search

aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.31k stars 243 forks source link

Feature Request: User initiated Verify Email For OAuth Providers after Sign Up: Setting email_verified: true #4531

Open dkliss opened 6 months ago

dkliss commented 6 months ago

Description

Hi,

If I Sign up with OAUTH2 for some IDPs providers, email_verified attribute is not shared with Cognito and hence Cognito will mark email_verified as false for those IDPs.

For example, if the email attribute received after Sign up using OAUTH IDp is test@gmail.com, user will successfully Sign up however email test@gmail.com will be marked as "not verified" in AWS Cognito.

Since, this email belongs to user and is in "user's" control, I wanted user to take an action to verify this email, if they like to use the same email later for Cognito (by running reset password). Without email_verified set as true, a user will receive below error when making an attempt to Sign in via Cognito.

Invalid Parameters: Cannot reset password for the user as there is no registered/verified email or phone_number

To verify OAUTH email, I attempted to use updateUserEmail() Amplify function to basically re-update the same not verified email i.e. test@gmail.com, which I received from OAUTH. After running this function, I did not received any exception BUT I also did not received an OTP code. If I run the same function updateUserEmail() from a different email (example newtest@gmail.com), which is not in Cognito, then, I received an OTP code (as expected) in that new email i.e. newtest@gmail.com.

Proposal: Considering the fact, that email_verified flag is not available from all OAUTH IDPs, it would have been useful if a user is able to verify email (if needed) post OAUTH sign up. This potentially can be done by adding extra scope to the same function i.e. updateUserEmail() to be able to send an OTP for an existing email in Congnito, if that email is marked as not verified. This will make account linking between OAUTH and AWS Cognito easier and offer more control to users to be able to decide on their preference on if they like to expand OAUTH email for Cognito or not. Auto-verifying emails of users signing in via OAUTH2 via lambda etc seems like not right approach as the email is owned by users and hence users should verify those. 

  Future<void> updateUserEmail({
    required String newEmail,
  }) async {
    try {
      final result = await Amplify.Auth.updateUserAttribute(
        userAttributeKey: AuthUserAttributeKey.email,
        value: newEmail,
      );
      _handleUpdateUserAttributeResult(result);
    } on AuthException catch (e) {
      safePrint('Error in setMfa: $e');
      throw MyException(e.message.toString());
    } catch (e) {
      safePrint('Error updating user attribute: $e');
      throw MyException(errorInCodeGeneration);
    }
  }

Categories

Steps to Reproduce

No response

Screenshots

No response

Platforms

Flutter Version

3.19.1

Amplify Flutter Version

1.6.1

Deployment Method

Amplify CLI

Schema

No response

Jordan-Nelson commented 6 months ago

Hello @dkliss - Thanks for taking the time to open the request.

Verifying a mapped email address is not supported by Cognito. From the Cognito docs:

By default, mapped email addresses are unverified. You can't verify a mapped email address using a one-time code. Instead, map an attribute from your IdP to get the verification status. For example, Google and most OIDC providers include the email_verified attribute.

We can mark this as a feature request to track interest, but this is something that would need to be supported in Cognito.

dkliss commented 6 months ago

Hello @dkliss - Thanks for taking the time to open the request.

Verifying a mapped email address is not supported by Cognito. From the Cognito docs:

By default, mapped email addresses are unverified. You can't verify a mapped email address using a one-time code. Instead, map an attribute from your IdP to get the verification status. For example, Google and most OIDC providers include the email_verified attribute.

We can mark this as a feature request to track interest, but this is something that would need to be supported in Cognito.

Thanks @Jordan-Nelson. Based on my testing,

And this is why an email_verification method independent of OAUTH attributes will be of good help. This way developers can simply disable email_verified attribute mapping in of OAUTH & Cognito (unless one is only using single OAUTH provider) and let users verify their email directly with Cognito (if a user choose to do so).

Having went all the way through implementing Lambda etc, the proposal of allowing users with an option to verify email AFTER sign in, independent of OAUTH providers is simple and can ease OAUTH and Cognito Account linking (exclude Apple because of relay email).

Is there any chance for this to be considered without tracking interest. It can simplify Account linking for OUTH and Cognito?

"For example, Google and most OIDC providers include the email_verified attribute."