How can users sign up to a Cognio User Pool through Facebook when email attribute is required but Facebook doesn't provide it?

Question

My AWS Cognito Pool has email as a required attribute. All users who sign up to my app have been required to provide their email.

I've recently added Facebook as an Identity Provider to my user pool.

The problem is that Facebook doesn't always provide an email, and in those cases, Cognito will redirect new users to an error page saying "Email is Required".

I want to prompt the user to enter his/her email and then continue the sign up process, rather than just ending it with an error. Is there any way to do this?

Answer 1

This simply is not currently possible with Cognito User Pools.

I've hit the same example when working with clients, even when consenting to the appropriate scopes, Facebook will not provide it in the OpenID token.

I suspect though that the email is retrievable via the API following this, so you may have some luck with a Cognito User Pools trigger to go retrieve the email and stuff it in post-authentication if it's missing.

Otherwise there's not a lot you can do other than making email address optional and then designing customer experience around this.

Answer 2

If you have set 'Email' in the Facebook token scope, Facebook will provide the email address if it has one. However, Facebook itself doesn't always have an email address for a user

https://developers.facebook.com/docs/facebook-login/permissions/#reference-email

Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.

In this case I think you either have to live with the current Cognito behaviour, or make email optional, but effectively enforce it yourself with a Cognito Post-Authentication Lambda trigger