AWS Cognito - How to force select account when signing in with Google


Problem description

I'm currently using Cognito User Pools, federated with Google as an identity provider, to handle user sign in for my web app. At the moment, I have only implemented Sign-In with Google. This is currently being done through Cognito's Hosted UI.

When users sign in with Google, I'd like them to always be prompted to select their account, i.e. be presented with this prompt.

However, I have found that when I'm logged in with only one Google account, then this screen is skipped. Although, when I'm logged into no Google account / 2 or more Google accounts, this screen is shown.

Things I've tried to make this screen always show up:

  1. Using AWS Amplify's federatedSignIn({provider: 'Google'}) function. However, I found that this is just a wrapper on Cognito's Hosted UI and just redirects to the same authorization endpoint, as described here.
  2. Adding prompt=select_account to the authorization endpoint as detailed in Google's documentation, however this had no effect. This was unsurprising as the prompt option is not detailed in the AWS documentation for the authorization endpoint.

If anyone has any ideas on how I can always have this account selection screen shown, it would be very much appreciated.

Solution

Turns out that at this moment (January 2020) (edit: see below for their proposed solution which is still problematic) AWS Cognito does not support the prompt=select_account (or any of the prompt options Google provides). Went back and forth with their support, and here is the final resulting message with their current plan of action:

(restating the issue) Auth.signOut() only signs out from Cognito, but not from the federated provider (Google in your case). So when you try to login again (in your customers case, using Auth.federatedSignIn({ .provider: 'Google' })) it will automatically bypass Google's account selection/login and directly use the existing session. [which could be a problem if it is the wrong Google session]

One sub optimal solution to this is to also sign out from Google. You can accomplish this by making a GET request to https://accounts.google.com/logout. This way, a subsequent federatedSignIn will need to go through the Google login screen.

I have escalated this case to the Cognito service team in Seattle to get a feature request:

Being able to pass a prompt="select_account" option via the URL query to Google.

Edit to add Cognito Response:

If you're using Cognito Hosted UI, you can clean up the Cognito user pool session by invoking the Logout end point:

    https://<Your-User-Pool-Domain>.auth.<Your-User-Pool-Region>.amazoncognito.com/logout?client_id=<Your-User-Pool-App-Client>&logout_uri=<Your-User-Pool-SignOut-URL>

When I (AWS Cognito) tried to reproduce the issue with Cognito Hosted UI, I had to re-sign in with Google after I signed out. I couldn't reproduce this issue one way or another.

See the Cognito documentation for the logout link for more information and various options.

After trying their response: Unfortunately, this fix (using the logout link) does not work as expected. It DOES let the user select a new identity provider (Google, Facebook, etc.), but if the user is logged in with the one they select, it then proceeds to use that user identity rather than giving the user the option to choose among multiple accounts or log in with a new one.
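The two sign-out steps the support reply describes (end the Google session, then hit the Cognito Hosted UI /logout endpoint), as an added example that is not part of the original post or of any AWS library; the pool domain, region, client id and sign-out URL are constructed placeholders.

```javascript
// Added example, not from the original post or from AWS. Builds the Cognito
// Hosted UI logout URL quoted in the answer and orders it after the Google
// logout the support engineer suggested. All config values are placeholders.
const COGNITO = {
  domain: "example-app",          // <Your-User-Pool-Domain> (placeholder)
  region: "us-east-1",            // <Your-User-Pool-Region> (placeholder)
  clientId: "1234567890abcdef",   // <Your-User-Pool-App-Client> (placeholder)
  // Cognito only honours a logout_uri registered as a sign-out URL on the app
  // client; mirroring that allowlist here rejects a tampered redirect early.
  signOutUrls: ["https://app.example.com/signed-out"],
};

const GOOGLE_LOGOUT = "https://accounts.google.com/logout";

function buildCognitoLogoutUrl(cfg, logoutUri) {
  if (!cfg.signOutUrls.includes(logoutUri)) {
    throw new Error(`logout_uri is not a registered sign-out URL: ${logoutUri}`);
  }
  // URL/searchParams percent-encodes logout_uri, so the redirect target
  // cannot smuggle extra query parameters into the logout request.
  const url = new URL(`https://${cfg.domain}.auth.${cfg.region}.amazoncognito.com/logout`);
  url.searchParams.set("client_id", cfg.clientId);
  url.searchParams.set("logout_uri", logoutUri);
  return url.toString();
}

// Order matters: the Cognito /logout call redirects the browser away, so the
// Google session must be dropped first. Otherwise the next federatedSignIn
// silently reuses whichever Google account is still signed in, which is the
// wrong-identity risk the answer points out.
function signOutSteps(cfg, logoutUri) {
  return [GOOGLE_LOGOUT, buildCognitoLogoutUrl(cfg, logoutUri)];
}

// Browser entry point; nav is injectable so the sequence can be exercised
// outside a browser. The Google response is opaque under no-cors, which is
// fine because only the request itself is needed.
async function signOutEverywhere(cfg, logoutUri, nav = {
  fetch: (u, o) => fetch(u, o),
  assign: (u) => window.location.assign(u),
}) {
  const [googleUrl, cognitoUrl] = signOutSteps(cfg, logoutUri);
  await nav.fetch(googleUrl, { mode: "no-cors", credentials: "include" });
  nav.assign(cognitoUrl);
}
```

As the answer itself reports, this clears the sessions but does not reproduce Google's account chooser when a single Google account is then used to sign back in.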
