aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Amplify push to add Social Providers to Auth results in error: Updated are not allowed for property - UsernameConfiguration #10846

Closed Phobarp closed 2 years ago

Phobarp commented 2 years ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v16.16.0

Amplify CLI Version

9.2.0

What operating system are you using?

Windows

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Amplify Categories

auth

Amplify Commands

push, update

Describe the bug

I am attempting to add Google and Facebook as social providers to an existing user pool using AWS Amplify. After running amplify update auth, applying the default configuration with social providers, and entering the specific App IDs, I get the following error when I run amplify push:

Following resources failed

Resource Name: us-east-2_QVfqV5sLt (AWS::Cognito::UserPool)
Event Type: update
Reason: Updates are not allowed for property - UsernameConfiguration. (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidParameterException; Request ID: null; Proxy: null)

Expected behavior

I expected changes to push without any issues

Reproduction steps

After adding auth to amplify without social providers and pushing the changes:

  1. I typed in amplify update auth
  2. I then received the following message, to which I answered Y:
    A migration is needed to support latest updates on auth resources
    Recommended to try in a non-production environment first. Run "amplify env add" to create or clone an environment.
    Custom CloudFormation changes will NOT be preserved. Custom changes can be made with "amplify auth override" after migration.
    Learn more about this migration: https://docs.amplify.aws/cli/migration/override
    Do you want to migrate auth resource "..."? (Y/n) · yes
  3. I then entered the following information along with the App ID information for both Google and Facebook:
    Using service: Cognito, provided by: awscloudformation
    What do you want to do? Apply default configuration with Social Provider (Federation)
    What domain name prefix do you want to use? ...
    Enter your redirect signin URI: http://localhost:3000/
    ? Do you want to add another redirect signin URI: No
    Enter your redirect signout URI: http://localhost:3000/
    ? Do you want to add another redirect signout URI:  No
    Select the identity providers you want to configure for your user pool: Facebook, Google
  4. After pushing these changes with amplify push, I received the error

Project Identifier

1c94f676c0a86ca6076c9de8ec67190e

Additional information

No response

josefaidt commented 2 years ago

Hey @Phobarp :wave: thanks for raising this! From your project I see this usernameAttributes value that stands out to me:

```json
"usernameAttributes": [
    "email, phone_number"
],
```

From git, are you able to see what this value was set to previously?

Phobarp commented 2 years ago

Hey @josefaidt! usernameAttributes was previously also set to email and phone_number

josefaidt commented 2 years ago

Hey @Phobarp thanks for clarifying, were they previously shown as separate attributes?

```json
"usernameAttributes": [
    "email", "phone_number"
],
```

Phobarp commented 2 years ago

They were previously set as one attribute as well; this remains unchanged:

```json
"usernameAttributes": [
    "email, phone_number"
],
```

josefaidt commented 2 years ago

Hmm, would you mind posting the diff of this file before/after migrating?

Phobarp commented 2 years ago

Yes of course, and just to be clear, we are talking about .../amplify/backend/auth/resourceName/parameters.json before and .../amplify/backend/auth/resourceName/build/parameters.json after, correct?

josefaidt commented 2 years ago

Before migrating it will be parameters.json, and after it will be cli-inputs.json.

Phobarp commented 2 years ago

Here are the files (I took out the name attributes). parameters.json before:

```json
{
  ...,
  "allowUnauthenticatedIdentities": false,
  "autoVerifiedAttributes": ["email"],
  "mfaConfiguration": "OFF",
  "mfaTypes": ["SMS Text Message"],
  "smsAuthenticationMessage": "Your authentication code is {####}",
  "smsVerificationMessage": "Your verification code is {####}",
  "emailVerificationSubject": "Your verification code",
  "emailVerificationMessage": "Your verification code is {####}",
  "defaultPasswordPolicy": false,
  "passwordPolicyMinLength": 8,
  "passwordPolicyCharacters": [],
  "requiredAttributes": [],
  "userpoolClientGenerateSecret": false,
  "userpoolClientRefreshTokenValidity": 30,
  "userpoolClientWriteAttributes": ["email"],
  "userpoolClientReadAttributes": ["email"],
  "userpoolClientSetAttributes": false,
  "sharedId": "7a629ee5",
  "authSelections": "identityPoolAndUserPool",
  "authRoleArn": {
    "Fn::GetAtt": ["AuthRole", "Arn"]
  },
  "unauthRoleArn": {
    "Fn::GetAtt": ["UnauthRole", "Arn"]
  },
  "useDefault": "default",
  "usernameAttributes": ["email, phone_number"],
  "triggers": "{}",
  "userPoolGroupList": [],
  "serviceName": "Cognito",
  "usernameCaseSensitive": false,
  "parentStack": {
    "Ref": "AWS::StackId"
  },
  "breakCircularDependency": true,
  "permissions": [],
  "dependsOn": []
}
```

cli-inputs.json after:

```json
{
  "version": "1",
  "cognitoConfig": {
    "allowUnauthenticatedIdentities": false,
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": 30,
    "userpoolClientWriteAttributes": [
      "email"
    ],
    "userpoolClientReadAttributes": [
      "email"
    ],
    "userpoolClientSetAttributes": false,
    "authSelections": "identityPoolAndUserPool",
    "serviceName": "Cognito",
    "useDefault": "defaultSocial",
    "sharedId": "7a629ee5",
    "userPoolGroupList": [],
    "usernameAttributes": [
      "email, phone_number"
    ],
    "usernameCaseSensitive": false,
    "triggers": {},
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": true,
    "useEnabledMfas": false,
    "dependsOn": [],
    "hostedUI": true,
    "authProvidersUserPool": [
      "Facebook",
      "Google"
    ],
    "hostedUIProviderMeta": "[{\"ProviderName\":\"Facebook\",\"authorize_scopes\":\"public_profile\",\"AttributeMapping\":{\"username\":\"id\"}},{\"ProviderName\":\"Google\",\"authorize_scopes\":\"openid profile\",\"AttributeMapping\":{\"username\":\"sub\"}}]",
    "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"http://localhost:3000/\"],\"LogoutURLs\":[\"http://localhost:3000/\"]}",
    "authProviders": [],
    "parentStack": {
      "Ref": "AWS::StackId"
    },
    "permissions": []
  }
}
```

akshbhu commented 2 years ago

Hi @Phobarp

Can you check the UsernameConfiguration attribute value in your Cognito console?

If the value is enabled there, you can try removing the usernameCaseSensitive flag from cli-inputs.json and running amplify push again.

Let me know if that works for you.
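A pre-flight check for the situation described in this thread, written as an added example and not part of the Amplify CLI or this issue. It compares the live user pool (the shape returned by the cognito-idp DescribeUserPool API) with the `usernameCaseSensitive` value Amplify would push from `cli-inputs.json`, and reports when a push would try to change `UsernameConfiguration.CaseSensitive`, which Cognito does not allow after the pool exists. The sample pool response and cli-inputs excerpt are constructed; the pool id and the assumption that a pool with no `UsernameConfiguration` behaves as case-sensitive are mine, not from the thread. `fetch_live_pool` is only there to show how the real data would be obtained with boto3 and is not needed to run the example offline.

```python
"""Pre-flight check: would `amplify push` try to change the immutable
UsernameConfiguration.CaseSensitive property of an existing Cognito user pool?

Added example for this thread, not Amplify CLI code. Compares the live pool
(DescribeUserPool shape) with the desired value in cli-inputs.json.
"""
import copy
import json
from typing import Any, Dict, List, Optional

# Constructed DescribeUserPool excerpt. Assumption: the pool was created as
# case-sensitive (pool id is a placeholder, not the one from the issue).
LIVE_POOL_CASE_SENSITIVE: Dict[str, Any] = {
    "Id": "us-east-2_EXAMPLE",
    "UsernameConfiguration": {"CaseSensitive": True},
    "UsernameAttributes": ["email", "phone_number"],
}

# Constructed cli-inputs.json excerpt mirroring the one posted in the thread.
CLI_INPUTS: Dict[str, Any] = json.loads('''{
  "version": "1",
  "cognitoConfig": {
    "usernameCaseSensitive": false,
    "usernameAttributes": ["email, phone_number"]
  }
}''')

IMMUTABLE_MSG = "Updates are not allowed for property - UsernameConfiguration"


def desired_case_sensitive(cli_inputs: Dict[str, Any]) -> Optional[bool]:
    """CaseSensitive value Amplify would render, or None if the flag is absent
    (an absent flag leaves the property out of the update)."""
    return cli_inputs.get("cognitoConfig", {}).get("usernameCaseSensitive")


def live_case_sensitive(pool: Dict[str, Any]) -> bool:
    """Live setting. Assumption: no UsernameConfiguration means case-sensitive."""
    return pool.get("UsernameConfiguration", {}).get("CaseSensitive", True)


def check_username_configuration(pool: Dict[str, Any], cli_inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Return {'ok': bool, 'reason': str, ...}; ok is False when the push would
    attempt to flip CaseSensitive on an existing pool."""
    desired = desired_case_sensitive(cli_inputs)
    live = live_case_sensitive(pool)
    if desired is None:
        return {"ok": True, "reason": "usernameCaseSensitive not set; UsernameConfiguration untouched"}
    if desired == live:
        return {"ok": True, "reason": f"live and desired CaseSensitive both {live}"}
    return {
        "ok": False,
        "live": live,
        "desired": desired,
        "reason": f"CaseSensitive is immutable after creation; push would fail with '{IMMUTABLE_MSG}'. "
                  "Remove usernameCaseSensitive from cli-inputs.json or create a new pool.",
    }


def without_case_sensitive_flag(cli_inputs: Dict[str, Any]) -> Dict[str, Any]:
    """The workaround from the thread: drop the flag (returns a modified copy)."""
    fixed = copy.deepcopy(cli_inputs)
    fixed.get("cognitoConfig", {}).pop("usernameCaseSensitive", None)
    return fixed


def split_username_attributes(cli_inputs: Dict[str, Any]) -> List[str]:
    """The posted file stores both attributes in one comma-joined string;
    return the individual attribute names so they can be compared with the
    live pool's UsernameAttributes list."""
    raw = cli_inputs.get("cognitoConfig", {}).get("usernameAttributes", [])
    return [a.strip() for item in raw for a in item.split(",") if a.strip()]


def fetch_live_pool(pool_id: str) -> Dict[str, Any]:
    """Fetch the real pool with boto3 (needs AWS credentials; not run offline).
    The region is taken from the pool id prefix, e.g. us-east-2_XXXX."""
    import boto3  # imported lazily so the offline example runs without it
    client = boto3.client("cognito-idp", region_name=pool_id.split("_")[0])
    return client.describe_user_pool(UserPoolId=pool_id)["UserPool"]


if __name__ == "__main__":
    print(json.dumps(check_username_configuration(LIVE_POOL_CASE_SENSITIVE, CLI_INPUTS), indent=2))
    print(json.dumps(check_username_configuration(LIVE_POOL_CASE_SENSITIVE,
                                                  without_case_sensitive_flag(CLI_INPUTS)), indent=2))
```

Run it before `amplify push` against the output of `fetch_live_pool(<pool id>)` and the project's `cli-inputs.json`; a result with `"ok": false` is the same condition CloudFormation reports as the 400 InvalidParameterException quoted in the issue, caught before the stack update is attempted.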

Phobarp commented 2 years ago

Hey @akshbhu, thank you so much for the suggestion! After removing the usernameCaseSensitive flag from cli-inputs.json, I ran amplify push successfully! However, why was I getting this error in the first place, when all I did was add Google and Facebook as social providers?

akshbhu commented 2 years ago

Hi @Phobarp

Nice to know it worked for you. Have you checked the UsernameConfiguration in your Cognito console?

I believe your UsernameConfiguration in the cloud might be set to true while the usernameCaseSensitive flag is set to false, which was causing the problem.

The part I am not sure about is how it went to false in parameters.json and cli-inputs.json after migration.

Phobarp commented 2 years ago

Hey @akshbhu, are you referring to this checkbox in the attributes section of general settings? This checkbox was unchecked both before and after the push.

[screenshot of the Cognito console attributes settings]

josefaidt commented 2 years ago

Hey @Phobarp apologies for the delay here, are you still experiencing this issue?

From where the thread left off, it appears you were able to push successfully after removing usernameCaseSensitive from your auth resource's cli-inputs.json; however, what remains unresolved is how this was being detected as a change to the configuration, given that you're seeing it as case-sensitive. If you run "drift detection" on your application's stack in the AWS CloudFormation console, do you see any results for the Cognito resource that stand out?

[screenshot of the CloudFormation drift detection view]

Phobarp commented 2 years ago

Hey @josefaidt, I was able to push successfully after removing usernameCaseSensitive from my auth resource's cli-inputs.json. I will close this issue now.