How to Verify a Google OAuth Email in AWS Cognito


Borislav Hadzhiev

Last updated: Apr 21, 2021



Verifying a Google OAuth Email in AWS Cognito

When you use AWS Cognito and Amplify with Google OAuth, user emails are not automatically verified.

In other words, the email_verified attribute is set to false for users who register with Google.

We need users to verify their email because otherwise we can't use the forgot password functionality, which is very important if you support Cognito native email login and link the accounts.

In order to verify the emails of Google OAuth accounts in Cognito, we have to provide an attribute mapping between Google's email_verified attribute and Cognito's email_verified attribute.

After the email_verified attribute has been mapped between Google and Cognito, we can leverage the existing email_verified property on the user's Google account.

Here's how the attribute mapping looks in the AWS Console:

[Image: email verified mapping]

The following snippet shows how to set the attribute mapping in AWS CDK:

this.identityProviderGoogle = new cognito.UserPoolIdentityProviderGoogle(
  this,
  'userpool-identity-provider-google',
  {
    // ... other config
    attributeMapping: {
      email: {
        attributeName: cognito.ProviderAttribute.GOOGLE_EMAIL.attributeName,
      },
      custom: {
        email_verified: cognito.ProviderAttribute.other('email_verified'),
      },
    },
  },
);

Discussion

Once we map the email_verified attribute, we can leverage the existing property on the user's Google account.

The most intuitive way would be if the email_verified property of Google accounts were set to true by default, but that's currently not the case.
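
The article's motivation is linking Google sign-ins to native email accounts. As an added example (not code from the original article), the TypeScript below shows the decision a Cognito Pre sign-up Lambda trigger could make before linking: it links only when the mapped email_verified attribute is true and treats a missing attribute as unverified. The event shape is declared inline as an assumption, the sample events are constructed, and decideLinking, isEmailVerified and runSamples are hypothetical names.

```typescript
// Added example (not from the article). Minimal event shape declared inline
// so the block runs without the aws-lambda type package (assumption).
interface PreSignUpEvent {
  triggerSource: string;
  userName: string;
  request: { userAttributes: Record<string, string | boolean | undefined> };
}
type LinkDecision = 'link' | 'no-link' | 'not-federated';

// Trigger events carry attribute values as strings ("true"/"false"). Accept a
// real boolean too; anything else (missing, "", "1", "yes") is unverified.
function isEmailVerified(attrs: PreSignUpEvent['request']['userAttributes']): boolean {
  const v = attrs['email_verified'];
  return v === true || (typeof v === 'string' && v.trim().toLowerCase() === 'true');
}

// Hypothetical helper: may this Google sign-up be linked to a native account
// that has the same email? Fails closed when the mapping is absent.
function decideLinking(event: PreSignUpEvent): LinkDecision {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return 'not-federated';
  const email = event.request.userAttributes['email'];
  if (typeof email !== 'string' || email.trim() === '') return 'no-link';
  return isEmailVerified(event.request.userAttributes) ? 'link' : 'no-link';
}

// Constructed sample events (user names and addresses are made up).
const ext = 'PreSignUp_ExternalProvider';
const samples: PreSignUpEvent[] = [
  // email_verified mapped and true
  { triggerSource: ext, userName: 'Google_1001', request: { userAttributes: { email: 'a@example.com', email_verified: 'true' } } },
  // mapped, but Google reports the address as unverified
  { triggerSource: ext, userName: 'Google_1002', request: { userAttributes: { email: 'b@example.com', email_verified: 'false' } } },
  // attribute mapping missing: email_verified never reaches the trigger
  { triggerSource: ext, userName: 'Google_1003', request: { userAttributes: { email: 'c@example.com' } } },
  // native sign-up: not a linking decision
  { triggerSource: 'PreSignUp_SignUp', userName: 'dora', request: { userAttributes: { email: 'd@example.com' } } },
];

function runSamples(): LinkDecision[] {
  return samples.map(decideLinking);
}
console.log(runSamples());
```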
