AWS Cognito将用户切换到联合账户 [英] AWS Cognito Switch User to Federated Account

问题描述

我想允许用户使用用户池身份（电子邮件和密码）或Facebook联合身份进行注册。

I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.

但是我也希望他们以便以后启用：如果他们最初没有使用Facebook进行注册，则添加Facebook联合会；如果他们最初使用Facebook进行注册，则从其帐户中删除Facebook链接。

But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.

这可能吗？

提前谢谢！

推荐答案

是的。我假设将Facebook作为IdP直接添加到Userpool。

Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.

将查询分为两部分：

1。用户使用用户名&密码。后来，他想关联他的Facebook帐户

这很简单。在用户界面中提供一个选项，然后使用 AdminLinkProviderForUser 用于将Facebook / Google帐户链接到用户的API。现在，当用户下次使用此Facebook / Google帐户登录时，Cognito会将其视为本机用户&生成相同的令牌。当然，身份声明中将提及Facebook信息。如果用户以后要删除此Facebook / Google链接，则可以使用 AdminDisableProviderForUser API调用。

1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.

2。用户使用Facebook注册

这有点棘手，因为Facebook登录会自动在您的Userpool中创建一个状态为EXTERNAL_PROVIDER的用户（不同于具有CONFIRMED状态的本机用户）。顾名思义，该用户只能使用相关的外部提供商（在这种情况下为Facebook）登录。如果用户想使用用户名密码登录，则必须使用SignUp API或AdminCreateUser API创建一个新帐户。另外，该帐户不能使用AdminLinkProviderForUser链接到先前的Facebook帐户，因为前提条件是Userpool中不应存在具有相同详细信息（电子邮件等）的Facebook用户。但是目前，我们已经自动创建了一个状态为EXTERNAL_PROVIDER的Facebook用户。

2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.

因此，简而言之，您将必须-使用SignUp或AdminCreateUser API创建新用户，删除自动创建的Facebook用户&最后，按照案例1所述链接Facebook帐户。

So, in short, you would have to - create a new user using SignUp or AdminCreateUser API, delete the auto-created Facebook user & Finally link the Facebook account as mentioned in case 1.

这篇关于AWS Cognito将用户切换到联合账户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！