How to Verify a Google OAuth Email in AWS Cognito


Borislav Hadzhiev

Wed Apr 21 2021 · 1 min read

Updated on Wed Apr 21 2021

Verifying a Google OAuth Email in AWS Cognito

When you use AWS Cognito and Amplify with Google OAuth, user emails are not automatically verified.

In other words, the email_verified attribute is set to false for Google registered users.

We need users to verify their email, because otherwise we can't use the forgot password functionality, which is very important if you support Cognito native email login and link the accounts.

In order to verify the emails of Google OAuth accounts in Cognito, we have to provide an attribute mapping between Google's email_verified attribute and Cognito's email_verified attribute.

After the email_verified attribute has been mapped between Google and Cognito, we can leverage the existing email_verified property on the user's Google account.

Here's how the attribute mapping looks in the AWS Console:

[Image: email verified mapping]

The following snippet shows how to set the attribute mapping in AWS CDK:

this.identityProviderGoogle = new cognito.UserPoolIdentityProviderGoogle(
  this,
  'userpool-identity-provider-google',
  {
    // ... other config
    attributeMapping: {
      email: {
        attributeName: cognito.ProviderAttribute.GOOGLE_EMAIL.attributeName,
      },
      custom: {
        email_verified: cognito.ProviderAttribute.other('email_verified'),
      },
    },
  },
);
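To confirm the mapping on a deployed pool, the following added example (not code from the original article) audits the `AttributeMapping` field that Cognito's `DescribeIdentityProvider` returns for the Google provider. The type names, function names and sample records are constructed for illustration.

```typescript
// Shape of IdentityProvider as returned by Cognito's DescribeIdentityProvider.
// AttributeMapping keys are user pool attributes; values are provider claims.
interface IdpRecord {
  ProviderName: string;
  ProviderType: string;
  AttributeMapping?: Record<string, string>;
}

interface MappingFinding {
  provider: string;
  issues: string[];
}

function auditGoogleEmailMapping(idp: IdpRecord): MappingFinding {
  const mapping: Record<string, string> = idp.AttributeMapping ?? {};
  const issues: string[] = [];
  const emailSrc: string | undefined = mapping["email"];
  const verifiedSrc: string | undefined = mapping["email_verified"];

  if (emailSrc !== "email") {
    issues.push(`email mapped from ${emailSrc ?? "nothing"}, expected Google claim "email"`);
  }
  if (verifiedSrc === undefined) {
    issues.push("email_verified not mapped: federated users stay email_verified=false");
  } else if (verifiedSrc !== "email_verified") {
    issues.push(`email_verified mapped from "${verifiedSrc}", not Google's email_verified claim`);
  }
  if ("custom:email_verified" in mapping) {
    issues.push("custom:email_verified is a custom attribute, not the standard email_verified");
  }
  return { provider: idp.ProviderName, issues };
}

// Audit the Google provider of a pool; other provider types are skipped.
function auditPool(idps: IdpRecord[]): MappingFinding[] {
  return idps
    .filter((p) => p.ProviderType === "Google")
    .map(auditGoogleEmailMapping)
    .filter((f) => f.issues.length > 0);
}

// Constructed sample data (not from a real pool).
const sampleIdps: IdpRecord[] = [
  { ProviderName: "Google", ProviderType: "Google",
    AttributeMapping: { email: "email", username: "sub" } },
  { ProviderName: "Facebook", ProviderType: "Facebook",
    AttributeMapping: { email: "email" } },
];

console.log(JSON.stringify(auditPool(sampleIdps), null, 2));
```

The mapping produced by the CDK snippet above (`email` and `email_verified` both mapped from the Google claims of the same name) yields no findings.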

Discussion

Once we map the email_verified attribute, we can leverage the existing property on the user's Google account.

The most intuitive way would be if the email_verified property of Google accounts were set to true by default, but that's currently not the case.
