
I am using the AWS SDK, using federated identity providers with Cognito. Right now, I'm doing this:

private void SetupCognitoStuff()
{
    // Build credentials against the identity pool; no identity ID is supplied here.
    _cognitoCredentials = new CognitoAWSCredentials(
        MY_IDENTITY_ID, // Identity Pool ID
        _awsRegion);    // Region

    // Attach the provider token (e.g. Facebook) to the Logins map if the user signed in.
    if (_identityProviderName != null)
        _cognitoCredentials.AddLogin(_identityProviderName, _identityProviderToken);

    // Resolves (or creates) the Cognito identity and returns its ID.
    _identityId = GetIdentityId();
}

This works fine to create or retrieve the user's credentials, using Facebook as the identity provider. I also cache the Cognito Identity ID in the app's settings.

So, now let's say that the next time the user uses my app, they choose a different login provider (let's say Google). I've already cached their Cognito Identity ID from the last time that they logged in (via Facebook). When I instantiate CognitoAWSCredentials this time, how do I tell it that I want to use the existing Cognito Identity ID, and that Google should be added as a second identity provider, instead of it creating a whole new Cognito identity?

Looking at the documentation for the raw API, it should be possible:

Merging Identities

If you pass in a token for a login that is not currently linked to the given identity, but is linked to another identity, the two identities are merged. Once merged, one identity becomes the parent/owner of all associated logins and the other is disabled. In this case, the identity ID of the parent/owner is returned. You are expected to update your local cache if this value differs (this is handled for you if you are using the providers in the AWS Mobile SDKs or AWS SDK for JavaScript in the Browser).

So if this is the case, then how does it know (i.e. how do I tell it) what existing Identity ID to use when calling my above function with a different identity provider?

From this page, it looks like it can be done via the raw API by calling GetCredentialsForIdentity and passing in the existing Identity ID in the "IdentityId" field and the new identity provider info in the "Logins" field:

Request Syntax

{
   "CustomRoleArn": "string",
   "IdentityId": "string",
   "Logins": {
      "string" : "string"
   }
}

I'm just not sure how to translate this into the SDK using the CognitoAWSCredentials class.

JoeMjr2
1 Answer


Update the login map of the credentials object with the provider 2 token once you have authenticated via provider 1. You need to update the Logins map of the credentials object to include Google's. You could figure out how it is done for your SDK. E.g. for JavaScript, you could just do

AWS.config.credentials.params.Logins['accounts.google.com'] = googleToken;

JavaScript reference

Partha
  • After this you should be able to see both the logins, under "Linked Logins" in your identity browser. – Partha Aug 30 '16 at 07:05
  • Ok, but then wouldn't the user have to log into both Facebook and then Google in the same session? I don't think that's what the user would likely do. – JoeMjr2 Aug 30 '16 at 13:36
  • I'm talking about the situation when the 2nd time (on a different day), the user forgets which identity provider they used the first time and chooses a different one. Since I've cached the Cognito identity ID, it seems like I should be able to just provide that to have it link them. – JoeMjr2 Aug 30 '16 at 13:40
  • Cognito requires a token from a linked provider to access an authenticated id. You cannot just provide the id to link the new login to that identity. Once both are linked you'll only need one; to add a new one you'll need to have both. Along the same lines, if you decide you want to add Twitter later, you'll need one of Facebook or Google to do so. – Jeff Bailey Aug 30 '16 at 18:15
  • @JeffBailey Can we link a different Facebook account to the same Cognito identity? – Partha Sep 02 '16 at 12:19
  • No, one per identity. – Jeff Bailey Sep 02 '16 at 14:46
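The flow from the answer and Jeff Bailey's comment, written against the .NET SDK's CognitoAWSCredentials as an added example that is not code from the question or the AWS SDK docs: both tokens go into the Logins map to link, the SDK's IdentityChangedEvent keeps the app's own cache current after a merge, and a single-provider session checks the returned id against the cache instead of trusting the cached id alone, because Cognito demanding a token from an already linked provider is what stops anyone who merely knows an identity ID from attaching their own login to it. The ISettings store, the CognitoLoginLinker class and the pool id value are assumptions.

```csharp
using Amazon;
using Amazon.CognitoIdentity;

// Hypothetical app-settings store standing in for the question's "app's settings".
public interface ISettings
{
    string Get(string key);
    void Set(string key, string value);
}

public class CognitoLoginLinker
{
    private const string IdentityPoolId = "REGION:IDENTITY-POOL-ID-PLACEHOLDER"; // placeholder
    private const string CacheKey = "cognito_identity_id";
    private readonly ISettings _settings;
    private readonly CognitoAWSCredentials _creds;

    public CognitoLoginLinker(ISettings settings)
    {
        _settings = settings;
        _creds = new CognitoAWSCredentials(IdentityPoolId, RegionEndpoint.USEast1);
        // On a merge Cognito returns the parent/owner id; refresh the app's cache as the quoted docs require.
        _creds.IdentityChangedEvent += (sender, e) =>
        {
            if (!string.IsNullOrEmpty(e.NewIdentityId) && e.NewIdentityId != e.OldIdentityId)
                _settings.Set(CacheKey, e.NewIdentityId);
        };
    }

    // Linking needs both tokens in the Logins map in the same session: one from a provider
    // already linked to the identity (Facebook) and one from the new provider (Google).
    public string LinkProvider(string linkedProvider, string linkedToken,
                               string newProvider, string newToken)
    {
        _creds.AddLogin(linkedProvider, linkedToken); // e.g. "graph.facebook.com"
        _creds.AddLogin(newProvider, newToken);       // e.g. "accounts.google.com"
        string id = _creds.GetIdentityId();           // resolved (and merged) by Cognito
        _settings.Set(CacheKey, id);
        return id;
    }

    // Single-provider session: a mismatch with the cached id means this provider is not linked
    // to that identity, so prompt for the original provider and call LinkProvider instead.
    public bool MatchesCachedIdentity(string provider, string token)
    {
        _creds.AddLogin(provider, token);
        string cached = _settings.Get(CacheKey);
        return string.IsNullOrEmpty(cached) || cached == _creds.GetIdentityId();
    }
}
```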