AWS Cognito - How to force select account when signing in with Google
Turns out that at this moment (January 2020) (edit: see below for their proposed solution, which is still problematic) AWS Cognito does not support prompt=select_account (or any of the prompt options Google provides). Went back and forth with their support, and here is the final resulting message with their current plan of action:
(restating the issue) Auth.signOut() only signs out from Cognito, but not from the federated provider (Google in your case). So when you try to log in again (in your customer's case, using Auth.federatedSignIn({ provider: 'Google' })) it will automatically bypass Google's account selection/login and directly use the existing session. [which could be a problem if it is the wrong Google session]
One suboptimal solution to this is to also sign out from Google. You can accomplish this by making a GET request to https://accounts.google.com/logout. This way, a subsequent federatedSignIn will need to go through the Google login screen.
I have escalated this case to the Cognito service team in Seattle to get a feature request: being able to pass a prompt="select_account" option via the URL query to Google.
Edit to add Cognito Response:
If you're using Cognito Hosted UI, you can clean up the Cognito user pool session by invoking the Logout end point:
https://<Your-User-Pool-Domain>.auth.<Your-User-Pool-Region>.amazoncognito.com/logout?client_id=<Your-User-Pool-App-Client>&logout_uri=<Your-User-Pool-SignOut-URL>
When I (AWS Cognito) tried to reproduce the issue with Cognito Hosted UI, I had to re-sign in with Google after I signed out. I couldn't reproduce this issue one way or another.
See the Cognito documentation for the logout link for more information and various options.
After trying their response: Unfortunately, this fix (using the logout link) does not work as expected. It DOES let the user select a new identity provider (Google, Facebook, etc.), but if the user is logged in with the one they select, it then proceeds to use that user identity rather than giving the user the option to choose among multiple accounts or log in with a new one.
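The two sign-out mechanisms discussed above, as an added example that is not code from the original post or from AWS: a builder for the Hosted UI logout endpoint (so client_id and logout_uri are URL-encoded correctly) and a sign-out sequence that clears the Cognito session and then ends the Google session. The pool domain, region, client id and logout URL are placeholders, and auth and navigate are injected (Amplify's Auth and window.location.assign in a real app) so the flow can be exercised without a browser.

```javascript
// Added example, not from the original post. Config values are placeholders.

// Google's session logout endpoint, as named in the support reply.
// This must be a top-level navigation (not fetch/XHR): a cross-origin XHR
// would not carry Google's cookies, so the session would not actually end.
const GOOGLE_LOGOUT_URL = 'https://accounts.google.com/logout';

// Builds the Cognito Hosted UI logout endpoint from the user-pool config.
// URLSearchParams percent-encodes logout_uri, so a sign-out page that has
// its own query string survives the round trip intact.
function buildCognitoLogoutUrl({ domain, region, clientId, logoutUri }) {
  const url = new URL(`https://${domain}.auth.${region}.amazoncognito.com/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri);
  return url.toString();
}

// Full sign-out: clear the Cognito-side session first (Auth.signOut() only
// does this part), then navigate to Google's logout so the next
// Auth.federatedSignIn({ provider: 'Google' }) shows Google's login screen
// instead of silently reusing the existing Google session.
// `auth`     : object with a signOut() method returning a Promise (Amplify Auth).
// `navigate` : function receiving the URL to load (window.location.assign).
// Returns the URL that was navigated to, for callers that want to log it.
async function signOutEverywhere(auth, navigate) {
  await auth.signOut();
  navigate(GOOGLE_LOGOUT_URL);
  return GOOGLE_LOGOUT_URL;
}

// Example wiring in a browser (placeholder values):
//   const cfg = { domain: 'my-pool', region: 'us-east-1',
//                 clientId: 'PLACEHOLDER_CLIENT_ID',
//                 logoutUri: 'https://app.example.com/signed-out' };
//   window.location.assign(buildCognitoLogoutUrl(cfg));        // Hosted UI route
//   signOutEverywhere(Auth, (u) => window.location.assign(u)); // Amplify route

module.exports = { GOOGLE_LOGOUT_URL, buildCognitoLogoutUrl, signOutEverywhere };
```

Note that ending the Google session logs the user out of Google for every tab, not just this app; the page's own conclusion is that neither route gives a true account chooser, since Google will still reuse whichever single session remains.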