Delete linked user from User pool users. #3431

Closed
lenarmazitov opened this issue Jun 11, 2019 · 14 comments
Labels: Auth (Related to Auth components/category), Cognito (Related to cognito issues), feature-request (Request a new feature), Service Team (Issues asked to the Service Team)

Comments


lenarmazitov commented Jun 11, 2019

Describe the bug
When I link a user to an existing identity via adminLinkProviderForUser, I get two users in the "Users and groups" section of the AWS console. That is OK, because the second user is just a link to the original one.
But when I delete one of the two I have just created, I cannot reach the remaining one. I get this instead:
[screenshot]

To Reproduce
Steps to reproduce the behavior:

  1. Create user in User pool.
  2. Link second user to first by adminLinkProviderForUser
const AWS = require('aws-sdk');
const identity = new AWS.CognitoIdentityServiceProvider();

// Runs from a Lambda trigger; `event.userPoolId` comes from the trigger event.
async function linkUsers(event) {
  var params = {
    DestinationUser: {
      ProviderAttributeName: 'Cognito',
      ProviderAttributeValue: "1111111111",
      ProviderName: "Facebook"
    },
    SourceUser: {
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: "222222222",
      ProviderName: "Google"
    },
    UserPoolId: event.userPoolId,
  };
  try {
    await identity.adminLinkProviderForUser(params).promise();
  } catch (e) {
    console.log(e);
    return e;
  }
}
  3. Delete one of them in the User pool in the AWS console
  4. Try to access the remaining one (End)

Expected behavior
I should have ability to remove both.

@haverchuck haverchuck added the Cognito Related to cognito issues label Jun 11, 2019

codyfyi commented Jun 13, 2019

I stumbled into this too: I found I could delete the user via the Cognito API (or AWS CLI).

What's odd is that even though linked users show the same sub in the Cognito console, they are actually stored with different subs in the Cognito database. I presume that might be related to this issue.

@haverchuck (Member)

@lenarmazitov - Can you please clarify - do you know that the second user still exists, but just cannot be retrieved? Or does it appear that the linked user is deleted along with its related record?


lenarmazitov commented Jun 16, 2019

@haverchuck I could only suppose that the user does not exist, but some link to the second federated identity still remains. And when I click on it in the AWS console I cannot reach the original user, because it was deleted.

Update: I have just checked. The user still exists, and I can link a new identity to it. So I suppose that when I remove a user with 2 or more identities linked to it in the AWS console, all identities are unlinked from it, but the identities are still present in the database and we can see them in the AWS console.

And my thoughts on how this can be fixed:

  • in the AWS console, add an "Unlink identity" control if there is more than 1 identity linked
  • in the AWS console, make the "Delete user" control unlink all identities and remove the user (maybe with a confirmation if there is more than 1 identity)

@haverchuck haverchuck added the Service Team Issues asked to the Service Team label Jun 17, 2019
@sammartinez sammartinez added the bug Something isn't working label Jun 20, 2019

gluix20 commented Jul 10, 2019

Same here, but I can't even delete it with adminDeleteUser from the JS SDK; it throws a UserNotFoundException. In the Cognito User Pool console the user appears though, and it also appears with listUsers filtered by its username.

I haven't found a way to remove that user, any thoughts?


gluix20 commented Jul 18, 2019

> @lenarmazitov - Can you please clarify - do you know that the second user still exists, but just cannot be retrieved? Or does it appear that the linked user is deleted along with its related record?

Hi @haverchuck, in my case the user can be retrieved by list-users (both SDK and CLI) and is listed in the console as well. However, I can't get it with admin-get-user nor admin-delete-user:

"An error occurred (UserNotFoundException) when calling the AdminDeleteUser operation: User does not exist."

And if I click the user in the console, it gives me this:
[screenshot]


adithep commented Aug 14, 2019

> I stumbled into this too: I found I could delete the user via the Cognito API (or AWS CLI).
>
> What's odd is that even though linked users show the same sub in the Cognito console, they are actually stored with different subs in the Cognito database. I presume that might be related to this issue.

How did you delete the user via aws cli? When I try all I get is:

"An error occurred (UserNotFoundException) when calling the AdminDeleteUser operation: User does not exist."

@campmdabt

Has anyone had success with this? Still an issue, and now I've got unlinked orphaned accounts that I cannot access in the console or CLI, though the user shows in both the console Users and Groups page as well as in the data returned by listUsers().


MJRuskin commented Nov 1, 2019

If you want to delete these unlinked external/provider accounts, do the following:

  • Recreate the original Cognito user account that they were linked to
  • Disable the provider for this user (i.e. via the AWS CLI command admin-disable-provider-for-user)
  • Both accounts can now be deleted successfully


shiyaskk commented Mar 16, 2020

@codeitcody I'm currently running Admin Link Provider in the pre sign-up trigger.
If I start with a native user in the pool and then try to sign in with Google as a user with the same email, then inside my function I try to find a matching email in the pool and, if so, I link that account with the Google one.

After successful linking, I end up with two users with different sub and additionally the UserPassUser now has an "identity" field that contains the Google user data.

How do I link then to get the same sub?

@kiranbabu189

@shiyaskk, I too encountered the same issue, when I pass a SAML IdP user as the source user and a Cognito native user as the destination user.


ottokruse commented May 29, 2020

Note that this can also happen if you make a mistake in the link command. When linking to existing User Pool users make sure to use the "sub", not the email, of the user as username:

aws cognito-idp admin-link-provider-for-user \
    --user-pool-id XXXX \
    --source-user ProviderName=Google,ProviderAttributeName="Cognito_Subject",ProviderAttributeValue="<googleIdIsSomeNumber>" \
    --destination-user ProviderName=Cognito,ProviderAttributeValue=<userSub>

(Note that this command links the Google user to the local user pool user, so that when the Google user would federate in, he/she would "assume" the account of the user pool user.)

@MJRuskin is right that to correct the "user not found" situation you just have to create the link in a valid way again. Either to a new user (just for the purpose of throwing away again later) or to an existing one. Use the user that is "not found" as source user then, and the new/existing user as destination user.

Another note: if you do the linking entirely right, you would not see multiple user accounts for the same user in Cognito. You would just see one (although it can work with multiple, so it is not a real problem). You can do the linking beforehand, when you just have the Cognito user pool user record showing and not the federated one yet. However, to do the linking then you would need to know the user's ID from the federation provider, which for e.g. Google is impossible to predict (it is some number), but for SAML users it can be predicted (it is their common organization ID that you may know).
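The two procedures discussed in this thread, done as one added example that is not code from the issue or from the Amplify/Cognito projects: the pre sign-up linking that shiyaskk and ottokruse describe (link the federated identity as SourceUser with Cognito_Subject, and name the native user by its Username as the Cognito DestinationUser, never by email), and the cleanup of an orphaned federated record that MJRuskin and ottokruse describe (re-link the orphan as source user to a throwaway native user, disable the provider for that user, then delete both). The parameter shapes follow the AdminLinkProviderForUser, ListUsers, AdminCreateUser, AdminDisableProviderForUser and AdminDeleteUser APIs of the AWS SDK for JavaScript v2 (`.promise()` style, as in the report above). The client is injected so the logic can be run offline against a constructed in-memory stand-in; the federated username format `<Provider>_<providerUserId>` and the helper/function names are assumptions of this example. In production pass `new AWS.CognitoIdentityServiceProvider()` instead of the fake.

```javascript
// Added example (not from the issue thread). Cognito account-linking helpers
// written against the AWS SDK for JavaScript v2 client method shapes.

// Split a federated username such as "Google_1234567890" into the provider
// name and the provider's subject id (everything after the first underscore).
// The "<Provider>_<id>" format is an assumption of this example.
function parseFederatedUsername(userName) {
  const i = userName.indexOf('_');
  if (i < 1 || i === userName.length - 1) {
    throw new Error(`not a federated username: ${userName}`);
  }
  return { providerName: userName.slice(0, i), providerUserId: userName.slice(i + 1) };
}

// Build AdminLinkProviderForUser params: the destination is the native user
// pool user identified by its Username (not its email); the source is the
// federated identity, always addressed through Cognito_Subject.
function buildLinkParams(userPoolId, nativeUsername, providerName, providerUserId) {
  return {
    UserPoolId: userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: nativeUsername },
    SourceUser: {
      ProviderName: providerName,
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: providerUserId,
    },
  };
}

// Pre sign-up trigger body: on an external-provider sign-up, look up a native
// user with the same verified email and link the federated identity to it.
// Returns the event unchanged in every case; linking is the side effect.
async function linkOnPreSignUp(event, client) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return event;
  const email = event.request && event.request.userAttributes && event.request.userAttributes.email;
  if (!email) return event;
  const { providerName, providerUserId } = parseFederatedUsername(event.userName);
  const res = await client.listUsers({
    UserPoolId: event.userPoolId,
    Filter: `email = "${email.replace(/"/g, '\\"')}"`,
    Limit: 2,
  }).promise();
  // Link only to a native (non-federated) user with a verified email, and only
  // when exactly one such user matches; anything else is left for the app to decide.
  const natives = res.Users.filter((u) =>
    !u.Username.startsWith(`${providerName}_`) &&
    u.Attributes.some((a) => a.Name === 'email_verified' && a.Value === 'true'));
  if (natives.length !== 1) return event;
  await client.adminLinkProviderForUser(
    buildLinkParams(event.userPoolId, natives[0].Username, providerName, providerUserId)).promise();
  return event;
}

// Cleanup of an orphaned federated record (the "User does not exist" state):
// 1. create a throwaway native user, 2. link the orphan to it (the orphan is
// the SOURCE user), 3. disable the provider for that user, 4. delete both.
// Returns the throwaway username so the caller can audit what was created.
async function removeOrphanedFederatedUser(userPoolId, orphanUsername, client) {
  const { providerName, providerUserId } = parseFederatedUsername(orphanUsername);
  const throwaway = `cleanup-${providerName}-${providerUserId}`;
  await client.adminCreateUser({ UserPoolId: userPoolId, Username: throwaway, MessageAction: 'SUPPRESS' }).promise();
  await client.adminLinkProviderForUser(buildLinkParams(userPoolId, throwaway, providerName, providerUserId)).promise();
  await client.adminDisableProviderForUser({
    UserPoolId: userPoolId,
    User: { ProviderName: providerName, ProviderAttributeName: 'Cognito_Subject', ProviderAttributeValue: providerUserId },
  }).promise();
  await client.adminDeleteUser({ UserPoolId: userPoolId, Username: orphanUsername }).promise();
  await client.adminDeleteUser({ UserPoolId: userPoolId, Username: throwaway }).promise();
  return throwaway;
}

// Constructed in-memory stand-in for the SDK client (same method/.promise()
// shape) so the helpers can run offline; `users` seeds the ListUsers response
// and every call is recorded in `calls` for inspection.
function makeRecordingClient(users) {
  const calls = [];
  const record = (name) => (params) => {
    calls.push({ name, params });
    return { promise: () => Promise.resolve(name === 'listUsers' ? { Users: users } : {}) };
  };
  return {
    calls,
    listUsers: record('listUsers'),
    adminLinkProviderForUser: record('adminLinkProviderForUser'),
    adminCreateUser: record('adminCreateUser'),
    adminDisableProviderForUser: record('adminDisableProviderForUser'),
    adminDeleteUser: record('adminDeleteUser'),
  };
}

module.exports = { parseFederatedUsername, buildLinkParams, linkOnPreSignUp, removeOrphanedFederatedUser, makeRecordingClient };
```

The email filter deliberately requires `email_verified = true` on the native side: linking a federated identity to an unverified native account would let whoever controls the email at the identity provider take over a pool account that was never proven to be theirs. The cleanup routine is idempotent in intent only; if it fails midway, the throwaway user it created is named after the orphan so it can be found and removed by hand.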

@mauerbac mauerbac added feature-request Request a new feature and removed bug Something isn't working labels Oct 22, 2020
@abdallahshaban557 abdallahshaban557 added the Auth Related to Auth components/category label Jun 3, 2022
@abdallahshaban557 (Contributor)

Cognito has recently resolved an issue with linking federated users to an existing user profile in Cognito User Pools. As a result, your Amplify application can now merge user identities from 3rd party social identity providers to a Cognito user in a user pool using the Pre sign-up Lambda trigger. You can use the AdminLinkProviderForUser API from Cognito to set up custom logic to determine how your user identities get merged. To learn more about the use of this feature, you can check out the following documentation pages.

We will work on resources to share with you to explain how to integrate this feature into your Amplify app.

@tannerabread tannerabread self-assigned this Apr 14, 2023
@nadetastic (Member)

Following up here - with the way AdminLinkProviderForUser currently works, it should not duplicate users but add the identitySub attribute with the IDP values to the user that already exists. Because of this, there shouldn't be a need to delete the linked user from the User pool. We are currently working to update the documentation that describes steps you can take to set up account linking.

cc @ottokruse @kiranbabu189 @shiyaskk

@nadetastic (Member)

As this is pretty similar to #5104, I'll go ahead and close it out - please follow up with any questions you have on that issue.

Thanks!
