Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
5.3k views
in Technique[技术] by (71.8m points)

amazon web services - Internal Server Error when logging in with Cognito federated linked account if federated account is separate in the userpool

Goal:

I am trying to automatically link federated user accounts (Google) to a Cognito account with matching email addresses in the PreSignUp_ExternalProvider Cognito trigger.

Approach:

  • I followed most of the logic in this thread to response to the PreSignUp_ExternalProvider trigger, using client.admin_link_provider_for_user to link identities.
  • I am using an implicit grant flow and sending federated login users to: https://${userpoolData.AppWebDomain}/oauth2/authorize?response_type=token&client_id=${userpoolData.ClientId}&identity_provider=Google.

Expected Behavior:

I expect the outcome below (which includes known bugs/problems):

  • I use client.admin_link_provider_for_user to link the two accounts together
  • I end up with two user accounts: the original Cognito account and a new Google_<someId> in my user pool. My original Cognito account has attached Google identity info now, and my new federated account will redirect to my original
  • The auth flow will fail during the first sign-in with the username already found, but I can catch this and restart the auth flow.
  • A restarted auth flow should log me in successfully with an #access_token as the destination Cognito account

Problem:

No matter how many times I try to log in with the federated account after the first expected error, I get the following response when it calls back to my server: ${myServer}/idp#error_description=Internal+server+error.+&error=server_error.

Something that works, but is it supposed to be this way?

I can raise an exception in my Lambda trigger immediately after creating the link between the two accounts, which will successfully add identity info to my original user but interrupt the rest of the flow and not create the second Google_<someId> Cognito account.

client.admin_link_provider_for_user(
    ... my args
)
raise Exception("Preventing creation of duplicate account " + event['userName'])

Once I catch this exception and restart the auth flow, I am able to log in perfectly via federated auth as my original user.

This does not feel like a sustainable or intended pattern. How can I log in successfully without resorting to interrupting Cognito's intended behavior?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
等待大神解答

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...