Closed mtourj closed 1 year ago
Hi @mtourj, thank you for opening this issue. From the flow you have, it sounds like you provide the option to link the user instead of auto-linking with a pre-sign-up Lambda trigger, for example. Additionally, it also sounds like you explicitly delete the copy of the user that was created through social sign-in once the two users are linked. In my experience, explicitly deleting shouldn't be necessary, and I have a sample function defined here that auto-links users using the pre-sign-up trigger.
Could you take a look and let me know if you have similar logic for when you are linking users? I'd like to reproduce your scenario but hoping to get as much info as possible.
Hello @nadetastic, yes the flow you describe is correct.
As far as the sample function you provided, the difference is that after finding the existing user with a matching email, we set an attribute on the newly created user called "custom:linkable_sub" to the sub of the existing user, and this happens in the post-confirmation trigger.
Then, if the user chooses to link accounts, the client makes a call to our backend application, which deletes the "newly created" user and then links the IdP with the existing account via AdminLinkProviderForUser, in that order.
I did originally try to just run AdminLinkProviderForUser without deleting the "newly created" user, but the existence of that Cognito user seems to override the link created and the "identities" attribute on the native user, and as a result it does not log you into the intended account.
@mtourj I'm wondering if maybe the order is what is causing this issue. Specifically, instead of deleting the "newly created" user and then linking the IdP with the existing account via AdminLinkProviderForUser, do the opposite: first link the IdP with the existing account, then delete the new user after linking.
Hi @mtourj, following up here: were you able to make any headway with this?
@mtourj closing out this issue for now as there hasn't been a response in a while. If you still have questions, let me know.
JavaScript Framework
React Native
Amplify APIs
Authentication
Amplify Categories
auth
Environment information
Describe the bug
Hello. I am running into a rather specific issue when trying to implement the following workflow:
This works well. However, if I sign out and try to sign in again using my IdP account, I get an `invalid_grant` error after being redirected to my app with the `code` and `state` in the URL. If I wait an hour, I am able to log in using my IdP account just fine. This is, of course, not acceptable, as we'd be banking on the user not trying to log in again using their IdP within an hour of linking it to an existing account.
It seems that a token is being mismanaged in some way after a Cognito user is deleted, and so if within an hour I try to log in again with the same idP account after it has been linked to an existing user, it fails.
Another way of doing this would have been via the PreSignup trigger. This way, the linking step would occur before a user had to be created then deleted, and no invalid tokens would be lingering anywhere. However since there is no way for me to pass any variables to PreSignup (#5522), there is no way for me to branch PreSignup's behavior in a way that allows me to give users the choice to link accounts or create new ones using their idP.
I have found two instances of the same issue in this repository:
#6041
#6172
Similarly to the author of #6041, I too am using Expo, and my application is deployed to iOS, Android and the Web. My return URL setup is similar. This might be relevant, as return URLs seemed to affect the behavior for him, although I have not tested this.
Expected behavior
When an idP-linked user is deleted from Cognito, it should not interfere with the future ability to create/link another user using the same external idP account, even if it is within an hour.
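The two linking strategies discussed in this thread, as an added example that is not code from the issue, from the maintainer's sample, or from the Amplify project: a pre-sign-up trigger that links the federated identity to an existing native user before Cognito creates the throw-away user at all, and the backend step for the opt-in flow written in the order the maintainer suggests (link first, delete the duplicate second). Assumptions: the Cognito client is injected as any object whose methods take the usual API parameters and return promises (an AWS SDK v2 client wrapped so each call returns `.promise()` would do), federated usernames have Cognito's `<ProviderName>_<subject>` shape, and the IdP's `email_verified` claim is mapped into the user attributes. The `fakeCognito` stand-in, the pool entries and the usernames are constructed so the file runs offline; the fake does not reproduce the real service's own validation, in particular how it behaves while the duplicate user still exists, which is exactly what this thread leaves open. Both paths refuse to link to a native account whose email is not verified, since otherwise anyone who registers an unconfirmed account under someone else's address could capture that person's IdP sign-in.

```javascript
// Added example: auto-link in pre-sign-up, and link-then-delete for the opt-in flow.
// Assumptions (see lead-in): injected promise-returning Cognito client, federated
// usernames of the form "<ProviderName>_<subject>", mapped email_verified claim.

// Split "Google_1234" into the provider name and the provider's subject id.
function parseFederatedUsername(userName) {
  const i = userName.indexOf('_');
  if (i <= 0 || i === userName.length - 1) throw new Error(`not a federated username: ${userName}`);
  return { providerName: userName.slice(0, i), providerUserId: userName.slice(i + 1) };
}

const attrMap = (attrs) => Object.fromEntries((attrs || []).map((a) => [a.Name, a.Value]));

// Only a native user (not an EXTERNAL_PROVIDER copy) with a verified email may be linked to.
function findLinkableNativeUser(users) {
  return users.find((u) => u.UserStatus !== 'EXTERNAL_PROVIDER' && attrMap(u.Attributes).email_verified === 'true') || null;
}

function linkParams(userPoolId, nativeUsername, providerName, providerUserId) {
  return {
    UserPoolId: userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: nativeUsername },
    SourceUser: { ProviderName: providerName, ProviderAttributeName: 'Cognito_Subject', ProviderAttributeValue: providerUserId },
  };
}

// Pre-sign-up trigger: link before Cognito would create the federated copy, so there is
// never a duplicate user to delete. The IdP-asserted email must itself be verified.
async function preSignUpAutoLink(event, cognito) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return event;
  const { email, email_verified } = event.request.userAttributes;
  if (!email || email_verified !== 'true' || email.includes('"')) return event; // no quotes into the filter
  const { providerName, providerUserId } = parseFederatedUsername(event.userName);
  const { Users } = await cognito.listUsers({ UserPoolId: event.userPoolId, Filter: `email = "${email}"` });
  const native = findLinkableNativeUser(Users);
  if (native) await cognito.adminLinkProviderForUser(linkParams(event.userPoolId, native.Username, providerName, providerUserId));
  return event;
}

// Opt-in flow, backend side: the duplicate carries custom:linkable_sub (set by the
// post-confirmation trigger). Link to that account first, delete the duplicate second.
async function linkThenDeleteDuplicate(userPoolId, duplicateUsername, cognito) {
  const dup = await cognito.adminGetUser({ UserPoolId: userPoolId, Username: duplicateUsername });
  const targetSub = attrMap(dup.UserAttributes)['custom:linkable_sub'];
  if (!targetSub) throw new Error(`${duplicateUsername} is not marked linkable`);
  const { providerName, providerUserId } = parseFederatedUsername(duplicateUsername);
  const { Users } = await cognito.listUsers({ UserPoolId: userPoolId, Filter: `sub = "${targetSub}"` });
  if (Users.length !== 1 || !findLinkableNativeUser(Users)) throw new Error(`no verified native user with sub ${targetSub}`);
  await cognito.adminLinkProviderForUser(linkParams(userPoolId, Users[0].Username, providerName, providerUserId));
  await cognito.adminDeleteUser({ UserPoolId: userPoolId, Username: duplicateUsername });
  return { linkedTo: Users[0].Username, deleted: duplicateUsername };
}

// Constructed in-memory stand-in for the four Cognito calls used above (offline only).
function fakeCognito(seed) {
  const pool = seed.map((u) => ({ ...u, Attributes: [...u.Attributes] }));
  return {
    links: [],
    async listUsers({ Filter }) {
      const [, name, value] = Filter.match(/^(\S+) = "(.*)"$/);
      return { Users: pool.filter((u) => attrMap(u.Attributes)[name] === value) };
    },
    async adminGetUser({ Username }) {
      const u = pool.find((x) => x.Username === Username);
      if (!u) throw new Error('UserNotFoundException');
      return { Username, UserAttributes: u.Attributes };
    },
    async adminLinkProviderForUser({ DestinationUser, SourceUser }) {
      this.links.push({ to: DestinationUser.ProviderAttributeValue, from: `${SourceUser.ProviderName}_${SourceUser.ProviderAttributeValue}` });
      return {};
    },
    async adminDeleteUser({ Username }) {
      const i = pool.findIndex((u) => u.Username === Username);
      if (i < 0) throw new Error('UserNotFoundException');
      pool.splice(i, 1);
      return {};
    },
  };
}

// Constructed sample pool: a verified native user, an unconfirmed one, and the duplicate
// federated copy the opt-in flow produces (already tagged with custom:linkable_sub).
const POOL_ID = 'us-east-1_example';
const ALICE_SUB = '11111111-1111-4111-8111-111111111111';
const nativeUsers = [
  { Username: 'alice', UserStatus: 'CONFIRMED', Attributes: [{ Name: 'sub', Value: ALICE_SUB }, { Name: 'email', Value: 'alice@example.com' }, { Name: 'email_verified', Value: 'true' }] },
  { Username: 'mallory', UserStatus: 'UNCONFIRMED', Attributes: [{ Name: 'sub', Value: '22222222-2222-4222-8222-222222222222' }, { Name: 'email', Value: 'victim@example.com' }, { Name: 'email_verified', Value: 'false' }] },
];
const googleDuplicate = { Username: 'Google_777', UserStatus: 'EXTERNAL_PROVIDER', Attributes: [{ Name: 'sub', Value: '33333333-3333-4333-8333-333333333333' }, { Name: 'email', Value: 'alice@example.com' }, { Name: 'custom:linkable_sub', Value: ALICE_SUB }] };
const federatedEvent = (userName, email) => ({ triggerSource: 'PreSignUp_ExternalProvider', userPoolId: POOL_ID, userName, request: { userAttributes: { email, email_verified: 'true' } } });

async function demo() {
  const auto = fakeCognito(nativeUsers);
  await preSignUpAutoLink(federatedEvent('Google_777', 'alice@example.com'), auto);   // linked to alice, no duplicate created
  await preSignUpAutoLink(federatedEvent('Facebook_5', 'victim@example.com'), auto); // refused: mallory's email is unverified
  const optIn = fakeCognito([...nativeUsers, googleDuplicate]);
  const result = await linkThenDeleteDuplicate(POOL_ID, 'Google_777', optIn);
  const remaining = (await optIn.listUsers({ Filter: 'email = "alice@example.com"' })).Users.map((u) => u.Username);
  return { autoLinks: auto.links, optInLinks: optIn.links, result, remaining };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Running the file prints one auto-link (Google_777 to alice), no link for the unverified account, and for the opt-in path the link followed by the deletion, leaving only alice under that email. Against the real service, the value of the pre-sign-up route is that no user is ever created and deleted, so the hour-long `invalid_grant` window described in this issue cannot arise; the opt-in route stays subject to whatever Cognito does when the source identity still exists at link time.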
Reproduction steps
Code Snippet
Log output