6

I'm defining a user pool for my AWS CloudFormation stack and I've been confused by a concept as far as attributes go. Every user in an identity pool has a custom unchangeable username that they can use to log in along with their password. You can also have other attributes to log in with:

  • "Username Attributes: Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values: phone_number or email."

  • "Alias Attributes: By default, users sign in with their username and password. The username is a fixed value that users cannot change. If you mark an attribute as an alias, users can sign in using that attribute in place of the username. The email address, phone number, and preferred username attributes can be marked as aliases. For example, if email and phone are selected as aliases for a user pool, users in that user pool can sign in using their username, email address, or phone number, along with their password."

These two kinds of attributes sound the same, yet they can be both defined separately on the AWS console and in CloudFormation files. Which one should I use? Is there really no difference between the two?

Whiteclaws

2 Answers

4

So it seems that there are three attributes/attribute-types that are pertinent in this case. This is the output I get from doing Auth.userAttributes(user).then(a => console.log(a)):

[
  {
    "Name": "sub",
    "Value": "5c9f19b1-64d3-40ed-b6ba-fc1deb0bddea"
  },
  {
    "Name": "email_verified",
    "Value": "true"
  },
  {
    "Name": "email",
    "Value": "example@gmail.com"
  }
]

As such, you can summarize the situation as follows:

  • A username attribute is always required to register a user and it cannot be changed after a user is created
    • The username attribute must be unique within a user pool; it can be re-used, but only after getting deleted
  • An alias attribute is a username attribute that can be changed after user creation
    • Alias attributes allow a user to log in with multiple identities
  • The sub attribute contains the username value of a user, a UUID that is generated automatically when signing up

I'm not sure if you can have both username and alias attributes in your user pool configuration, and I'll be updating this answer accordingly in the future.

Whiteclaws
  • The "sub" attribute is the Cognito user id which is always generated by Cognito. If the user pool was configured with email/phone as username then the username is actually set as the user id and one of email or phone behaves as an alias. If the user pool is configured with aliases enabled then the username will be the value supplied at sign up (distinct from user id). – Nathan Oct 18 '20 at 20:21
  • Also, email and phone attributes do not become aliases until they have been marked as verified. – Nathan Oct 18 '20 at 20:30
1

An alias is just an additional attribute that you can use to log in with, it does replace username just gives the option to have an additional piece of information allow logins.

Chris Williams
  • What's the difference between the username attribute and a username attribute? The user can log in using the actual persistent username UUID, the username attribute and alias attributes? Does this mean that there can only be a single username attribute? Why would you define an alias attribute if you can just define multiple username attributes instead? Edit: Would you kindly explain using scenarios, perhaps, I don't seem to wrap my head around this. :( – Whiteclaws May 19 '20 at 08:29
  • So for example if a user should be able to log in with their email address or their username then the email would be the alias – Chris Williams May 19 '20 at 08:33
  • The email could also be a username attribute in which case the UUID username would be a "sub" attribute of the pool user. Why would you want it to be an alias attribute if you can make it a username attribute? – Whiteclaws May 19 '20 at 08:57
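
The two options discussed in this thread, written out as a CloudFormation template. This is an added example, not code from any of the posts above; the logical IDs and pool names are constructed, and the comments restate the behaviour described in the answers and comments.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Two Cognito user pools contrasting UsernameAttributes and AliasAttributes

Resources:
  # Option A: the email address is what the user supplies as the user name
  # at sign-up. Per the comments above, the stored username is then the
  # Cognito-generated user id (the "sub" value) and the email behaves as an
  # alias for it.
  EmailAsUsernamePool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-email-as-username      # constructed name
      UsernameAttributes:
        - email                                    # possible values: email, phone_number
      AutoVerifiedAttributes:
        - email

  # Option B: the user chooses a fixed username at sign-up (distinct from the
  # user id). The listed attributes can be used in place of that username at
  # sign-in; email and phone only act as aliases once marked as verified,
  # hence AutoVerifiedAttributes.
  UsernamePlusAliasPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-username-plus-alias    # constructed name
      AliasAttributes:
        - email
        - preferred_username                       # also allowed: phone_number
      AutoVerifiedAttributes:
        - email

# The two properties are alternatives: Cognito rejects a pool definition that
# sets both UsernameAttributes and AliasAttributes. Choose one per pool when
# the pool is created.
```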