Error Invalid ProviderName/Username combination after AdminLinkProviderForUser using Azure OIDC

0

I have federated (OIDC) access enabled on my user pool; the provider is Azure AD OIDC. My app requires users first to sign up using an email and password. Then, after their first login, I give them the option to enable "Sign In with Microsoft." I created an IdP called "microsoft". When the user clicks "Sign In with Microsoft" (after the initial login with email/password), I noticed Cognito tries to create a new Cognito user account with the same email. To prevent the new account creation, my pre sign-up Lambda trigger uses AdminLinkProviderForUserCommand to link the provider to the existing user, using the following params:

const params = {
  DestinationUser: {
    ProviderAttributeValue: '939c5abf-b932-4357-830f-4cb738a6a6e5', // existing Cognito username
    ProviderName: 'Cognito'
  },
  SourceUser: {
    ProviderAttributeName: 'Cognito_Subject',
    ProviderAttributeValue: '8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli', // cleaned-up event.userName (original event.userName: microsoft_8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli)
    ProviderName: 'microsoft' // my IdP provider name
  }
};

The new identity gets added successfully, without any error, to the existing Cognito user:

[{"userId":"8uugg06w2e8cbfbbzfdngsmenuzfyvyc_peznvmhzli","providerName":"microsoft","providerType":"OIDC","issuer":null,"primary":false,"dateCreated":1709864300329}] 

After linking the provider successfully, I get the error: Error Invalid ProviderName/Username combination. I don't understand why. Help, please.

David
Asked 2 months ago, viewed 210 times
1 answer
0
Accepted answer

I found the problem. After looking closely at the username (aka IdP sub) attribute, I noticed it was all lowercase letters. For some reason, Cognito is changing the sub sent by the IdP.

  • The sub returned by Cognito, mapped to username: microsoft_ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
  • After cleaning up, I was setting my SourceUser.ProviderAttributeValue to: ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
  • But the real 'sub' sent by the IdP is: GGp_c-Q7nrOdmtFt5R0gt79OfFfXWcjaZBj37NcZ0qA (notice the actual sub has uppercase and lowercase letters). This results in the error: Error Invalid ProviderName/Username

The fix is to set your SourceUser.ProviderAttributeValue to the original IdP sub.

  1. Go to Sign-up Experience
  2. Create a new custom attribute: 'custom:sub'
  3. Go to Sign-In Experience and click on your IdP provider, in my case I named it "Microsoft"
  4. Scroll down to the mapping section, and map 'custom:sub' to the OIDC attribute sub
  5. Go to App Integration and click on your client app
  6. Scroll to Attribute read and write permissions, and make sure 'custom:sub' has read/write permissions (otherwise Cognito won't return it)

Now update your AdminLinkProviderForUser function and set SourceUser.ProviderAttributeValue to event.request.userAttributes['custom:sub'].

I did an if statement because this is only needed for Azure AD OIDC; this code is not needed if you are using Azure SAML or other social providers.

// event.userName has the form "<providerName>_<sub>"; split on the first underscore
let SourceProviderUsername = event.userName.substring(event.userName.indexOf('_') + 1);
const SourceProviderName = event.userName.substring(0, event.userName.indexOf('_'));
// if the IdP provider is "microsoft", I need to set SourceProviderUsername to the real (case-preserving) sub
if (SourceProviderName === 'microsoft') {
  SourceProviderUsername = event.request.userAttributes['custom:sub'];
}
// set the rest of the fields required to call AdminLinkProviderForUser

That was 3 days of battling this issue, I hope I can save you some time.

David
Answered 2 months ago
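The accepted answer's fix, written out as a complete pre sign-up handler helper. This is an added example, not the poster's code or AWS's: it splits event.userName on the first underscore (the sub itself may contain underscores, as the answer's example shows), substitutes the case-preserving value from custom:sub only for the "microsoft" provider, and refuses to build link parameters for any trigger other than PreSignUp_ExternalProvider so that a plain email/password sign-up is never linked. The sample event, the user pool id, the existing username passed to buildLinkParams, and the function names are constructed for illustration; the SDK call itself is only referenced in a comment so the block runs offline.

```javascript
// Added example (not the original poster's code): builds the parameters for
// AdminLinkProviderForUser inside a Cognito pre sign-up Lambda, applying the
// answer's fix of using the IdP's original `sub` (mapped to custom:sub) for the
// "microsoft" OIDC provider instead of the lowercased value Cognito puts in
// event.userName. All event values below are constructed sample data.

// Split "provider_sub" on the FIRST underscore only: the sub itself may
// contain underscores (e.g. "ggp_c-q7..."), so splitting on every "_" would break.
function splitFederatedUsername(userName) {
  const i = userName.indexOf('_');
  if (i < 0) {
    throw new Error(`Not a federated username: ${userName}`);
  }
  return {
    providerName: userName.substring(0, i),
    providerUserId: userName.substring(i + 1),
  };
}

// Returns the params for AdminLinkProviderForUserCommand, or null when the
// trigger is not an external-provider sign-up (nothing to link in that case).
// `existingUsername` is the Cognito username of the already-registered user;
// looking it up by email before calling this is assumed and not shown here.
function buildLinkParams(event, existingUsername) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') {
    return null;
  }
  const { providerName, providerUserId } = splitFederatedUsername(event.userName);
  const attrs = event.request.userAttributes || {};

  // Azure AD OIDC: Cognito lowercases the sub inside userName, but the link
  // must use the case-preserving sub the IdP actually sent (custom:sub).
  // SAML and social providers keep working with the value from userName.
  let providerAttributeValue = providerUserId;
  if (providerName === 'microsoft') {
    const originalSub = attrs['custom:sub'];
    if (!originalSub) {
      throw new Error('custom:sub missing: check the IdP attribute mapping and the app client read permission');
    }
    providerAttributeValue = originalSub;
  }

  return {
    UserPoolId: event.userPoolId,
    DestinationUser: {
      ProviderName: 'Cognito',
      ProviderAttributeValue: existingUsername,
    },
    SourceUser: {
      ProviderName: providerName,
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerAttributeValue,
    },
  };
}

// Constructed sample event in the shape Cognito sends to a pre sign-up trigger.
const sampleEvent = {
  triggerSource: 'PreSignUp_ExternalProvider',
  userPoolId: 'us-east-1_EXAMPLE', // placeholder pool id
  userName: 'microsoft_ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa',
  request: {
    userAttributes: {
      email: 'user@example.com',
      'custom:sub': 'GGp_c-Q7nrOdmtFt5R0gt79OfFfXWcjaZBj37NcZ0qA',
    },
  },
};

// In the real Lambda these params go to
// client.send(new AdminLinkProviderForUserCommand(params)) from
// @aws-sdk/client-cognito-identity-provider; here we only build them.
const params = buildLinkParams(sampleEvent, '939c5abf-b932-4357-830f-4cb738a6a6e5');
console.log(JSON.stringify(params, null, 2));
```

If custom:sub is absent the helper throws rather than silently falling back to the lowercased value, because that fallback is exactly what produces the "Invalid ProviderName/Username combination" error after the link appears to succeed; failing loudly in the trigger surfaces a missing attribute mapping or a missing read permission on the app client immediately.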
