
Deleting an AWS federated user and linking it with a Cognito native user leads to an invalid_grant error on the next login for a certain period of time.

0

I'm working on a sample single sign-on with AWS Cognito and just want to link a federated user if my application pool already has a Cognito native account with the same email. I want to do this on the .NET API side using the AWS .NET SDK.

Steps:

  1. Delete the federated user (if a user exists with the same email) using AdminDeleteUserAsync.

  2. Link the federated user with the existing native Cognito user using AdminLinkProviderForUserAsync.

Everything works fine and I can see the account get linked when I check the user in the AWS console. Under identities I can see all the relevant federated account info. The federated account entry also gets deleted.

Here I'm using "Authorization Code grant" as the OAuth grant type.

When I try to log in again using federated credentials (e.g. Google) I get the auth code successfully, but when I try to exchange it for tokens it gives me an "invalid_grant" error. This happens for a certain time period, approximately 15 to 20 minutes, and then fixes itself. It seems like a caching issue, but this doesn't happen once we delete the federated user directly from the AWS console.

This doesn't happen if I do this in a Pre-Sign Lambda, but I need to do it at the API level. It would be great if I could get any solution for this.

I tried the following before the delete, but none of them worked:

  • RevokeTokenAsync
  • AdminDisableUserAsync
  • AdminUserGlobalSignOutAsync

  • If you delete a federated user in AWS and then link the same identity (e.g., email) to a Cognito native user, you'll get an invalid_grant error on next login for a short period. This happens because Cognito caches identity mappings, causing conflicts until the cache expires (usually within a few hours).
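The delete-then-link sequence from the question, written out with the AWS SDK for .NET as an added example (this is not the asker's code and not an AWS sample). AdminLinkProviderForUser lets an external identity sign in as an existing pool user, so the example only links when the native user's email is verified and the caller has confirmed the IdP asserted the email as verified, and it keys the link on the IdP's stable subject identifier rather than the email. The user pool id, provider name, the "<Provider>_<sub>" username format of the auto-created federated user, and the `emailVerifiedByIdp` flag are assumptions marked in the comments.

```csharp
// Added example: link a federated identity to an existing native Cognito user.
// Requires the AWSSDK.CognitoIdentityProvider NuGet package (.NET 6 or later).
using System;
using System.Linq;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public sealed class FederatedLinker
{
    private readonly IAmazonCognitoIdentityProvider _cognito;
    private readonly string _userPoolId; // ASSUMED: e.g. "us-east-1_XXXXXXXXX"

    public FederatedLinker(IAmazonCognitoIdentityProvider cognito, string userPoolId)
    {
        _cognito = cognito;
        _userPoolId = userPoolId;
    }

    // providerName:       IdP name exactly as configured in the pool, e.g. "Google" (ASSUMED).
    // providerSub:        the IdP's stable subject id ("sub" claim). The link is keyed on this,
    //                     not on the email, so a later email change at the IdP cannot move it.
    // emailVerifiedByIdp: caller has checked the IdP's own email_verified claim (ASSUMED input).
    public async Task<string> LinkToNativeUserAsync(
        string email, string providerName, string providerSub, bool emailVerifiedByIdp)
    {
        if (!emailVerifiedByIdp)
            throw new InvalidOperationException("Refusing to link an unverified IdP email.");

        // 1. Find the native user by email. ListUsers also returns federated users that carry
        //    the same email attribute, so exclude usernames in the "<Provider>_..." format
        //    (ASSUMED naming of Cognito's auto-created federated users) and require a verified email.
        var list = await _cognito.ListUsersAsync(new ListUsersRequest
        {
            UserPoolId = _userPoolId,
            Filter = $"email = \"{email.Replace("\"", string.Empty)}\"",
            Limit = 10
        });
        var native = list.Users.FirstOrDefault(u =>
            !u.Username.StartsWith(providerName + "_", StringComparison.OrdinalIgnoreCase) &&
            u.Attributes.Any(a => a.Name == "email_verified" && a.Value == "true"));
        if (native == null)
            throw new InvalidOperationException("No native user with a verified matching email.");

        // 2. Delete the federated user that Cognito created on the IdP's first sign-in, if any.
        //    The external identity must not remain a separate user while it is being linked.
        var federatedUsername = $"{providerName}_{providerSub}"; // ASSUMED username format
        try
        {
            await _cognito.AdminDeleteUserAsync(new AdminDeleteUserRequest
            {
                UserPoolId = _userPoolId,
                Username = federatedUsername
            });
        }
        catch (UserNotFoundException)
        {
            // The IdP user has never signed in: nothing to delete.
        }

        // 3. Link the external identity (by subject) to the native user.
        await _cognito.AdminLinkProviderForUserAsync(new AdminLinkProviderForUserRequest
        {
            UserPoolId = _userPoolId,
            DestinationUser = new ProviderUserIdentifierType
            {
                ProviderName = "Cognito",
                ProviderAttributeValue = native.Username
            },
            SourceUser = new ProviderUserIdentifierType
            {
                ProviderName = providerName,
                ProviderAttributeName = "Cognito_Subject",
                ProviderAttributeValue = providerSub
            }
        });

        return native.Username;
    }
}
```

The caller needs IAM permissions for cognito-idp:ListUsers, AdminDeleteUser and AdminLinkProviderForUser on the pool; keep that principal separate from the one serving ordinary sign-in traffic, since anything that can call AdminLinkProviderForUser can grant an external identity access to any account in the pool.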

1 Answer
0

The issue you're experiencing is likely related to token caching and propagation delays in AWS Cognito after performing user management operations. When you delete a federated user and then link them to an existing native Cognito user, there's a period where the system needs to fully propagate these changes across its infrastructure.

The "invalid_grant" error you're encountering during the token exchange process is probably due to this propagation delay. Cognito may still be processing the changes or clearing cached information related to the deleted federated user account.

The fact that this issue resolves itself after 15-20 minutes supports the theory that it's related to caching or propagation delays. The difference in behavior when deleting the federated user directly from the AWS console versus through the API could be due to different internal processes or priority levels for these operations.

Unfortunately, the methods you've tried (RevokeTokenAsync, AdminDisableUserAsync, and AdminUserGlobalSignOutAsync) don't seem to immediately resolve the issue. These operations are designed to invalidate tokens or disable user access, but they may not immediately clear all cached data across Cognito's distributed system.

To mitigate this issue, you could consider the following approaches:

  1. Implement a retry mechanism in your application that attempts to exchange the authorization code for tokens multiple times over a period, with appropriate backoff intervals.

  2. If possible, consider using the Pre-Sign Lambda function for this operation, as you mentioned it doesn't cause the same issue.

  3. Introduce a delay in your application flow after deleting and linking the user before attempting to log in again. This delay could allow time for the changes to propagate.

  4. Instead of deleting the federated user, you could try updating the user's attributes to link them to the native Cognito user. This might avoid the caching issues associated with deletion.

  5. Reach out to AWS support for further investigation, as this behavior might be specific to your Cognito configuration or could be an edge case in Cognito's behavior that needs addressing.

Remember, when working with distributed systems like Cognito, it's important to design your application to handle temporary inconsistencies and propagation delays. Implementing appropriate error handling and retry logic can help manage these scenarios.
Sources
AdminUserGlobalSignOut - Amazon Cognito User Pools
GlobalSignOut - Amazon Cognito User Pools

answered 7 months ago
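The answer's first suggestion is a retry around the token exchange. One caveat a practitioner should build in: an authorization code is single-use (RFC 6749, section 4.1.2), so once the token endpoint has answered invalid_grant the same code cannot simply be resubmitted; a retry has to send the user back through /oauth2/authorize for a fresh code, with a bounded attempt count. The following is an added example, not the answerer's code: it exchanges a code at the Cognito token endpoint, surfaces the OAuth error name instead of a bare exception, and builds the bounded retry redirect. The Cognito domain, client id, client secret, redirect URI and the attempt counter encoded in `state` are assumptions; the caller must still bind `state` to the user's session and verify it on callback.

```csharp
// Added example: authorization-code exchange against a Cognito hosted-UI domain,
// with error reporting and a bounded restart instead of resubmitting a used code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed record TokenResult(bool Ok, string? IdToken, string? AccessToken, string? Error);

public sealed class CognitoTokenClient
{
    public const int MaxAttempts = 3; // ASSUMED cap on restarted authorization requests

    private readonly HttpClient _http;
    private readonly string _domain;       // ASSUMED: "https://myapp.auth.us-east-1.amazoncognito.com"
    private readonly string _clientId;     // ASSUMED
    private readonly string _clientSecret; // ASSUMED: confidential (server-side) app client
    private readonly string _redirectUri;  // ASSUMED: must match the authorize request exactly

    public CognitoTokenClient(HttpClient http, string domain, string clientId,
                              string clientSecret, string redirectUri)
    {
        _http = http;
        _domain = domain.TrimEnd('/');
        _clientId = clientId;
        _clientSecret = clientSecret;
        _redirectUri = redirectUri;
    }

    // One exchange attempt. Returns Ok=false with the OAuth "error" value (for example
    // "invalid_grant") rather than throwing, so the caller can decide what to do.
    public async Task<TokenResult> ExchangeCodeAsync(string code)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, $"{_domain}/oauth2/token");
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = _clientId,
            ["code"] = code,
            ["redirect_uri"] = _redirectUri
        });

        using var response = await _http.SendAsync(request);
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;

        if (!response.IsSuccessStatusCode)
        {
            var error = root.TryGetProperty("error", out var e) ? e.GetString() : "unknown_error";
            return new TokenResult(false, null, null, error);
        }
        return new TokenResult(true,
            root.GetProperty("id_token").GetString(),
            root.GetProperty("access_token").GetString(),
            null);
    }

    // Builds the redirect that restarts sign-in after invalid_grant. The attempt number rides
    // in the state value (ASSUMED "<nonce>.<attempt>" layout); returns null once the cap is hit
    // so the caller shows an error instead of looping the user through the IdP forever.
    public string? BuildRetryAuthorizeUrl(string stateNonce, int attempt, string identityProvider)
    {
        if (attempt >= MaxAttempts) return null;
        var query = new Dictionary<string, string>
        {
            ["response_type"] = "code",
            ["client_id"] = _clientId,
            ["redirect_uri"] = _redirectUri,
            ["scope"] = "openid email",
            ["identity_provider"] = identityProvider, // e.g. "Google" (ASSUMED)
            ["state"] = $"{stateNonce}.{attempt + 1}"
        };
        var qs = string.Join("&", query.Select(kv =>
            $"{Uri.EscapeDataString(kv.Key)}={Uri.EscapeDataString(kv.Value)}"));
        return $"{_domain}/oauth2/authorize?{qs}";
    }

    // Parses the attempt counter back out of a returned state value; 0 if absent or malformed.
    public static int AttemptFromState(string state)
    {
        var dot = state.LastIndexOf('.');
        return dot >= 0 && int.TryParse(state[(dot + 1)..], out var n) ? n : 0;
    }
}
```

In the callback handler the flow is: `ExchangeCodeAsync(code)`; on `Error == "invalid_grant"` read the attempt with `AttemptFromState`, call `BuildRetryAuthorizeUrl` and redirect if it returns a URL, otherwise fail the login. Any other error value (for example `invalid_client` or `unauthorized_client`) is a configuration problem and should not be retried at all.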
