AWS Cognito - How to force select account when signing in with Google

I'm currently using Cognito User Pools, federated with Google as an identity provider, to handle user sign in for my web app. At the moment, I have only implemented Sign-In with Google. This is currently being done through Cognito's Hosted UI.

When users sign in with Google, I'd like them to always be prompted to select their account, i.e. be presented with this prompt.

However, I have found that when I'm logged in with only one Google account, this screen is skipped. When I'm logged into no Google account, or into 2 or more Google accounts, this screen is shown.

Things I've tried to make this screen always show up:

  1. Using AWS Amplify's federatedSignIn({provider: 'Google'}) function. However, I found that this is just a wrapper on Cognito's Hosted UI and just redirects to the same authorization endpoint, as described here.
  2. Adding prompt=select_account to the authorization endpoint as detailed in Google's documentation, however this had no effect. This was unsurprising as the prompt option is not detailed in the AWS documentation for the authorization endpoint.

If anyone has any ideas on how I can always have this account selection screen shown, it would be very much appreciated.

jueno asked Sep 29 '19 10:09

1 Answer

Turns out that at this moment (January 2020) (edit: see below for their proposed solution which is still problematic) AWS Cognito does not support the prompt=select_account (or any of the prompt options Google provides). Went back and forth with their support, and here is the final resulting message with their current plan of action:

(restating the issue) Auth.signOut() only signs out from Cognito, but not from the federated provider (Google in your case). So when you try to log in again (in your customer's case, using Auth.federatedSignIn({ provider: 'Google' })) it will automatically bypass Google's account selection/login and directly use the existing session. [which could be a problem if it is the wrong Google session]

One suboptimal solution to this is to also sign out from Google. You can accomplish this by making a GET request to https://accounts.google.com/logout. This way, a subsequent federatedSignIn will need to go through the Google login screen.

I have escalated this case to the Cognito service team in Seattle to get a feature request:

Being able to pass a prompt="select_account" option via the URL query to Google.

Edit to add Cognito Response:

If you're using Cognito Hosted UI, you can clean up the Cognito user pool session by invoking the Logout endpoint:

    https://<Your-User-Pool-Domain>.auth.<Your-User-Pool-Region>.amazoncognito.com/logout?client_id=<Your-User-Pool-App-Client>&logout_uri=<Your-User-Pool-SignOut-URL>

When I (AWS Cognito) tried to reproduce the issue with Cognito Hosted UI, I had to re-sign in with Google after I signed out. I couldn't reproduce this issue one way or another.

See the Cognito documentation for the logout link for more information and various options.

After trying their response: Unfortunately, this fix (using the logout link) does not work as expected. It DOES let the user select a new identity provider (Google, Facebook, etc.), but if the user is logged in with the one they select, it then proceeds to use that user identity rather than giving the user the option to choose among multiple accounts or log in with a new one.

LocalPCGuy answered Sep 21 '22 08:09
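As an added example (not code from the question, the answer or AWS), the following JavaScript builds the Hosted UI logout URL quoted in the AWS reply and the matching /oauth2/authorize URL for the Google identity provider, encoding the parameters with URLSearchParams and refusing any redirect target that is not one of the URLs registered on the app client. The domain, region, client id and redirect URLs are constructed placeholders.

```javascript
// Constructed placeholder configuration; substitute your own user pool values.
const COGNITO = {
  domain: 'my-app-domain',     // <Your-User-Pool-Domain>
  region: 'us-east-1',         // <Your-User-Pool-Region>
  clientId: 'abc123clientid',  // <Your-User-Pool-App-Client>
  // Only URLs registered as callback / sign-out URLs on the app client may be
  // used as redirect targets; anything else would be an open redirect.
  allowedRedirects: [
    'https://app.example.com/callback',
    'https://app.example.com/signed-out',
  ],
};

function hostedUiBase(cfg) {
  return `https://${cfg.domain}.auth.${cfg.region}.amazoncognito.com`;
}

// Reject redirect targets that were not registered on the app client.
function assertAllowed(cfg, url) {
  if (!cfg.allowedRedirects.includes(url)) {
    throw new Error(`redirect target not registered on the app client: ${url}`);
  }
}

// /logout as quoted in the AWS reply: clears the Cognito user pool session only;
// the Google session is untouched, which is the behaviour the thread describes.
function buildCognitoLogoutUrl(cfg, logoutUri) {
  assertAllowed(cfg, logoutUri);
  const params = new URLSearchParams({ client_id: cfg.clientId, logout_uri: logoutUri });
  return `${hostedUiBase(cfg)}/logout?${params}`;
}

// /oauth2/authorize with identity_provider=Google. `state` is an opaque,
// per-request value that the callback handler must compare before it trusts
// the returned authorization code.
function buildAuthorizeUrl(cfg, redirectUri, state) {
  assertAllowed(cfg, redirectUri);
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: redirectUri,
    identity_provider: 'Google',
    scope: 'openid email',
    state,
  });
  return `${hostedUiBase(cfg)}/oauth2/authorize?${params}`;
}
```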