aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

User is not created in Cognito User pool for users logging in with Google federated login #1937

Closed sivaprasad-kiranum closed 7 months ago

sivaprasad-kiranum commented 4 years ago

Describe the bug

I have integrated AWS Cognito into our iOS application. We are not using the hosted UI solution and have our own login screen for the application. The user object is not created even after calling federatedSignIn with the idtoken received from Google sign in.

AWSMobileClient.default().federatedSignIn(providerName: IdentityProvider.google.rawValue, token: user.authentication.idToken!)

Also the call to get the tokens for the signed in user is also failing with the below error

The operation couldn’t be completed. (AWSMobileClient.AWSMobileClientError error 26.)

This error corresponds to user not signed in. This prevents us from calling the server side APIs to get the data for the application.

To Reproduce

Steps to reproduce the behavior:

  1. User clicks on the sign in with google button
  2. Call GIDSignIn.sharedInstance()?.signIn() for google signing
  3. On success, call AWSMobileClient.default().federatedSignIn(providerName: IdentityProvider.google.rawValue, token: user.authentication.idToken!)
  4. The result of the above call provides the user state as signed in
  5. The call to AWSMobileClient.default().getTokens returns the error The operation couldn’t be completed. (AWSMobileClient.AWSMobileClientError error 26.)

Which AWS service(s) are affected?

AWS Cognito AWSMobileClient

Expected behavior

The user object must be created in AWS Cognito. The call to getTokens must return the tokens for the signed in user.

sivaprasad-kiranum commented 4 years ago

Can you please provide an update?

royjit commented 4 years ago

Hi @sivaprasad-kiranum, thank you for reaching out. To debug further, could you please provide us with the following details:

  1. Request ID to Cognito
  2. AWS Region
  3. User pool ID

You can enable logging to get the request ID:

AWSDDLog.sharedInstance.logLevel = .verbose
AWSDDLog.add(AWSDDTTYLogger.sharedInstance)

sivaprasad-kiranum commented 4 years ago

I do not see any request that is getting fired after the call to federatedSignIn.

AWS Region: us-east-1
User pool id: us-east-1_kG4OKMVsu

lawmicha commented 4 years ago

I don't think a user is created when AWSMobileClient.federatedSignIn() is called. I will have to check with the team on this scenario, but I was reading here that it sounds like this is the scenario that is not supported https://github.com/aws-amplify/aws-sdk-ios/issues/993

If it is created in your userpool, you should be able to see the user in the AWS Console/Cognito User Pool.

When you try to get tokens, it is checking the federation provider to be either user pools or hostedUI. https://github.com/aws-amplify/aws-sdk-ios/blob/59d905a66179f955deedc4473519689ba56fe2dd/AWSAuthSDK/Sources/AWSMobileClient/AWSMobileClientExtensions.swift#L670-L676

I believe the correct way to get credentials is to call AWSMobileClient.federatedSignIn() and then use AWSMobileClient.sharedInstance() to get the credentials provider for constructing your calls like for APIGateway. Reference: https://aws-amplify.github.io/docs/ios/api#iam-authorization and https://github.com/aws-amplify/aws-sdk-ios/issues/1276

sivaprasad-kiranum commented 4 years ago

@lawmicha Thanks for the reply. We are not currently using the AWS APIGateway for our services. We are using the AWS Cognito SDK to validate the access token as a middleware function in our API micro services. In that case, how can we authenticate the calls?

kaushik-orangeapp commented 4 years ago

Any updates on this?

sivaprasad-kiranum commented 4 years ago

@kaushik-orangeapp Are you asking me?

kaushik-orangeapp commented 4 years ago

@sivaprasad-kiranum Yes, have you solved this issue? Have you successfully gotten a JWT Token after federated login?

sivaprasad-kiranum commented 4 years ago

@kaushik-orangeapp We moved forward with Firebase and dropped AWS Cognito for want of time.

kaushik-orangeapp commented 4 years ago

@sivaprasad-kiranum OK, thanks for your reply. I am stuck over there getting the JWT Token after social login/signup.

sivaprasad-kiranum commented 4 years ago

@kaushik-orangeapp
Maybe you can try out the AWS Amplify drop-in UI or Hosted UI solution, if it suits your requirement and UI needs on the branding / theming etc.

On Tue, 10 Dec 2019 at 11:30 AM, kaushik-orangeapp notifications@github.com wrote:

@sivaprasad-kiranum https://github.com/sivaprasad-kiranum OK, thanks for your reply. I am stuck over there getting the JWT Token after social login/signup.

glennposadas commented 4 years ago

I'm facing the very same issue. Facebook and Gmail. I think we're missing some steps. :/

sivaprasad-kiranum commented 4 years ago

@glennposadas Were you able to figure out any missing steps?

suzannechang commented 4 years ago

Also having this issue!

royjit commented 4 years ago

AWSMobileClient.federatedSignIn() does not create a user in the AWS Cognito Userpool; it is used to federate to an identity pool and get an identity id. If you want to create a user in the UserPool while signing in through a social provider, please use HostedUI.

glennposadas commented 4 years ago

I haven't solved this. But Jithin Roy just said what I've been thinking. BTW, HostedUI means we can't have our customized sign in screen, right?

On Wed, Jan 29, 2020 at 12:04 AM Jithin Roy notifications@github.com wrote:

AWSMobileClient.federatedSignIn() does not create a user in the AWS Cognito Userpool; it is used to federate to an identity pool and get an identity id. If you want to create a user in the UserPool while signing in through a social provider, please use HostedUI https://aws-amplify.github.io/docs/sdk/ios/authentication#using-hosted-ui-for-authentication .

-- Best Regards, Glenn Posadas

royjit commented 4 years ago

Hosted UI is basically webpages, but AWS Cognito supports a few customization options. Please check their developer guide - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html

sivaprasad-kiranum commented 4 years ago

@royjit Why is this feature not available outside HostedUI? HostedUI in a mobile application will not look good.

royjit commented 4 years ago

Currently this feature is not supported outside HostedUI in AWS Cognito. I will take this as a service feature request to AWS Cognito team.

ahmadfs commented 4 years ago

How is it acceptable to force users towards hostedUI, which doesn't look very professional at all in a native app? We are in the same position right now where we want to integrate social login with user pools but we are unable to do so even though you allow people to configure it through the Cognito console and Cognito CLI. What is the alternative, and when can we know that developers can actually use native apps with Cognito to provide social login?

The closest solution I have come across is still very hacky and something I am reluctant to implement: https://github.com/aws-amplify/aws-sdk-ios/issues/1177#issuecomment-472265432

ghost commented 4 years ago

@ahmadfs The current live SDK documentation provides a HostedUIOptions() object that allows for the bypassing of the literal hosted UI to go directly to any given external provider authentication flow:

https://aws-amplify.github.io/docs/sdk/ios/authentication#configuring-hosted-ui-to-launch-facebook-google-saml-sign-in-directly
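
The two sign-in paths discussed in this thread, side by side, as an added example that is not part of any comment and is not the SDK's own sample code. It assumes the hosted UI is configured for the app; `googleIdToken`, the navigation controller, the scopes and the "Google" provider name are placeholders for the app's own values.

```swift
import UIKit
import AWSMobileClient

// Path 1: federate a Google ID token to the identity pool. Per the maintainers'
// replies this yields an identity ID and temporary AWS credentials only; no
// user pool user is created, so there are no user pool JWTs to fetch.
func federateToIdentityPool(googleIdToken: String) {
    AWSMobileClient.default().federatedSignIn(
        providerName: IdentityProvider.google.rawValue,
        token: googleIdToken
    ) { userState, error in
        guard error == nil else {
            print("federatedSignIn failed: \(String(describing: error))")
            return
        }
        // IAM credentials come from the identity pool (log only non-secret fields).
        AWSMobileClient.default().getAWSCredentials { credentials, error in
            print("AWS credentials expire: \(String(describing: credentials?.expiration))")
        }
        // Expected to fail with notSignedIn (the thread's "error 26"): the
        // session is not backed by a user pool or the hosted UI.
        AWSMobileClient.default().getTokens { _, error in
            if let e = error as? AWSMobileClientError, case .notSignedIn = e {
                print("no user pool tokens for an identity pool federation")
            }
        }
    }
}

// Path 2: sign in through the user pool, going straight to Google via
// HostedUIOptions. The user pool creates the user and issues the JWTs.
func signInThroughUserPool(from nav: UINavigationController) {
    // Assumed values: scopes and provider name must match the user pool setup.
    let options = HostedUIOptions(scopes: ["openid", "email"], identityProvider: "Google")
    AWSMobileClient.default().showSignIn(
        navigationController: nav,
        hostedUIOptions: options
    ) { userState, error in
        guard error == nil, userState == .signedIn else {
            print("hosted UI sign-in failed: \(String(describing: error))")
            return
        }
        AWSMobileClient.default().getTokens { tokens, _ in
            // Send tokens?.accessToken?.tokenString to the backend over TLS;
            // the API middleware validates it against the user pool.
            print("access token present: \(tokens?.accessToken?.tokenString != nil)")
        }
    }
}
```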

abenyahya commented 4 years ago

Hi, I'm trying to use HostedUI from AWS but got an error: Error getting token The operation couldn’t be completed. (AWSMobileClient.AWSMobileClientError error 26.). Is there any guideline to resolve that?

abenyahya commented 4 years ago

& When using direct Auth0 services, I'm able to get the user connected, and also tokens from AWSMobileClient, but when I want to use APIs & AWS Services I get another error: Error:Optional(Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.})

jacobsapps commented 3 years ago

Hey, I'm trying to get Sign In With Apple to work in my app - obviously if I showed users a web UI to do that, it'd be pretty egregious. I'm able to create and sign a user in through the Apple services and sign in via federatedSignIn but as others have noticed nothing is created in a user pool.

bitcot commented 3 years ago

Is there any update on federated sign in creating user pool? Using federated sign in for social login is a more native way of doing things, but the problem with the approach is it doesn't create anything on the user pool, which cannot be ignored as it's an important piece. Let me know if there is a way to create a user pool once the user signs in using federated signin.

wmaca commented 2 years ago

Same problem here. In our case, we are using a webview that communicates with a native app.

We want to use the native Google Sign-in experience on Android. We are able to get the token from Google, but we can't create a Cognito user with federatedSign().

Is there any way around this? We could use the token from Google to make Cognito create the user ourselves, but it doesn't seem to be the best approach.

ShyamSampath commented 2 years ago

Is there any way we can get to know when this feature will be available? This issue has been open for 2 years now and there has been no update provided from AWS on this. We are losing customers due to this feature not being available with native Google UI. We don't want to use social.singinwithwebui as it only works with Chrome.

andheroe commented 2 years ago

We're currently evaluating whether to invest our engineering efforts into AWS Amplify. The ability to provide a native social Sign In flow is critical for us and it's currently a big red flag. Please provide us with an update on whether this feature is something we could expect in the near future and is there a workaround for us to use in the meantime.

flodaniel commented 2 years ago

@royjit any update/decision if this is going to be implemented?

SoccerBoyMalloy commented 9 months ago

Any update on this?

I just want users to sign in with Google and then have those users authenticate against my User Pool. Is this really still not a supported use case outside of the Hosted UI?

atierian commented 7 months ago

That's correct, this is still a service limitation with Cognito. We recommend using Amplify Auth; the relevant feature request is being tracked here: https://github.com/aws-amplify/amplify-swift/issues/1121

anotheriosdev commented 3 months ago

I'm encountering a similar issue while using JumpCloud. Everything functions correctly for the iOS app, but when attempting to log in with the macOS app, I encounter this error: User is not signed in to Cognito User Pool, please sign in to use this API.

5d commented 3 months ago

Hi @anotheriosdev, could you please create a new issue ticket and provide the versions of the libraries you're using? Additionally, it would be helpful if you could include a verbose log with your submission. This will assist us in better understanding and addressing your concern.