Restoring of federated user identities?

[ddurham2]

Hi, great and easy to use tool! Only yours restores the group relationships, which quite important.

Though, I was testing an ran into an issue. When restoring to my test user-pool, I noticed that when it tried to restore a federated user (e.g. one that logged in from google) it encountered an error trying to modify the field 'identities'

(node:1485381) UnhandledPromiseRejectionWarning: InvalidParameterException: Cannot modify the non-mutable attribute identities
    at Request.extractError (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/usr/local/lib/node_modules/cognito-bak-res/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

The user object looks something like:

{"Username":"google_406552816257367931780","Attributes":[{"Name":"sub","Value":"58b024ge3c70-30c2-cb84-c35bd69a8ec1"},{"Name":"identities","Value":"[{\"userId\":\"406552816257367931780\",\"providerName\":\"Google\",\"providerType\":\"Google\",\"issuer\":null,\"primary\":true,\"dateCreated\":16254706375313}]"},{"Name":"email_verified","Value":"false"},{"Name":"name","Value":"John Doe"},{"Name":"email","Value":"jdoe@example.com"}],"UserCreateDate":"2021-07-05T07:37:56.411Z","UserLastModifiedDate":"2021-07-05T07:53:59.205Z","Enabled":true,"UserStatus":"EXTERNAL_PROVIDER","Groups":[{"GroupName":"us-east-2_G215Fd6Gu_Google","UserPoolId":"us-east-2_G215Fd6Gu","Description":"Autogenerated group for users who sign in using Google","LastModifiedDate":"2021-06-25T05:56:34.655Z","CreationDate":"2021-06-25T05:56:34.655Z"}]}

It is possible to restore federated users?

Also, the sub value for every user is not maintained. I'm guessing cognito doesn't allow specifying that when objects are created?

[T0tt1]

Hello @ddurham2 ,

Thanks for raising this flag.
To be honest, in our use case we were not targeting Federated users because we are not having that option enabled for the User pool. This would be revised at some point because is a good catch, so some testing will be needed as well.

Sub value is a Cognito User pool unique value and is not manageable. Every single user in Cognito generally has a globally unique sub value and it is never repeated/reused (by design of the Cognito service itself).

Please consider the tool as not restoring but importing the users/groups. Cognito does not have Restore functionality and the workaround is to import the users, this is why they receive a new password as well because it is a field that is non-exportable for security reasons as stated by the vendor.