I have enabled federated login in my Cognito user pool and what I'm trying to achieve is linking federated identities to the existing user profile, if a user with the same email address already exists in my pool, to offer a consistent experience.
There are two approaches I've already tried, using a PreSignUp Lambda. For simplicity, I'll explain them using pseudocode:
if event['triggerSource'] == 'PreSignUp_ExternalProvider':
user = find_existing_users_by_email()
if user != null:
admin_link_provider_for_user()
return event
if event['triggerSource'] == 'PreSignUp_ExternalProvider':
user = find_existing_users_by_email()
if user != null:
admin_link_provider_for_user()
# notice I'm not returning anything here to the chain so the federated user doesn't get created in my pool
else:
return event
else:
return event
The first approach does the linking as I see the federated identity attached to the Cognito native user in the identities attribute. However, it also creates a new user with confirmation status as 'External provider', which I would expect to happen only for new users that don't have existing user profiles. The user is also automatically signed in as the external identity, which is not what I want at all.
Therefore, I thought I should not return the event to the pre sign up chain if I find an existing user profile, because I don't want the sign up chain to create a new profile. This is done in the second approach. But what happens now is that after the first sign up, the user is not automatically signed in, but redirected to the hosted UI's login page and he has to input his credentials once again. Good thing is, that with the second login, the user is signed in as the existing native user and no other external profiled get created during the process.
Is the PreSignUp logic from the first scenario working as expected? If so, what's the best practice to avoid making users signing in twice?
AWS OFFICIALUpdated 6 months ago
