authentication aws-lambda oauth-2.0 amazon-cognito amazon-cognito-triggers

Trying to link an existing Cognito user with a newly created Federated user with different emails

I have a particular auth flow that requires us to verify a user's email domain before allowing them to login, but we also want them to be able to log in with any method they want

The login flow looks like this:

User registers on a login page with their business email (domain that needs to be verified), first name, and last name
We look up their email domain in a database to check that the domain should be granted access
Once we have verified the domain and they have registered, we send them an email with a link to login
- in the backend we are running a cognito:sign_up and a cognito:forgot_password
- running forgot password allows us to require a confirmation code, and we create a link that includes the confirmation code in the query string
When they click the link to log in, they are directed to a page where they can set their password, or they can login with social login (let's say google). The next time they log in, they use google.
- In theory, it would be amazing to run a simple account link at this point to link the accounts so that their business email is associated with their google account. However, it seems that I have two issues blocking me from doing this:
  - I cannot pass any information to the pre-sign-up trigger for logging in with google, which means I can't pass the existing Cognito User ID or the business email of the existing user.
  - I cannot link accounts after the federated user has already signed in.

Any ideas on how to solve this, either with the login flow or the google auth flow? My only idea here is attempting a link in the pre-sign-up trigger for the google account by looking up the existing user with the first name and last name. This may work most of the time, but in case anyone types their name incorrectly or doesn't have their name on their google account, we may not be able to link the acccounts correctly.

Failure in linking the account isn't the end of the world for access, but it causes some other data issues for us down the line that I'm not going to get into here.

Solution

I ultimately reached out to AWS support with this same question and they confirmed that it is not possible due to the fact that Google initiates the link between it and Cognito and therefore does not allow you to pass any data into that pre sign up trigger. I understand this is likely by design to not allow any additional data passed in with the google token to not allow anyone to manipulate the sign up process. Fully understandable from Google's perspective.

In terms of what to do, it's a pretty niche use case to require linking two accounts with different emails. Moving forward I will add the user's business email to the newly created social account as an attribute from the session once they are logged in. I will end up with duplicates of some users in Cognito but I will have to live with that. The social login account will be the one with access when the user logs in again. I could even run a lookup on users' attributes to find if someone has a separate account when logging in.