Feature Request: User initiated Verify Email For OAuth Providers after Sign Up: Setting email_verified: true #4531

Open
dkliss opened this issue Mar 6, 2024 · 2 comments
Labels
auth Issues related to the Auth Category feature-request A request for a new feature or an enhancement to an existing API or category. service-team

Comments

@dkliss

dkliss commented Mar 6, 2024

Description

Hi,

If I sign up with OAuth2 for some IdP providers, the email_verified attribute is not shared with Cognito, and hence Cognito will mark email_verified as false for those IdPs.

For example, if the email attribute received after signing up using an OAuth IdP is test@gmail.com, the user will successfully sign up; however, the email test@gmail.com will be marked as "not verified" in AWS Cognito.

Since this email belongs to the user and is in the user's control, I wanted the user to take an action to verify this email if they would like to use the same email later for Cognito (by running reset password). Without email_verified set to true, a user will receive the below error when making an attempt to sign in via Cognito.

Invalid Parameters: Cannot reset password for the user as there is no registered/verified email or phone_number

To verify the OAuth email, I attempted to use the updateUserEmail() Amplify function to basically re-update the same not-verified email, i.e. test@gmail.com, which I received from OAuth. After running this function, I did not receive any exception BUT I also did not receive an OTP code. If I run the same function updateUserEmail() with a different email (for example newtest@gmail.com) which is not in Cognito, then I receive an OTP code (as expected) at that new email, i.e. newtest@gmail.com.

Proposal: Considering the fact that the email_verified flag is not available from all OAuth IdPs, it would be useful if a user were able to verify their email (if needed) post OAuth sign up. This could potentially be done by adding extra scope to the same function, i.e. updateUserEmail(), to be able to send an OTP for an existing email in Cognito if that email is marked as not verified. This would make account linking between OAuth and AWS Cognito easier and offer more control to users to decide whether they would like to expand their OAuth email for Cognito or not. Auto-verifying the emails of users signing in via OAuth2 via Lambda etc. does not seem like the right approach, as the email is owned by the users and hence the users should verify it.

  import 'package:amplify_flutter/amplify_flutter.dart';

  /// Re-submits [newEmail] as the user's email attribute. For a brand-new
  /// address Cognito answers with a confirmation code; for the already-mapped
  /// (unverified) OAuth address no code is sent, which is the behaviour this
  /// issue describes. `_handleUpdateUserAttributeResult`, `MyException` and
  /// `errorInCodeGeneration` are the app's own helpers.
  Future<void> updateUserEmail({
    required String newEmail,
  }) async {
    try {
      final result = await Amplify.Auth.updateUserAttribute(
        userAttributeKey: AuthUserAttributeKey.email,
        value: newEmail,
      );
      // Inspects result.nextStep (confirmAttributeWithCode vs done).
      _handleUpdateUserAttributeResult(result);
    } on AuthException catch (e) {
      // Log message fixed: this is the email update, not the MFA setter.
      safePrint('Error updating user email: $e');
      throw MyException(e.message);
    } catch (e) {
      safePrint('Error updating user attribute: $e');
      throw MyException(errorInCodeGeneration);
    }
  }

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Notifications (Push)
  • Storage

Steps to Reproduce

No response

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.19.1

Amplify Flutter Version

1.6.1

Deployment Method

Amplify CLI

Schema

No response

@Jordan-Nelson Jordan-Nelson added auth Issues related to the Auth Category pending-triage This issue is in the backlog of issues to triage labels Mar 6, 2024
@Jordan-Nelson
Contributor

Hello @dkliss - Thanks for taking the time to open the request.

Verifying a mapped email address is not supported by Cognito. From the Cognito docs:

By default, mapped email addresses are unverified. You can't verify a mapped email address using a one-time code. Instead, map an attribute from your IdP to get the verification status. For example, Google and most OIDC providers include the email_verified attribute.

We can mark this as a feature request to track interest, but this is something that would need to be supported in Cognito.

@Jordan-Nelson Jordan-Nelson added feature-request A request for a new feature or an enhancement to an existing API or category. service-team and removed pending-triage This issue is in the backlog of issues to triage labels Mar 6, 2024
@dkliss
Author

dkliss commented Mar 7, 2024

Thanks @Jordan-Nelson. Based on my testing,

  • only Google and Apple correctly share the email_verified attribute;
  • Facebook and Amazon do not;
  • in Amazon, the email_verified attribute itself does not exist; and
  • Facebook does have an email_verified attribute, but it is not shared.

And this is why an email verification method independent of OAuth attributes would be of great help. This way developers can simply disable the email_verified attribute mapping between OAuth and Cognito (unless one is only using a single OAuth provider) and let users verify their email directly with Cognito (if a user chooses to do so).

Having gone all the way through implementing Lambda etc., the proposal of giving users an option to verify their email AFTER sign in, independent of OAuth providers, is simple and can ease OAuth and Cognito account linking (excluding Apple because of its relay email).

Is there any chance for this to be considered without tracking interest? It can simplify account linking for OAuth and Cognito.

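The thread describes two things an app cannot assume after a federated sign-in: that Cognito holds email_verified = true for the mapped address, and that re-submitting that address via updateUserAttribute actually dispatches a one-time code. The following is an added example, not code from the issue author or from the Amplify project, that makes both checks explicit using the same Amplify Flutter 1.x Auth API the posted snippet uses (fetchUserAttributes, updateUserAttribute, confirmUserAttribute, and the nextStep.updateAttributeStep enum). The names EmailVerificationState, readEmailAttributes, ensureEmailVerifiable and confirmEmailCode are assumptions introduced here; the string attribute keys 'email' and 'email_verified' are the standard Cognito attribute names quoted in the thread.

```dart
import 'package:amplify_flutter/amplify_flutter.dart';

/// Outcome of the post-sign-in check (hypothetical enum, not from Amplify).
enum EmailVerificationState {
  verified, // Cognito already holds email_verified == true (e.g. mapped from Google/Apple)
  codeSent, // Cognito issued a one-time code; the UI must collect and confirm it
  unverifiable, // update accepted but no code dispatched: the mapped-email case
  noEmail, // the user has no email attribute at all
}

/// Plain holder for the two attributes we care about (assumed helper type).
class EmailAttributes {
  final String? email;
  final bool verified;
  const EmailAttributes(this.email, this.verified);
}

/// Reads the signed-in user's email and email_verified attributes from Cognito.
/// email_verified arrives as the string "true"/"false"; anything else is
/// treated as unverified so a missing attribute is never mistaken for verified.
Future<EmailAttributes> readEmailAttributes() async {
  final attributes = await Amplify.Auth.fetchUserAttributes();
  String? email;
  var verified = false;
  for (final attr in attributes) {
    final key = attr.userAttributeKey.key;
    if (key == 'email') {
      email = attr.value;
    } else if (key == 'email_verified') {
      verified = attr.value == 'true';
    }
  }
  return EmailAttributes(email, verified);
}

/// Runs after a federated sign-in. The address is treated as verified only
/// when Cognito says so; otherwise the same address is re-submitted (what the
/// issue author tried) and nextStep tells us whether a code was really sent.
Future<EmailVerificationState> ensureEmailVerifiable() async {
  final current = await readEmailAttributes();
  if (current.email == null) return EmailVerificationState.noEmail;
  if (current.verified) return EmailVerificationState.verified;

  final result = await Amplify.Auth.updateUserAttribute(
    userAttributeKey: AuthUserAttributeKey.email,
    value: current.email!,
  );
  switch (result.nextStep.updateAttributeStep) {
    case AuthUpdateAttributeStep.confirmAttributeWithCode:
      // A code was dispatched; surface where so the UI can prompt for it.
      final delivery = result.nextStep.codeDeliveryDetails;
      safePrint(
        'Verification code sent via ${delivery?.deliveryMedium} '
        'to ${delivery?.destination}',
      );
      return EmailVerificationState.codeSent;
    case AuthUpdateAttributeStep.done:
      // No code was sent. For a mapped OAuth address this is the behaviour
      // quoted from the Cognito docs: the app must not treat it as verified.
      return EmailVerificationState.unverifiable;
  }
}

/// Completes verification with the code the user typed, then re-reads the
/// attribute instead of trusting the call alone.
Future<bool> confirmEmailCode(String code) async {
  await Amplify.Auth.confirmUserAttribute(
    userAttributeKey: AuthUserAttributeKey.email,
    confirmationCode: code,
  );
  final updated = await readEmailAttributes();
  return updated.verified;
}
```

Gating password reset or account linking on ensureEmailVerifiable() returning verified (or codeSent followed by a successful confirmEmailCode) means the "Cannot reset password for the user as there is no registered/verified email" error from the issue is caught at sign-in time rather than discovered later, and an unverifiable result is the signal to fall back to mapping email_verified from the IdP as the maintainer's reply recommends.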
