Are Unique CognitoUsers Created on Email/Password and Social Federation Sign-In for the Same Email? - amazon-cognito

I'd like to confirm if what I observed is correct with regards to Amazon Cognito User Pools and Amplify, especially with the bold text:
A user pool is a user directory in Amazon Cognito. With a user pool,
your users can sign in to your web or mobile app through Amazon
Cognito. Your users can also sign in through social identity providers
like Google, Facebook, Amazon, or Apple, and through SAML identity
providers. Whether your users sign in directly or through a third
party, all members of the user pool have a directory profile that you
can access through a Software Development Kit (SDK).
So far I have set up in an Amplify app:
1. Email/Password Sign-up/Sign-in (used amplify add auth with username as email)
2. Google and Facebook social federation (used amplify update auth)
What I Expect:
1. I'll be able to create a new account (CognitoUser) with email myemail@gmail.com using email/password sign-up. (myemail@gmail.com hasn't been registered yet or associated with any social federation sign-ins).
2. A new CognitoUser account will not be created if I Google Sign-in using the Google email myemail@gmail.com. Instead, I will be presented with the account/CognitoUser that I confirmed from #1 after Google sign-in.
Whether your users sign in directly or through a third party, all
members of the user pool have a directory profile that you can access
through a Software Development Kit (SDK).
What I Get/Observations:
I seem to get (2) unique Cognito Users each for the email/password sign-in and Google Sign-in methods. (Please see the attached CognitoUser Logs screenshots below)
My Questions:
1. If I first signed up an email (myemail@gmail.com) using email/password, do I get (2) unique Cognito Users if I sign in again using a Google (or Facebook) account that uses the same email myemail@gmail.com?
2. If (2) CognitoUsers are created for the same email,
2.1 How do I prevent a new CognitoUser creation for Google Sign-in when the email has already been registered using email/password and vice-versa?
2.2 Is it possible to reuse the CognitoUser from an email/password sign-in on a Google sign-in of the same email?
3. If [2.1] cannot be prevented, how can server-side data be best managed for the 2 CognitoUsers (that share the same email myemail@gmail.com)?
TIA for your insights and advice!
CognitoUser Logs
CognitoUser from email/password sign-in (myemail@gmail.com):
CognitoUser from Google Sign-in (Auth.federatedSignIn({provider: 'Google'})). Google email is myemail@gmail.com:
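The mechanism Cognito offers for question 2.1/2.2 is a PreSignUp Lambda trigger that calls AdminLinkProviderForUser, so the Google/Facebook identity is attached to the existing native user instead of becoming a second CognitoUser. The block below is an added example, not the asker's code or anything from Amplify or AWS; it assumes the pool signs users in by email (native Usernames are UUIDs), that a federated userName arrives as "<ProviderName>_<providerUserId>" with the name spelled as the pool's identity provider, and a small injected client standing in for the AWS SDK.

```javascript
// Added example, not the asker's code: decision logic for a Cognito PreSignUp
// Lambda trigger that keeps one CognitoUser per email. Assumptions: the pool
// signs users in by email (native Usernames are UUIDs, so a Username containing
// "_" is federated) and a federated userName is "<ProviderName>_<providerUserId>"
// with the provider name spelled exactly as the pool's identity provider.
const attr = (user, name) => (user.Attributes || []).find(a => a.Name === name)?.Value;
const isFederated = user => user.Username.includes('_');

// Given the trigger event and the ListUsers result for that email, return
// { action: 'link', params } (AdminLinkProviderForUser input), { action: 'reject', reason } or { action: 'none' }.
function decide(event, existingUsers) {
  const email = event.request?.userAttributes?.email;
  if (!email) return { action: 'none' };
  const sameEmail = existingUsers.filter(
    u => (attr(u, 'email') || '').toLowerCase() === email.toLowerCase());
  if (event.triggerSource === 'PreSignUp_SignUp') {
    // Native sign-up for an email already owned by a federated user: refuse,
    // so the person reuses the existing identity instead of getting a second one.
    return sameEmail.some(isFederated)
      ? { action: 'reject', reason: 'email is registered via an identity provider' }
      : { action: 'none' };
  }
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return { action: 'none' };
  const idx = (event.userName || '').indexOf('_');
  if (idx <= 0) return { action: 'none' };
  // Link only to a native user whose email is verified: an unverified native
  // account could have been registered by someone else using this address.
  const native = sameEmail.find(
    u => !isFederated(u) && attr(u, 'email_verified') === 'true');
  if (!native) return { action: 'none' };
  return { action: 'link', params: {
    UserPoolId: event.userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: native.Username },
    SourceUser: { ProviderName: event.userName.slice(0, idx),
                  ProviderAttributeName: 'Cognito_Subject',
                  ProviderAttributeValue: event.userName.slice(idx + 1) },
  } };
}

// Lambda handler. `cognito` is injected so the logic runs without AWS; in a real
// deployment it wraps ListUsers / AdminLinkProviderForUser from the AWS SDK.
async function handler(event, cognito) {
  const email = event.request?.userAttributes?.email;
  const Users = email ? (await cognito.listUsers({
    UserPoolId: event.userPoolId, Filter: `email = "${email}"` })).Users || [] : [];
  const d = decide(event, Users);
  if (d.action === 'reject') throw new Error(d.reason);
  if (d.action === 'link') await cognito.adminLinkProviderForUser(d.params);
  return event; // a PreSignUp trigger must return the event object
}
```

The Lambda's execution role needs cognito-idp:ListUsers and cognito-idp:AdminLinkProviderForUser on the pool, and it is commonly reported that the very first federated sign-in that triggers a link fails once with an "Already found an entry for username ..." error before the retry succeeds.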

Related

Multiple login in firebase

I am using Firebase for user authentication for my project.
I added two sign-in methods: email/password and Google sign-in.
But I don't want to allow a user to log in with the same email using both the email and Google sign-in providers.
I know I can disable this option from the Firebase project settings, but I am not able to find this option.

Auth0 Guest user login and Rest API login

Lately I started looking into a PoC with Auth0 for our use case, where we want to allow users to log in with Google and Facebook. We also want guest users to log in and access our API, and once a guest user chooses to log in with Google or Facebook we can link the guest user so that their data will be served once they log out.
Here are the things I have been able to do so far with the PoC:
Able to log in with Google and Facebook through the client app.
Access the authenticated API after getting a bearer token from the client app.
Things which still need to be done (I tried to search but couldn't find a good resource):
I want users to log in as a guest user and later, if they want, log in with Google/FB and link their account.
Also, I am looking into a REST login API in Auth0 so that we can hit the login API after getting an access token from Google/FB, register the user into Auth0 and get the token for API access.
It would be great if anyone could help me on the above two points. Thanks!

AWS Cognito with social login Google, Facebook, Apple and react native

I'm currently working on the implementation of social login using react-native and AWS Cognito. For now it's working well (with or without Amplify), but the issue is that I have to open a webview using the Cognito hosted UI, which redirects directly to Google / Facebook / Apple. So basically, when the user clicks on the Google sign-in button, there is this kind of message: "myapp wants to open amazoncognito to connect...". As a user experience it is quite mediocre, so I am wondering if it is possible to implement a different sign-in flow so as not to redirect to an external URL.
I have tried the implementation with react-native-google-signin, but in that case I have to use AWS federated identities instead of my user pool (typically, the Google sign-in retrieves an ID token that can be passed to Cognito federated identities). So I do not really like that solution...
I don't know exactly the process of signing up with a social login provider, but if someone has ever met this issue and found a user-friendly way to implement it, I am obviously interested in the solution! (One option would be to figure out how to use the IdToken generated by Google to sign the user in to my Cognito user pool; the other would be to directly use an iframe to open Facebook, Google, Apple, so at least the message would not appear.)
Thank you for your help!

Firebase authentication provider silently changes from password to google.com

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".
When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").
Is this normal behaviour?
Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android
This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here

firebase unauth with google doesn't allow change of user

Is there a setting, either in Google projects or in Firebase databases, for specifying that unauth should not cache user credentials? Once I have logged into my app via the Firebase Google authentication, calling unauth() does not permit me to log in again with a different account. An attempt to log in after that immediately logs in with the old credentials without asking for a new username and password. Closing and reopening the browser after the logout didn't help.
Firebase doesn't have access to your credentials when you use its Google authentication. Instead it uses OAuth to create a relationship between the Google account and your application.
When you call unauth Firebase expires the token that is part of the current session. But it does not remove the relationship between the Google account and your application. That's why you "automatically" get a new token when you call auth... next time.
It is up to each individual user to revoke the rights, which in the case of a Google account they can do at the Account Permissions page: https://security.google.com/settings/security/permissions