sst / sst.dev

Repo for sst.dev
https://sst.dev
MIT License

Don't use email as username #83

Open maletor opened 7 years ago

maletor commented 7 years ago

Use a UUID as the username, then set up email as an alias in Cognito.

Usernames cannot be changed. (Although, there is a preferred_username attribute.)

It makes more sense, if you are not going to use the username in your app, that you generate one randomly. So much is said in the Cognito documentation.

fwang commented 7 years ago

Hi @maletor, thanks for pointing it out.

We have considered using a random value for the username and setting email as an alias. Cognito User Pool is designed to allow multiple users to have the same email alias. The last user that confirms the email will take over the ownership of the email alias. Though this design decision does have its own advantages. For the context of this tutorial, we decided to use the email address as the username and not allow people to change it.

But you are right, if people want to have a username that can be changed, preferred_username should be used instead.

maletor commented 7 years ago

Fair enough. However, you can prevent people from using the same email address, even if the second confirms it, by not sending force: true.

Email is not a unique id and should not be considered as such. OpenID Connect says as much.