I have a particular auth flow that requires us to verify a user's email domain before allowing them to log in, but we also want them to be able to log in with any method they want
The login flow looks like this:
cognito:sign_up
and a cognito:forgot_password
Any ideas on how to solve this, either with the login flow or the Google auth flow? My only idea here is attempting a link in the pre-sign-up trigger for the Google account by looking up the existing user with the first name and last name. This may work most of the time, but in case anyone types their name incorrectly or doesn't have their name on their Google account, we may not be able to link the accounts correctly.
Failure in linking the account isn't the end of the world for access, but it causes some other data issues for us down the line that I'm not going to get into here.
I ultimately reached out to AWS support with this same question and they confirmed that it is not possible due to the fact that Google initiates the link between it and Cognito and therefore does not allow you to pass any data into that pre-sign-up trigger. I understand this is likely by design to not allow any additional data passed in with the Google token, so that nobody can manipulate the sign-up process. Fully understandable from Google's perspective.
In terms of what to do, it's a pretty niche use case to require linking two accounts with different emails. Moving forward I will add the user's business email to the newly created social account as an attribute from the session once they are logged in. I will end up with duplicates of some users in Cognito but I will have to live with that. The social login account will be the one with access when the user logs in again. I could even run a lookup on users' attributes to find if someone has a separate account when logging in.
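As an added illustration of the name-based linking idea raised in the question (this is example code, not the poster's or AWS's), a pre-sign-up Lambda handler that only acts on the external-provider trigger source, links the Google identity to a native user only when exactly one native user has that given and family name, and otherwise leaves the sign-up untouched so a new account is created. The pool id, the `google_<sub>` username format and the injectable `client` are assumptions; the Cognito API calls (`list_users`, `admin_link_provider_for_user`) are real boto3 methods.

```python
"""Hypothetical Cognito PreSignUp trigger: link a Google sign-in to a native
user by name, but only on an unambiguous match (constructed example)."""
import os

try:
    import boto3  # present in the Lambda runtime
except ImportError:  # not needed when a client is injected (tests, local runs)
    boto3 = None

USER_POOL_ID = os.environ.get("USER_POOL_ID", "us-east-1_EXAMPLEPOOL")  # placeholder


def find_native_user(client, given_name, family_name):
    """Return the username of the single native user with this name, else None."""
    if '"' in given_name:  # quotes would break the ListUsers filter string
        return None
    # ListUsers filters on one attribute only; family_name is checked locally.
    resp = client.list_users(UserPoolId=USER_POOL_ID,
                             Filter=f'given_name = "{given_name}"')
    matches = [
        u["Username"] for u in resp.get("Users", [])
        if u.get("UserStatus") != "EXTERNAL_PROVIDER"  # skip other social users
        and any(a["Name"] == "family_name" and a["Value"] == family_name
                for a in u.get("Attributes", []))
    ]
    # Zero matches (typo, missing name) or several (common name) -> no link.
    return matches[0] if len(matches) == 1 else None


def handler(event, context=None, client=None):
    """Lambda entry point; returns the event unchanged when no link is made."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event
    client = client or boto3.client("cognito-idp")
    attrs = event["request"]["userAttributes"]
    given, family = attrs.get("given_name"), attrs.get("family_name")
    if not given or not family:
        return event  # Google account without a name: nothing to match on
    target = find_native_user(client, given, family)
    if target is None:
        return event
    # Assumed username format "google_<subject>" for federated sign-ups.
    provider, _, subject = event["userName"].partition("_")
    client.admin_link_provider_for_user(
        UserPoolId=USER_POOL_ID,
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": target},
        SourceUser={"ProviderName": provider.capitalize(),
                    "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject},
    )
    return event
```

A name match is not a verified identity claim, which is why the handler refuses to link on anything other than a single native match.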