Forum Xamarin.Android

AWS Cognito - Remove cached identity from device

I am developing an app that uses both Facebook and Google login with AWS Cognito identities, using Amazon.CognitoIdentity. I am trying to do some testing with the two different identity providers on my Android phone. For my testing, I want to have two separate Cognito identities: one for Facebook login, and one for Google login. However, I am running into the following problem.

I initially logged in on my phone via Facebook. This works fine. I can log in repatedly with Facebook, and I always get the same Cognito Identity ID, which is good. But now, I want to test the Google login. So this time, I use the new Google Login button that I just added to my app. Since my Google account had never been associated with my Cognito Identity, I was expecting Cognito to assign me a new Identity ID. However, when I run the following code, using the Google provider name and token:

        CognitoAWSCredentials _cognitoCredentials = new CognitoAWSCredentials(
            "us-east-1:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", // Identity Pool ID
            _awsRegion); // Region

        if (_identityProviderInfo.ProviderName != null)
            _cognitoCredentials.AddLogin(_identityProviderInfo.ProviderName, _identityProviderInfo.Token);

        _identityId = _cognitoCredentials.GetIdentityId();

I get back the same Identity ID as before (when I was using Facebook), which I didn't expect.

Also, the call to AddLogin() doesn't seem to be doing anything. If I browse my identities in the AWS console, it shows that I still only have one linked login (Facebook). My assumption is that this is happening because I'm trying to add Google as a linked login, but it's using an existing Cognito Identity ID, and I haven't logged in via Facebook first to authenticate, and it's thus failing. Unfortunately, AddLogin() doesn't return a value, and it's not throwing an exception either, so as far as I can tell, it's just failing silently, which makes it difficult to test my hypothesis.

So, what I'd really like to do it to have it create a new Cognito identity when I log in with a new identity provider, but I don't know how I can do that. I'm guessing that the SDK is caching my Cognito Identity ID somewhere on the device, and thus using the same one every time, but I would like to somehow clear that, so that I can start fresh with a new Cognito identity ID for Google. I know that I could delete the Identity from the AWS console, but I don't want to do that because I have a lot of data stored in DynamoDB linked to that identity that I don't want to lose, and I'm still not sure that that would solve my problem on my device.

What can I do?



  • JosephMartinezJosephMartinez USMember ✭✭

    Nevermind. I found it. I just needed to call _cognitoCredentials.Clear()


  • batmacibatmaci DEMember ✭✭✭✭✭

    @JosephMartinez rtinez Are you doing that in Xamarin forms? I read that Aws is not a auth provider. I still have to have my own database to store things and use external auth provider. is that true? Can you please kindly advise?

  • JosephMartinezJosephMartinez USMember ✭✭

    @batmaci No, I am not using Xamarin Forms. I am actually doing this in PCL. I believe you can do authentication with AWS directly, using Cognito User Pools, but I haven't looked into that. I use Facebook and Google login with Cognito. Unless you need to authenticate users for other AWS services, you don't need to use Cognito. You can just use another login provider like Facebook or Google. Hope that answers your questions.

  • batmacibatmaci DEMember ✭✭✭✭✭

    Yes I achieved that with facebook after i asked you that question and I found that aws has api to signup and sign in users in cognito pool. Maybe there is even a nuget package for it. Need to search further

  • batmacibatmaci DEMember ✭✭✭✭✭

    @JosephMartinez back to your question. I guess that you have to use clear because it is cached in the local store, right? when you clear it, it will delete the identity so you can get a new one from the server but what happens to those cognito data cached with that deleted identity, are those also deleted from local, so next time you login with same facebook account, you need to sync from the server again. Do you know whether this is working like that or not?

  • JosephMartinezJosephMartinez USMember ✭✭

    @batmaci I'm not sure what you mean by "those cognito data" I don't know of any data that is stored from Cognito, other than the Congito Identity ID. Is the identity ID what you mean, or are you referring to something else?

  • batmacibatmaci DEMember ✭✭✭✭✭

    @JosephMartinez No i mean about cognito sync related datasets. eventually if you are using datasets for user data, you assign Identity ID on those datasets. If I understand correctly, datasets are cached on the phone.
    Btw, I just learnt something new today. I would like to ask you if you have already implemented this. According to the conversation on this link, they say that cognito credentials needs to be updated with accesstoken, everytime if you want to use credentials. Thats means accesstoken from facebook or google needs to be cached as well. beside that it needs to be verified that those tokens are not expired. That looks pretty complicated. Do you have similar problem?

  • JosephMartinezJosephMartinez USMember ✭✭

    @batmaci The only AWS datasets that I use are in DynamoDB, so it doesn't sound like I've used the feature that you're referring to.

    Regarding the credentials, it isn't too complicated if you use the SDKs. When the application starts, I start by requesting the access token from Facebook or Google. The Facebook and Google SDKs handle the login, caching, and refreshing for me, so I don't have to worry about that. You only really have to bother with those things if you're using the raw API's. As long as the user logs in with the same Facebook or Google account, they'll get the same identity each time. Once I have the Facebook or Google token, then I make a call to Cognito, and pass in the Facebook or Google token, and it passes back the Cognito ID. Again, if you used the same Facebook or Google account, you should get back the same Cognito ID each time, and the AWS SDK will cache it automatically behind the scenes. That is why I asked my original question. I wanted to clear the automatically cached Cognito identity so I could use a different one for a different identity provider.

  • batmacibatmaci DEMember ✭✭✭✭✭

    @JosephMartinez thanks. I got that after I asked you. Are you using xamarin forms? because as far as I know facebook and google doesnt have sdks for xamarin.forms. I implemented facebook using http request. which is not a good implementation indeed but at least something in xamarin.form.
    On the other hand, I am using DynamoDB also now but I am not able to figure out how to work with policies. I created a policy as here you can see my question. But I dont know what is wrong with this. I guess userID is the the problem but according to the aws documenation userId is the cognito Id. Did you implement something similar?

  • JosephMartinezJosephMartinez USMember ✭✭

    Sorry for the late response. I got behind in my email. No, I am not using Xamarin Forms. I am using straight Xamarin Android. Regarding DynamoDB policies, I believe you should be using role based policies if you are using Cognito.

  • thtcaribbeanguythtcaribbeanguy USMember ✭✭
    edited April 2017

    @JosephMartinez i know this is months later but you seem to have experience with amazon cognito
    do you have any coding samples u can share of the Enhanced (Simplified) Authflow.
    cause my app logs in but after i log in i cant load stuff from dynamodb because its forbidden after i log in
    ive been looking for solutions based on this link
    i followed it and its still telling me access is forbidden
    so any coding of you using login maps and token and using the identityid to pull stuff?

  • JosephMartinezJosephMartinez USMember ✭✭

    @thtcaribbeanguy Usually when I have forbidden transaction, it's due to permissions. Did you set up your DynamoDB permissions to allow transactions from your Cognito role? And, did you set up your identity providers in IAM?

  • thtcaribbeanguythtcaribbeanguy USMember ✭✭

    @JosephMartinez said:
    @thtcaribbeanguy Usually when I have forbidden transaction, it's due to permissions. Did you set up your DynamoDB permissions to allow transactions from your Cognito role? And, did you set up your identity providers in IAM?

    yea i did allow transactions from any cognito role and setup the IAM i found out that i must always provide the token once the user login. so what was happening is after i login the identityid was being cached but not the token.(thought it was) my question for you now is how to properly store tokens (aws facebook token) on the user device safely.

  • JosephMartinezJosephMartinez USMember ✭✭

    I don't store the token (other than temporarily in RAM). Tokens expire and change, so I grab a fresh token every time the user logs into the app. In the case of Facebook, it's:


  • batmacibatmaci DEMember ✭✭✭✭✭
    You dont store the token if you are using cognito aws will store for you and provide you a cognito ID as i remember. This is the id you need to provide to Dynamodb but your problem is probably with policies
Sign In or Register to comment.