AWS Cognito:处理从不同身份提供商(Google、Facebook)登录的同一用户(使用相同电子邮件地址)的最佳实践 [英] AWS Cognito: Best practice to handle same user (with same email address) signing in from different identity providers (Google, Facebook)
问题描述
当用户通过 Google 和 Facebook 身份提供商使用相同的电子邮件地址登录时,AWS Cognito 在用户池中创建多个条目,每个身份提供商使用一个条目:
When signing in a user with the same email address through the Google and Facebook identity providers, AWS Cognito creates multiple entries in the user pool, one entry per identity provider used:
我使用本教程中提供的示例代码来设置 AWS Cognito:使用 Amplify 框架进行用户身份验证的完整指南
I have used the example code provided in this tutorial to set up AWS Cognito: The Complete Guide to User Authentication with the Amplify Framework
- 如何只创建一个用户而不是多个用户?
- 是否可以让 AWS Cognito 自动组合(联合)条目从多个提供商转换为一个条目,还是应该使用 AWS Lambda 函数来实现这一点?
推荐答案
是的.您可以使用 AdminLinkProviderForUser
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html
想法是:
- 在 PreSignUp lambda 钩子中,如果用户已经注册,我们将提供者链接到用户.例如:
import CognitoIdentityServiceProvider from 'aws-sdk/clients/cognitoidentityserviceprovider'
const cognitoIdp = new CognitoIdentityServiceProvider()
const getUserByEmail = async (userPoolId, email) => {
const params = {
UserPoolId: userPoolId,
Filter: `email = "${email}"`
}
return cognitoIdp.listUsers(params).promise()
}
const linkProviderToUser = async (username, userPoolId, providerName, providerUserId) => {
const params = {
DestinationUser: {
ProviderAttributeValue: username,
ProviderName: 'Cognito'
},
SourceUser: {
ProviderAttributeName: 'Cognito_Subject',
ProviderAttributeValue: providerUserId,
ProviderName: providerName
},
UserPoolId: userPoolId
}
const result = await (new Promise((resolve, reject) => {
cognitoIdp.adminLinkProviderForUser(params, (err, data) => {
if (err) {
reject(err)
return
}
resolve(data)
})
}))
return result
}
exports.handler = async (event, context, callback) => {
if (event.triggerSource === 'PreSignUp_ExternalProvider') {
const userRs = await getUserByEmail(event.userPoolId, event.request.userAttributes.email)
if (userRs && userRs.Users.length > 0) {
const [ providerName, providerUserId ] = event.userName.split('_') // event userName example: "Facebook_12324325436"
await linkProviderToUser(userRs.Users[0].Username, event.userPoolId, providerName, providerUserId)
} else {
console.log('user not found, skip.')
}
}
return callback(null, event)
}
- 然后,当用户将 OAuth 与 Facebook/Google 与用户池一起使用时,池将返回此用户链接.
注意:您可能会在用户池 UI 中看到 2 条记录,但是在访问用户记录详细信息时,它们已合并.
Note: You may see 2 records in User Pool UI, but when access User record detail, They already merged.
这篇关于AWS Cognito:处理从不同身份提供商(Google、Facebook)登录的同一用户(使用相同电子邮件地址)的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!