AWS Cognito - How to force select account when signing in with Google

Question

I'm currently using Cognito User Pools, federated with Google as an identity provider, to handle user sign in for my web app. At the moment, I have only implemented Sign-In with Google. This is currently being done through Cognito's Hosted UI.

When users sign in with Google, I'd like them to always be prompted to select their account, i.e. be presented with this prompt.

However, I have found that when I'm logged in with only one Google account, then this screen is skipped. Although, when I'm logged into no Google account / 2 or more Google accounts, this screen is shown.

Things I've tried to make this screen always show up:

  1. Using AWS Amplify's federatedSignIn({provider: 'Google'}) function. However, I found that this is just a wrapper on Cognito's Hosted UI and just redirects to the same authorization endpoint, as described here.
  2. Adding prompt=select_account to the authorization endpoint as detailed in Google's documentation, however this had no effect. This was unsurprising as the prompt option is not detailed in the AWS documentation for the authorization endpoint.

如果有人对如何始终显示此帐户选择屏幕有任何想法,将不胜感激.

If anyone has any ideas on how I can always have this account selection screen shown, it would be very much appreciated.

Recommended answer

Turns out that at this moment (January 2020) (edit: see below for their proposed solution which is still problematic) AWS Cognito does not support the prompt=select_account (or any of the prompt options Google provides). Went back and forth with their support, and here is the final resulting message with their current plan of action:

(restating the issue) Auth.signOut() only signs out from Cognito, but not from the federated provider (Google in your case). So when you try to log in again (in your customer's case, using Auth.federatedSignIn({ provider: 'Google' })) it will automatically bypass Google's account selection/login and directly use the existing session. [which could be a problem if it is the wrong Google session]

One sub-optimal solution to this is to also sign out from Google. You can accomplish this by making a GET request to https://accounts.google.com/logout. This way, a subsequent federatedSignIn will need to go through the Google login screen.

I have escalated this case to the Cognito service team in Seattle to get a feature request:

Being able to pass a prompt="select_account" option via the URL query to Google.

Edit to add Cognito Response:

If you're using Cognito Hosted UI, you can clean up the Cognito user pool session by invoking the following end point:

    https://<Your-User-Pool-Domain>.auth.<Your-User-Pool-Region>.amazoncognito.com/logout?client_id=<Your-User-Pool-App-Client>&logout_uri=<Your-User-Pool-SignOut-URL>

When I (AWS Cognito) tried to reproduce the issue with Cognito Hosted UI, I had to re-sign in to Google after I signed out. I couldn't reproduce this issue one way or another.

See the Cognito documentation for the logout link for more information and various options.

Edit to add more info: Unfortunately, this fix (using the logout link) does not work as expected. It DOES let the user select a new identity provider (Google, Facebook, etc.), but if the user is logged in with the one they select, it then proceeds to use that user identity rather than giving the user the option to choose among multiple accounts or login with a new one.
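As an added example (not code from the question, the answer or AWS), here is the two-step sign-out the support reply describes, in JavaScript: end the Google session first, then the Cognito hosted-UI session, so that a later federatedSignIn has to go through Google's login screen again. The pool domain prefix, region, app client id and sign-out URL are placeholders for the reader's own configuration.

```javascript
// Added example, not from the original post. Builds the URLs for the
// sign-out sequence the answer describes: end the Google session, then the
// Cognito hosted-UI session, so the next federatedSignIn cannot silently
// reuse an existing Google session.
const GOOGLE_LOGOUT_URL = 'https://accounts.google.com/logout';

// Cognito hosted UI /logout endpoint. All configuration values are
// placeholders. Cognito only accepts a logout_uri that exactly matches a
// sign-out URL registered on the app client, so that rule is checked up
// front instead of failing at redirect time.
function buildCognitoLogoutUrl({ domainPrefix, region, clientId, logoutUri, allowedSignOutUrls }) {
  if (!/^[a-z0-9-]+$/.test(domainPrefix)) throw new Error('invalid user pool domain prefix');
  if (!/^[a-z]{2}(-[a-z]+)+-\d$/.test(region)) throw new Error('invalid AWS region');
  if (!clientId) throw new Error('client_id is required');
  if (!allowedSignOutUrls.includes(logoutUri)) {
    throw new Error('logout_uri is not a registered sign-out URL for this app client');
  }
  const url = new URL(`https://${domainPrefix}.auth.${region}.amazoncognito.com/logout`);
  // URLSearchParams percent-encodes the redirect target, as the endpoint expects.
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri);
  return url.toString();
}

// Ordered navigation targets. In a browser each step is a full-page
// navigation (window.location.assign), not a fetch: accounts.google.com
// does not allow cross-origin XHR, and the Cognito endpoint ends in a redirect.
function signOutSequence(cfg) {
  return [GOOGLE_LOGOUT_URL, buildCognitoLogoutUrl(cfg)];
}
```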
