AWS Cognito Switch User to Federated Account

Posted 2020-06-20 19:15

I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.

But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.

Is this possible?

Thanks in advance!

1 answer
走好不送
#2 · 2020-06-20 19:51

Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.

Splitting your query into 2 parts:

1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link the Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate a token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.

2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users, who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to log in using a username and password, a new account will have to be created using the SignUp API or AdminCreateUser API. Also, this account cannot be linked to the previous Facebook account using AdminLinkProviderForUser because a prerequisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.

So, in short, you would have to create a new user using the SignUp or AdminCreateUser API, delete the auto-created Facebook user, and finally link the Facebook account as mentioned in case 1.
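The two cases from the answer above, as an added example that is not part of the original answer. It uses the boto3 cognito-idp method names for the APIs the answer mentions; the helper names, the `RecordingClient` stand-in, the `email` attribute and the provider name "Facebook" are assumptions.

```python
import json

PROVIDER = "Facebook"  # IdP name as configured in the user pool (assumed)

def _fb(fb_id):
    # Provider-user descriptor used by both the link and the disable call.
    return {"ProviderName": PROVIDER, "ProviderAttributeName": "Cognito_Subject",
            "ProviderAttributeValue": fb_id}

def facebook_subject(user):
    """Facebook user id from an AdminGetUser response's identities claim, or None."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    for ident in json.loads(attrs.get("identities", "[]")):
        if ident.get("providerName") == PROVIDER:
            return ident["userId"]
    return None

def link_facebook(idp, pool_id, native_username, fb_id):
    """Case 1: attach a Facebook identity to an existing native user."""
    idp.admin_link_provider_for_user(
        UserPoolId=pool_id, SourceUser=_fb(fb_id),
        DestinationUser={"ProviderName": "Cognito",
                         "ProviderAttributeValue": native_username})

def unlink_facebook(idp, pool_id, fb_id):
    """Case 1, reversed: remove the Facebook link again."""
    idp.admin_disable_provider_for_user(UserPoolId=pool_id, User=_fb(fb_id))

def convert_federated_user(idp, pool_id, fb_username, new_username, email):
    """Case 2: create a native user, delete the auto-created one, then link."""
    old = idp.admin_get_user(UserPoolId=pool_id, Username=fb_username)
    fb_id = facebook_subject(old)
    if old.get("UserStatus") != "EXTERNAL_PROVIDER" or fb_id is None:
        raise ValueError("not an auto-created Facebook user; refusing to delete")
    idp.admin_create_user(UserPoolId=pool_id, Username=new_username,
                          UserAttributes=[{"Name": "email", "Value": email}])
    idp.admin_delete_user(UserPoolId=pool_id, Username=fb_username)
    link_facebook(idp, pool_id, new_username, fb_id)
    return fb_id

class RecordingClient:
    """Constructed stand-in for boto3.client("cognito-idp"); records call order."""
    def __init__(self, user):
        self.user, self.calls = user, []
    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.user if name == "admin_get_user" else {}
        return call
```

Linking lets the Facebook identity sign in as the destination user, so these admin calls belong on the server, made only after the same person has authenticated to both accounts.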
