fix: automatically map email attributes for social providers and OIDC (#931)

* fix: automatically map email attribute

* chore: add changeset

* fix: only map email if ONLY email is used

* chore: update tests to check for auto mapped attributes

Author: awsluja

.changeset/weak-geese-allow.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/auth-construct-alpha': patch
+---
+
+Automatically map email attributes for social providers.

packages/auth-construct/src/construct.test.ts

@@ -1655,6 +1655,163 @@ void describe('Auth construct', () => {
         },
       });
     });
+
+    void it('automatically maps email attributes for external providers excluding SAML', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+          externalProviders: {
+            google: {
+              clientId: googleClientId,
+              clientSecret: SecretValue.unsafePlainText(googleClientSecret),
+            },
+            facebook: {
+              clientId: facebookClientId,
+              clientSecret: facebookClientSecret,
+            },
+            signInWithApple: {
+              clientId: appleClientId,
+              keyId: appleKeyId,
+              privateKey: applePrivateKey,
+              teamId: appleTeamId,
+            },
+            loginWithAmazon: {
+              clientId: amazonClientId,
+              clientSecret: amazonClientSecret,
+            },
+            oidc: {
+              clientId: oidcClientId,
+              clientSecret: oidcClientSecret,
+              issuerUrl: oidcIssuerUrl,
+              name: oidcProviderName,
+            },
+            callbackUrls: ['https://redirect.com'],
+            logoutUrls: ['https://logout.com'],
+          },
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        UsernameAttributes: ['email'],
+        AutoVerifiedAttributes: ['email'],
+      });
+      const expectedAutoMappedAttributes = {
+        AttributeMapping: {
+          // 'email' is a standardized claim for oauth and oidc IDPS
+          // so we can map it to cognito's 'email' claim
+          email: 'email',
+        },
+      };
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedAmazonIDPProperties,
+        ...expectedAutoMappedAttributes,
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedAppleIDPProperties,
+        ...expectedAutoMappedAttributes,
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedFacebookIDPProperties,
+        ...expectedAutoMappedAttributes,
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedGoogleIDPProperties,
+        ...expectedAutoMappedAttributes,
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedOidcIDPProperties,
+        ...expectedAutoMappedAttributes,
+      });
+      template.hasResourceProperties('AWS::Cognito::IdentityPool', {
+        SupportedLoginProviders: {
+          'www.amazon.com': amazonClientId,
+          'accounts.google.com': googleClientId,
+          'appleid.apple.com': appleClientId,
+          'graph.facebook.com': facebookClientId,
+        },
+      });
+    });
+  });
+
+  void it('does not automatically map email attributes if phone is also enabled', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    new AmplifyAuth(stack, 'test', {
+      loginWith: {
+        email: true,
+        phone: true, // this makes phone_number a required attribute
+        externalProviders: {
+          google: {
+            clientId: googleClientId,
+            clientSecret: SecretValue.unsafePlainText(googleClientSecret),
+          },
+          facebook: {
+            clientId: facebookClientId,
+            clientSecret: facebookClientSecret,
+          },
+          signInWithApple: {
+            clientId: appleClientId,
+            keyId: appleKeyId,
+            privateKey: applePrivateKey,
+            teamId: appleTeamId,
+          },
+          loginWithAmazon: {
+            clientId: amazonClientId,
+            clientSecret: amazonClientSecret,
+          },
+          oidc: {
+            clientId: oidcClientId,
+            clientSecret: oidcClientSecret,
+            issuerUrl: oidcIssuerUrl,
+            name: oidcProviderName,
+          },
+          callbackUrls: ['https://redirect.com'],
+          logoutUrls: ['https://logout.com'],
+        },
+      },
+    });
+    const template = Template.fromStack(stack);
+    template.hasResourceProperties('AWS::Cognito::UserPool', {
+      UsernameAttributes: ['email', 'phone_number'],
+      AutoVerifiedAttributes: ['email', 'phone_number'],
+    });
+    const mappingThatShouldNotExist = {
+      AttributeMapping: {
+        email: 'email',
+      },
+    };
+    assert.throws(() => {
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedAmazonIDPProperties,
+        ...mappingThatShouldNotExist,
+      });
+    });
+    assert.throws(() => {
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedAppleIDPProperties,
+        ...mappingThatShouldNotExist,
+      });
+    });
+    assert.throws(() => {
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedFacebookIDPProperties,
+        ...mappingThatShouldNotExist,
+      });
+    });
+    assert.throws(() => {
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedGoogleIDPProperties,
+        ...mappingThatShouldNotExist,
+      });
+    });
+    assert.throws(() => {
+      template.hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ...ExpectedOidcIDPProperties,
+        ...mappingThatShouldNotExist,
+      });
+    });
   });
 
   void describe('addTrigger', () => {

packages/auth-construct/src/construct.ts

@@ -584,6 +584,11 @@ export class AmplifyAuth
     userPool: UserPool,
     loginOptions: AuthProps['loginWith']
   ): IdentityProviderSetupResult => {
+    /**
+     * If email is enabled, and is the only required attribute, we are able to
+     * automatically map the email attribute from external providers, excluding SAML.
+     */
+    const shouldMapEmailAttributes = loginOptions.email && !loginOptions.phone;
     const result: IdentityProviderSetupResult = {
       oauthMappings: {},
       providersList: [],
@@ -602,7 +607,14 @@ export class AmplifyAuth
           userPool,
           clientId: googleProps.clientId,
           clientSecretValue: googleProps.clientSecret,
-          attributeMapping: googleProps.attributeMapping,
+          attributeMapping:
+            googleProps.attributeMapping ?? shouldMapEmailAttributes
+              ? {
+                  email: {
+                    attributeName: 'email',
+                  },
+                }
+              : undefined,
           scopes: googleProps.scopes,
         }
       );
@@ -616,6 +628,14 @@ export class AmplifyAuth
         {
           userPool,
           ...external.facebook,
+          attributeMapping:
+            external.facebook.attributeMapping ?? shouldMapEmailAttributes
+              ? {
+                  email: {
+                    attributeName: 'email',
+                  },
+                }
+              : undefined,
         }
       );
       result.oauthMappings[authProvidersList.facebook] =
@@ -629,6 +649,15 @@ export class AmplifyAuth
         {
           userPool,
           ...external.loginWithAmazon,
+          attributeMapping:
+            external.loginWithAmazon.attributeMapping ??
+            shouldMapEmailAttributes
+              ? {
+                  email: {
+                    attributeName: 'email',
+                  },
+                }
+              : undefined,
         }
       );
       result.oauthMappings[authProvidersList.amazon] =
@@ -642,6 +671,15 @@ export class AmplifyAuth
         {
           userPool,
           ...external.signInWithApple,
+          attributeMapping:
+            external.signInWithApple.attributeMapping ??
+            shouldMapEmailAttributes
+              ? {
+                  email: {
+                    attributeName: 'email',
+                  },
+                }
+              : undefined,
         }
       );
       result.oauthMappings[authProvidersList.apple] =
@@ -652,6 +690,14 @@ export class AmplifyAuth
       result.oidc = new cognito.UserPoolIdentityProviderOidc(this, 'OidcIDP', {
         userPool,
         ...external.oidc,
+        attributeMapping:
+          external.oidc.attributeMapping ?? shouldMapEmailAttributes
+            ? {
+                email: {
+                  attributeName: 'email',
+                },
+              }
+            : undefined,
       });
       result.providersList.push('OIDC');
     }