Account Linking Dilemma

0

Hi there,

I want my users to be able to link IDP (identity provider) accounts to their local Cognito account, be able to sign up with IDP accounts, and so on.

My dilemma is that an account that gets created MUST be linked to an existing account, because it must have two custom attributes to work properly:

custom:organizationId, custom:permissionLevel

Here is why this is challenging and why all my attempts have failed.

We cannot pass any parameters into the pre-sign-up Lambda trigger. If I could, I would pass the local account's email and get its user sub, along with organizationId and permissionLevel, so I can MOST IMPORTANTLY LINK the account to the local account, THEN update its custom attributes organizationId and permissionLevel.

The issue arises when the user uses a different email than the local account to log in or register with.

I'll give an example: the user's local email address is haibert@inva.dev. When the user wants to, let's say, connect their Google account and chooses a different email, let's say haibertdev@gmail.com, I cannot match this email to an existing user to make sure I join it to the correct organization and link it to the local account.

Once the user is created and authenticated, I cannot even link the accounts.

After countless workaround attempts, my final and closest one was this.

During sign-up, check if the email exists in the DB. If it doesn't, create the account, but do an if-check in the pre-token-generation trigger to make sure the user has an organizationId and accessLevel. If they don't, send an email with a link and a token to that email, which they can click on to enter an EXISTING user's email address. We send a code to the existing email address, and if they return that code back to us successfully, we link the accounts.

This is so complicated and cumbersome, but it's the only solution I came up with, and I haven't even tested it yet.

Is there a better way to get this accomplished? I'm always in a catch-22 situation because I cannot pass any custom parameters to the Lambda triggers and cannot link accounts once they've signed in.

Haibert
Asked 5 months ago, 75 views
No answers
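As an added example that is not part of the question above or any answer to it, here is the shape of a Cognito PreSignUp trigger for the case the poster describes: a federated (external IdP) sign-up arrives, the trigger looks up the existing native user by the email the IdP supplied, checks that the local account carries both required custom attributes, and links the IdP identity to it before a second, attribute-less user can be created. The poster's hard case (an IdP email such as haibertdev@gmail.com with no local match) is handled by refusing the sign-up rather than creating an orphan account. Everything here is constructed for illustration: the function names, the `NativeUser` record, the injected `find_user_by_email` / `link_provider` callables (so the logic runs offline; the real versions would wrap boto3's `list_users` and `admin_link_provider_for_user`, named in comments), the sample directory, and the assumption that federated usernames have the form `<ProviderName>_<subject>` with the provider name matching the one configured in the user pool.

```python
"""
Added example, not code from the question: PreSignUp trigger logic that links a
federated identity to an existing native Cognito user by email, refusing the
sign-up when no local account matches or required attributes are missing.
AWS calls are behind injected callables so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Custom attributes the question says every usable account must carry.
REQUIRED_ATTRS = ("custom:organizationId", "custom:permissionLevel")


@dataclass
class NativeUser:
    username: str     # Cognito username of the native user (assumed to be the sub)
    attributes: dict  # e.g. {"custom:organizationId": "org-42", ...}


class LinkError(Exception):
    """Raising from a Cognito trigger makes Cognito reject the request."""


def split_federated_username(username: str) -> tuple:
    """Assumption: federated usernames look like '<Provider>_<subject>'.
    The provider part must equal the IdP name configured in the user pool."""
    provider, sep, subject = username.partition("_")
    if not sep or not subject:
        raise LinkError("not a federated username: %r" % username)
    return provider, subject


def pre_sign_up(event: dict,
                find_user_by_email: Callable[[str], Optional[NativeUser]],
                link_provider: Callable[[str, str, str], None]) -> dict:
    """Body of a PreSignUp Lambda handler; returns the (possibly modified) event."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        # Native sign-ups are not our concern here; pass the event through.
        return event

    email = event["request"]["userAttributes"].get("email", "").strip().lower()
    if not email:
        raise LinkError("IdP returned no email; cannot match a local account")

    existing = find_user_by_email(email)
    if existing is None:
        # The question's hard case: the IdP email matches no local account.
        # Refuse rather than create a user without organizationId/permissionLevel.
        raise LinkError("no local account with this email; sign in with your "
                        "existing account and link the provider from there")

    missing = [a for a in REQUIRED_ATTRS if not existing.attributes.get(a)]
    if missing:
        raise LinkError("local account is missing %s; refusing to link" % missing)

    provider, subject = split_federated_username(event["userName"])
    link_provider(existing.username, provider, subject)
    event["response"]["autoConfirmUser"] = True
    event["response"]["autoVerifyEmail"] = True  # assumption: the IdP verified it
    return event


# --- constructed sample data so the example runs without AWS ------------------
SAMPLE_DIRECTORY = {
    "haibert@inva.dev": NativeUser(
        username="0c3b8d8e-0000-4000-8000-000000000001",
        attributes={"custom:organizationId": "org-42",
                    "custom:permissionLevel": "admin"},
    ),
}


def fake_find_user_by_email(email: str) -> Optional[NativeUser]:
    # Production: cognito.list_users(UserPoolId=pool, Filter='email = "..."')
    # Escape quotes in the email before building that filter string.
    return SAMPLE_DIRECTORY.get(email)


LINKS = []  # records (destination_username, provider, subject) calls


def fake_link_provider(dest_username: str, provider: str, subject: str) -> None:
    # Production: cognito.admin_link_provider_for_user(
    #     UserPoolId=pool,
    #     DestinationUser={"ProviderName": "Cognito",
    #                      "ProviderAttributeValue": dest_username},
    #     SourceUser={"ProviderName": provider,
    #                 "ProviderAttributeName": "Cognito_Subject",
    #                 "ProviderAttributeValue": subject})
    LINKS.append((dest_username, provider, subject))


def make_event(username: str, email: str) -> dict:
    """Constructed PreSignUp_ExternalProvider event in Cognito's shape."""
    return {"triggerSource": "PreSignUp_ExternalProvider", "userName": username,
            "request": {"userAttributes": {"email": email}}, "response": {}}


if __name__ == "__main__":
    out = pre_sign_up(make_event("Google_1122334455", "haibert@inva.dev"),
                      fake_find_user_by_email, fake_link_provider)
    print(out["response"], LINKS)
```

The lookup lowercases the email before matching; if the pool is not configured to be case-insensitive, the `list_users` filter should use the same normalised form that was stored at local sign-up.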
