Hi all,
we have an application that uses mixed authentication :
That is all working fine. For Cognito, we use emails as usernames, by specifying the NameClaimType to be ClaimTypes.Email.
A new requirement has arrived, we need to support Apple Id. Integration with Cognito is quite easy and fairly similar to the other providers.
BUT, the Apple Signin allows the user to choose between :
Which means that if a user logs in with the first option and later logs in with the other option, although Cognito has only one record for that user, when it comes to logging in to the website, two records are created, one for each email (the real one and the generated one).
That makes sense as we use emails as usernames, and that when the security token from Cognito is validated, we run the following :
ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.AuthenticationTicket.Identity);
When decompiling the code, I can see that it uses the username property to find the correct user in the tblSynchedUser table, using the netSynchedUserInsertOrUpdate stored procedure.
I guess I need to implement a custom ISynchronizingUserService, so that in case of an Apple user, it could check another property than username to find the correct user (for instance, Cognito sends a UserId in the claims that is the same regardless of which email option is chosen by the user).
I am a bit lost on how to do this, especially if I need to add some stored proc, as we are hosted on DXC-S, and have no access to the DB.
Thanks for your time reading, let me know if there is anything unclear.
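
An added example, not part of the original post and not Optimizely's code: one way to avoid the duplicate records without touching the database is to re-key the identity on the stable Cognito user id before the SynchronizeAsync call, assuming synchronization looks the user up by Identity.Name as the post describes. The helper StableNameIdentity, the claim type cognito_user_id and the sample values are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class StableNameIdentity
{
    // Hypothetical helper. stableIdClaimType is whichever claim carries the Cognito
    // user id in your tokens (an assumption: the post does not name the claim type).
    public static ClaimsIdentity Rekey(ClaimsIdentity source, string stableIdClaimType)
    {
        if (source == null) throw new ArgumentNullException(nameof(source));
        if (string.IsNullOrWhiteSpace(stableIdClaimType))
            throw new ArgumentException("Claim type is required.", nameof(stableIdClaimType));

        var ids = source.FindAll(stableIdClaimType)
                        .Select(c => c.Value)
                        .Where(v => !string.IsNullOrWhiteSpace(v))
                        .Distinct(StringComparer.Ordinal)
                        .ToList();

        // Fail closed: a missing or ambiguous id must not silently fall back to
        // the email, which is the value that changes between Apple sign-ins.
        if (ids.Count != 1)
            throw new InvalidOperationException(
                "Expected exactly one stable id claim, found " + ids.Count + ".");

        // Same claims (email included), but Identity.Name now resolves to the stable id.
        return new ClaimsIdentity(source.Claims, source.AuthenticationType,
                                  stableIdClaimType, source.RoleClaimType);
    }
}

public static class Demo
{
    // Constructed sample: one Cognito user seen with two different Apple email choices.
    private static ClaimsIdentity Login(string email) => new ClaimsIdentity(new[]
    {
        new Claim("cognito_user_id", "constructed-id-0001"),
        new Claim(ClaimTypes.Email, email)
    }, "Cognito", ClaimTypes.Email, ClaimTypes.Role);

    public static void Main()
    {
        var real = StableNameIdentity.Rekey(Login("user@example.com"), "cognito_user_id");
        var relay = StableNameIdentity.Rekey(Login("relay-alias@example.invalid"), "cognito_user_id");
        Console.WriteLine(real.Name == relay.Name);   // both sign-ins map to one username
        // The re-keyed identity is what would then be passed to SynchronizeAsync.
    }
}
```

Users already synchronized under their email would appear as new records after such a switch, so it fits best when applied only to the Apple sign-in path, as the post suggests.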