Skip to content

fix(auth): update attribute mapping section for defineAuth #8268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 24, 2025
Merged

fix(auth): update attribute mapping section for defineAuth #8268

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions .../[platform]/build-a-backend/auth/concepts/external-identity-providers/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,11 +314,13 @@ export const auth = defineAuth({

### Attribute mapping

You can map which attributes are mapped between your external identity provider and your users created in Cognito. We will be able to have the best level of protection for developers if we ensure that attribute mappings that would not work are called out by the type system.
Identity provider (IdP) services store user attributes in different formats. When using external IdPs with Amazon Cognito user pools, attribute mapping allows you to standardize these varying formats into a consistent schema.

<Callout>
Learn more about [mapping IdP attributes to user pool profiles and tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).

<Callout warning>

If you specify an attribute in your authentication resource as required, and it is not allowed for your external providers, signing in with that external provider will cause an error.
**Note:** When a federated user signs in to your application, a mapping must be present for each attribute that your user pool requires. Additionally, you must also ensure that the target of each attribute mapping is mutable. Amazon Cognito will attempt to update each mapped attribute when a user signs in regardless of whether the latest value already matches the existing information. If these criteria are not met, Amazon Cognito will return an error and the sign in attempt will fail.

</Callout>

Expand All @@ -330,7 +332,7 @@ import { defineAuth } from '@aws-amplify/backend';
export const auth = defineAuth({
loginWith: {
email: true,
externalAuthProviders: {
externalProviders: {
loginWithAmazon: {
clientId: secret('LOGINWITHAMAZON_CLIENT_ID'),
clientSecret: secret('LOGINWITHAMAZON_CLIENT_SECRET'),
Expand Down Expand Up @@ -359,7 +361,7 @@ import { defineAuth } from '@aws-amplify/backend';
export const auth = defineAuth({
loginWith: {
email: true,
externalAuthProviders: {
externalProviders: {
loginWithAmazon: {
clientId: secret('LOGINWITHAMAZON_CLIENT_ID'),
clientSecret: secret('LOGINWITHAMAZON_CLIENT_SECRET'),
Expand Down