[AWS Cognito] How to make email of federated users editable.

post-confirmation.js

'use strict';

const aws = require('aws-sdk');
const AWS_COGNITO_REGION = 'your region'

async function autoConfirmEmail(event) {
  let userAttributes = event.request.userAttributes;

  if(userAttributes['cognito:user_status'] != 'EXTERNAL_PROVIDER') return;
  if(userAttributes['email_verified'] == 'true') return;
  if(!userAttributes['custom:federated_email']) return;

  let cognitoIdServiceProvider = new aws.CognitoIdentityServiceProvider({
    apiVersion: '2016-04-18',
    region: AWS_COGNITO_REGION
  });

  let changedAttributes = [
    { Name: 'email_verified', Value: 'true' },
    { Name: 'email', Value: userAttributes['custom:federated_email'] }
  ];

  let params =  {
    UserAttributes: changedAttributes,
    UserPoolId: event.userPoolId,
    Username: event.userName
  };

  await cognitoIdServiceProvider.adminUpdateUserAttributes(params).promise();
}

exports.handler = async event => {
  console.log('Received event {}', JSON.stringify(event));

  try {
    await autoConfirmEmail(event);
  }
  catch(error) {
    console.error(error);
  }

  return event;
}

Use case

If you're using AWS Cognito to handle authentication, and wanted to edit email of your federated users.
It's here for you.

Background

The attributes of federated users will be updated each time they sign in base on attribute mapping, and all of them will be overridden.
if you did modified something like email, it will not stay with you.

Workaround

To manage email of users by your own service, you can try this:

• Create a custom attribute, for example: federated_email.
• Map email from your identity providers to federated_email attribute.
• Use Post Confirmation trigger to copy federated_email to email.

That's all, you need to do nothing more.