How to disable AWS Cognito User Pool account created via Identity Provider?


Any Cognito User Pool gurus out there? I've been using Cognito for a while now but this one has me a bit stumped.

  • We allow users to sign up and sign in using social accounts like Facebook which are set up as Identity Providers in the User Pool.

  • Users need to complete a custom registration form before they can use the main app - we don't use the hosted UI for login or signup

  • One step of the custom registration process allows the user to indicate which social provider they want to use

  • This allows us to pull back the user's email, first and last names from the social provider which is great - we use a Cognito client and callback to do this currently

  • But in doing so, this provisions a user within the User Pool before the registration process is complete - in fact this makes sense - in order for Cognito to provide us the user info it needs to have called into the social provider's /userinfo endpoint to populate the user data

  • So, the issue we now have is that whilst the user is halfway through the registration process I have a confirmed user account - e.g. before the user has completed the registration process

  • This is an issue because a user could sign into the app using their social login without ever having completed the registration process

So as I see it I have two options:

  • PostConfirmation Lambda trigger which uses the cognito-idp SDK to disable the user just after it was confirmed
  • Don't use Cognito to obtain the user info like firstname, lastname, email, picture etc - however this would require us to write a solution for every current and future social provider which isn't something I'm keen on

Am I missing something obvious?

Thanks in advance!


There are 2 answers

BigJump (best answer)

The simplest solution in the end for us was a Pre Token Generation Trigger in Cognito like this:

```javascript
exports.handler = async (event) => {
  // Federated/social sign-ins arrive with this trigger source
  if (event.triggerSource === "TokenGeneration_HostedAuth") {
    // check db/api etc to see if we have a valid registration stored for user
    // (lookupRegistration is a placeholder for your own lookup)
    const hasCompletedRegistration = await lookupRegistration(event.userName);
    if (!hasCompletedRegistration) {
      // throw auth exception which we can catch on the frontend to inform user
      throw new Error("REGISTRATION_NOT_COMPLETE");
    }
  }

  return event;
};
```

For username/password sign-ins the TriggerSource will be TokenGeneration_Authentication

For federated/social sign-ins the TriggerSource will be TokenGeneration_HostedAuth
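An added example (not BigJump's code) that goes beyond the answer above: it gates both trigger sources listed, plus TokenGeneration_RefreshTokens so tokens issued before registration finished cannot be renewed, and records the check as an ID token claim. The registration lookup is stubbed with an in-memory Set (constructed sample data) so it runs offline; the claim name `registration_complete` is an assumption.

```javascript
// Trigger sources that issue a fresh token set and must be gated.
const GATED_SOURCES = new Set([
  "TokenGeneration_HostedAuth",     // federated/social sign-in
  "TokenGeneration_Authentication", // username/password sign-in
  "TokenGeneration_RefreshTokens",  // renewal of an earlier session
]);

// Constructed stand-in for the real registration table: one federated
// user (Cognito names these "<Provider>_<providerUserId>") has finished.
const sampleRegistrations = new Set(["Facebook_1001"]);

// Pure decision function: returns the event (with an added claim) or throws.
function gateTokenIssuance(event, registrations) {
  if (!GATED_SOURCES.has(event.triggerSource)) {
    // Other sources are passed through unchanged.
    return event;
  }
  if (!registrations.has(event.userName)) {
    // Surfaces to the client as a failed auth carrying this message.
    throw new Error("REGISTRATION_NOT_COMPLETE");
  }
  // Let the app trust the check from the ID token rather than re-querying.
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    claimsToAddOrOverride: { registration_complete: "true" },
  };
  return event;
}

// Builds a minimal Pre Token Generation event for local runs (constructed).
function makeEvent(triggerSource, userName) {
  return { triggerSource, userName, request: { userAttributes: {} }, response: {} };
}

// Lambda entry point wired to the sample store.
const handler = async (event) => gateTokenIssuance(event, sampleRegistrations);
if (typeof exports !== "undefined") exports.handler = handler;
```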

Leon Africa

I would say a PostConfirmation Lambda trigger is a good approach - however, instead use adminDisableProviderForUser to disable the user from signing in with the specified external (SAML or social) identity provider.

You can later call adminLinkProviderForUser to link the existing user account in the user pool to the external identity provider.

An alternative solution is to prevent the user from signing in if they have not fully completed the registration process, via a Pre Authentication Lambda trigger that checks for a unique identifier tied to your completed registration process.