang commented 6 years ago

Hi @railsstudent, I think you should implement a Pre authentication trigger.

For more info, please see here: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

railsstudent commented 6 years ago

@yuntuowang I implemented a pre authentication trigger that only does a simple console.log. The trigger is not called and the same error message, attributes required: [phone_number], is returned.

railsstudent commented 6 years ago

@jonasao @yuntuowang Is there no workaround other than creating a new user pool where phone number is not a required attribute?
If this is the case, I need to discuss with my supervisor. Thanks.

yuntuowang commented 6 years ago

@railsstudent You are correct. An attribute cannot be switched between required and not required after a user pool has been created. Details here: http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

viirak commented 5 years ago

Hi, has this issue been resolved? I am having exactly the same situation here.

narindermalik2 commented 4 years ago

Getting the same issue. Has anyone found any solution?

trongnsy commented 4 years ago

I am having the exact same issue. Seems like there is no trigger to intercept and fill in the blanks. Has anyone come up with a solution?