[React Native - Auth] Sign in With Apple (SIWA) - Calling deleteUser does not clear your SIWA Account correctly. #14208

Open
3 tasks done
ChristopherGabba opened this issue Feb 12, 2025 · 12 comments
Labels
Auth Related to Auth components/category feature-request Request a new feature

Comments


ChristopherGabba commented Feb 12, 2025

Before opening, please confirm:

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify Gen 2

Environment information

  System:
    OS: macOS 14.6.1
    CPU: (10) arm64 Apple M2 Pro
    Memory: 73.59 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 23.4.0 - ~/.nvm/versions/node/v23.4.0/bin/node
    Yarn: 1.22.22 - /opt/homebrew/bin/yarn
    npm: 11.1.0 - ~/.nvm/versions/node/v23.4.0/bin/npm
    Watchman: 2024.12.02.00 - /opt/homebrew/bin/watchman
  Browsers:
    Safari: 17.6
  npmPackages:
    %name%:  0.1.0 
    @aws-amplify/backend: ^1.11.0 => 1.14.0 
    @aws-amplify/backend-cli: ^1.4.5 => 1.4.9 
    @aws-amplify/react-native: ^1.1.6 => 1.1.7 
    @aws-amplify/rtn-web-browser: ^1.1.1 => 1.1.1 
    @aws-appsync/utils: ^1.12.0 => 1.12.0 
    @aws-sdk/client-cognito-identity-provider: ^3.743.0 => 3.744.0 
    @aws-sdk/client-sso-oidc: ^3.716.0 => 3.744.0 (3.693.0, 3.637.0, 3.624.0, 3.621.0)
    @aws-sdk/client-sts: ^3.716.0 => 3.744.0 (3.693.0, 3.624.0, 3.621.0)
    @aws-sdk/types: ^3.714.0 => 3.734.0 (3.387.0, 3.398.0, 3.692.0, 3.609.0)
    @babel/core: ^7.20.0 => 7.26.8 
    @babel/plugin-proposal-export-namespace-from: ^7.18.9 => 7.18.9 
    @babel/plugin-proposal-optional-chaining: ^7.0.0 => 7.21.0 
    @babel/plugin-transform-arrow-functions: ^7.0.0 => 7.25.9 
    @babel/plugin-transform-nullish-coalescing-operator: ^7.0.0 => 7.26.6 
    @babel/plugin-transform-shorthand-properties: ^7.0.0 => 7.25.9 
    @babel/plugin-transform-template-literals: ^7.0.0 => 7.26.8 
    @babel/preset-env: ^7.20.0 => 7.26.8 
    @babel/runtime: ^7.20.0 => 7.26.7 
    @config-plugins/ffmpeg-kit-react-native: ^9.0.0 => 9.0.0 
    @expo-google-fonts/m-plus-1p: ^0.2.3 => 0.2.3 
    @expo-google-fonts/montserrat: ^0.2.3 => 0.2.3 
    @expo/config-plugins: ~9.0.14 => 9.0.15 
    @expo/metro-runtime: ~4.0.1 => 4.0.1 
    @gorhom/bottom-sheet: ^5.0.1 => 5.1.1 
    @react-native-async-storage/async-storage: 1.23.1 => 1.23.1 (1.24.0)
    @react-native-community/netinfo: 11.4.1 => 11.4.1 
    @react-native-menu/menu: ^1.1.0 => 1.2.2 
    @react-navigation/bottom-tabs: ^6.3.2 => 6.6.1 
    @react-navigation/native: ^6.0.2 => 6.1.18 
    @react-navigation/native-stack: ^6.0.2 => 6.11.0 
    @sentry/react-native: ~6.3.0 => 6.3.0 
    @shopify/flash-list: 1.7.1 => 1.7.1 
    @types/i18n-js: 3.8.2 => 3.8.2 
    @types/jest: ^29.2.1 => 29.5.14 
    @types/lodash.filter: ^4.6.9 => 4.6.9 
    @types/node: ^22.10.5 => 22.13.1 (20.17.17)
    @types/react: ~18.3.12 => 18.3.18 
    @types/react-test-renderer: ^18.0.0 => 18.3.1 
    @typescript-eslint/eslint-plugin: ^5.59.0 => 5.62.0 
    @typescript-eslint/parser: ^5.59.0 => 5.62.0 
    ContextAPIMixpanel:  0.0.1 
    MixpanelDemo:  0.0.1 
    SimpleMixpanel:  0.0.1 
    apisauce: 3.1.0 => 3.1.0 
    aws-amplify: ^6.11.0 => 6.12.3 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    aws-cdk: ^2.174.0 => 2.178.1 
    aws-cdk-lib: ^2.174.0 => 2.178.1 
    babel-jest: ^29.2.1 => 29.7.0 
    buffer: ^6.0.3 => 6.0.3 (4.9.2, 5.7.1)
    cheerio: 1.0.0-rc.12 => 1.0.0-rc.12 
    constructs: ^10.3.0 => 10.4.2 
    date-fns: ^4.1.0 => 4.1.0 
    esbuild: ^0.21.1 => 0.21.5 (0.23.1)
    eslint: 8.17.0 => 8.17.0 
    eslint-config-prettier: 9.1.0 => 9.1.0 
    eslint-config-standard: 17.0.0 => 17.0.0 
    eslint-plugin-import: 2.26.0 => 2.26.0 
    eslint-plugin-n: ^15.0.0 => 15.7.0 
    eslint-plugin-promise: 6.6.0 => 6.6.0 
    eslint-plugin-react: 7.37.3 => 7.37.3 
    eslint-plugin-react-native: 4.0.0 => 4.0.0 
    eslint-plugin-reactotron: ^0.1.2 => 0.1.6 
    expo: ~52.0.30 => 52.0.31 
    expo-application: ~6.0.2 => 6.0.2 
    expo-blur: ~14.0.3 => 14.0.3 
    expo-build-properties: ~0.13.2 => 0.13.2 
    expo-clipboard: ~7.0.1 => 7.0.1 
    expo-constants: ~17.0.5 => 17.0.5 
    expo-contacts: ~14.0.5 => 14.0.5 
    expo-dev-client: ~5.0.11 => 5.0.11 
    expo-device: ~7.0.2 => 7.0.2 
    expo-file-system: ~18.0.9 => 18.0.10 
    expo-font: ~13.0.3 => 13.0.3 
    expo-haptics: ~14.0.1 => 14.0.1 
    expo-image: ~2.0.4 => 2.0.4 
    expo-image-picker: ~16.0.5 => 16.0.5 
    expo-linear-gradient: ~14.0.2 => 14.0.2 
    expo-linking: ~7.0.5 => 7.0.5 
    expo-localization: ~16.0.1 => 16.0.1 
    expo-secure-store: ~14.0.1 => 14.0.1 
    expo-share-intent: ^3.2.0 => 3.2.1 
    expo-sharing: ~13.0.1 => 13.0.1 
    expo-splash-screen: ~0.29.21 => 0.29.21 
    expo-status-bar: ~2.0.1 => 2.0.1 
    expo-store-review: ~8.0.1 => 8.0.1 
    expo-updates: ~0.26.16 => 0.26.17 
    expo-video: ~2.0.5 => 2.0.5 
    expo-video-metadata: ^1.5.0 => 1.5.0 
    expo-video-thumbnails: ~9.0.3 => 9.0.3 
    ffmpeg-kit-react-native: ^6.0.2 => 6.0.2 
    i18n-js: 4.5.1 => 4.5.1 
    jest: ^29.2.1 => 29.7.0 
    jest-expo: ~52.0.3 => 52.0.3 
    libphonenumber-js: ^1.11.19 => 1.11.19 (1.9.47)
    libphonenumber-js-core:  undefined (1.0.0)
    libphonenumber-js-max:  undefined (1.0.0)
    libphonenumber-js-min:  undefined (1.0.0)
    libphonenumber-js-mobile:  undefined (1.0.0)
    libphonenumber-js/build:  undefined ()
    libphonenumber-js/core:  undefined ()
    libphonenumber-js/max:  undefined ()
    libphonenumber-js/max/metadata:  undefined ()
    libphonenumber-js/min:  undefined ()
    libphonenumber-js/min/metadata:  undefined ()
    libphonenumber-js/mobile:  undefined ()
    libphonenumber-js/mobile/examples:  undefined ()
    libphonenumber-js/mobile/metadata:  undefined ()
    lodash: ^4.17.21 => 4.17.21 
    lodash.filter: ^4.6.0 => 4.6.0 
    lottie-react-native: 7.1.0 => 7.1.0 
    mixpanel-react-native: ^3.0.2 => 3.0.8 
    mixpanelexpo:  1.0.0 
    mobx: 6.13.5 => 6.13.5 
    mobx-react-lite: 4.0.5 => 4.0.5 
    mobx-state-tree: 7.0.1 => 7.0.1 
    onesignal-expo-plugin: ^2.0.3 => 2.0.3 
    patch-package: 6.4.7 => 6.4.7 
    postinstall-prepare: 1.0.1 => 1.0.1 
    prettier: 2.8.8 => 2.8.8 (2.3.2, 1.19.1)
    react: 18.3.1 => 18.3.1 
    react-dom: 18.3.1 => 18.3.1 
    react-native: 0.76.6 => 0.76.6 
    react-native-blurhash: ^2.0.2 => 2.1.0 
    react-native-compressor: ^1.8.24 => 1.10.3 
    react-native-device-info: ^10.13.2 => 10.14.0 
    react-native-gesture-handler: ~2.20.2 => 2.20.2 
    react-native-get-random-values: ^1.11.0 => 1.11.0 
    react-native-ios-context-menu: 3.0.0 => 3.0.0 
    react-native-ios-utilities: 5.0.0 => 5.0.0 
    react-native-mime-types: ^2.5.0 => 2.5.0 
    react-native-mmkv: ^2.12.2 => 2.12.2 
    react-native-onesignal: ^5.2.5 => 5.2.8 
    react-native-reanimated: ~3.16.1 => 3.16.7 
    react-native-safe-area-context: 4.12.0 => 4.12.0 
    react-native-screens: ~4.4.0 => 4.4.0 
    react-native-static-safe-area-insets: ^2.2.0 => 2.2.0 
    react-native-url-polyfill: ^2.0.0 => 2.0.0 
    react-native-vision-camera: ^4.6.3 => 4.6.3 
    react-native-vision-camera-face-detector: ^1.7.2 => 1.8.1 
    react-native-volume-manager: ^2.0.7 => 2.0.8 
    react-native-webview: 13.12.5 => 13.12.5 
    react-native-worklets-core: ^1.5.0 => 1.5.0 
    react-native-youtube-iframe: ^2.3.0 => 2.3.0 
    react-test-renderer: 18.2.0 => 18.2.0 (18.3.1)
    reactotron-core-client: ^2.8.13 => 2.9.7 
    reactotron-mst: ^3.1.7 => 3.1.11 
    reactotron-react-js: ^3.3.11 => 3.3.16 
    reactotron-react-native: ^5.0.5 => 5.1.12 
    ts-jest: ^29.1.1 => 29.2.5 
    ts-node: ^10.9.2 => 10.9.2 
    tsx: ^4.9.4 => 4.19.2 
    typescript: ~5.3.3 => 5.3.3 (4.4.4, 4.9.5)
    uuid: ^11.0.5 => 11.0.5 (9.0.1, 8.3.2, 3.3.2, 7.0.3)
    zeego: ^1.10.0 => 1.10.0 
  npmGlobalPackages:
    corepack: 0.30.0
    eas-cli: 15.0.9
    npm: 11.1.0

Describe the bug


Expected behavior

Let's say I have a very simple app:
1. Sign in with Apple button on the auth screens
2. A screen with a button that lets me delete the user using deleteUser on the main screens

The very first time I open my app, I tap the Sign in With Apple button, everything works and something like this pops up:

Image

I correctly authenticate. I then say "eh I don't want an account" so I tap the Delete Account button that just calls deleteUser from amplify.

It correctly deletes my account from Cognito and sends me back to the Homescreen.

I then tap Sign in with Apple again but this time, Apple still thinks I have an account with the app and it looks like this now instead:

(sorry I can't take a screenshot, it won't let me)
Image

I try to hit Sign in and it fails to create an account.

    "name": "OAuthSignInException",
    "recoverySuggestion": "Make sure Cognito Hosted UI has been configured correctly"

I have to go to my iPhone settings -> Account -> Sign in With Apple -> Remove my App manually.

Image

Once this is done, it then Signs me up for an account correctly again.

Ideally this would be handled for me when I call deleteUser, or there would be a prop like so:

   deleteUser({
       resetWithSocialProvider: true // or something like this
   })

I understand that this is a pretty unique edge case but it does make it very annoying to keep testing Sign in With Apple because I have to keep going back and forth to settings.

Reproduction steps

See above.

Code Snippet

// amplify/auth/resource.ts
import { defineAuth, secret } from "@aws-amplify/backend"
import { blockDuplicateEmails } from "../functions/blockDuplicateEmails/resource"
/**
 * Define and configure your auth resource
 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
 */
export const auth = defineAuth({
  loginWith: {
    email: {
      verificationEmailSubject: "Verify Your ReactApp Account",
      verificationEmailBody: (createCode: any) => `Your ReactApp verification code is: ${createCode()}`,
    },
    externalProviders: {
      signInWithApple: {
        clientId: secret("SIWA_CLIENT_ID"),
        keyId: secret("SIWA_KEY_ID"),
        privateKey: secret("SIWA_PRIVATE_KEY"),
        teamId: secret("SIWA_TEAM_ID"),
        attributeMapping: {
          email: "email",
          givenName: "firstName",
          familyName: "lastName",
          emailVerified: "email_verified"
        },
        scopes: ["email", "name"],
      },
      callbackUrls: ["reactapp://callback/"],
      logoutUrls: ["reactapp://signout/"],
    },
  },
  accountRecovery: "EMAIL_ONLY",
  userAttributes: {
    birthdate: {
      mutable: true,
      required: false,
    },
    phoneNumber: {
      mutable: true,
      required: false,
    },
    givenName: {
      mutable: true,
      required: true,
    },
    familyName: {
      mutable: true,
      required: true,
    },
    preferredUsername: {
      mutable: true,
      required: false,
    },
    profilePicture: {
      mutable: true,
      required: false,
    },
  },
  triggers: {
    preSignUp: blockDuplicateEmails
  }
})

// Client side login screen within the app
import { signInWithRedirect } from "aws-amplify/auth"

async function signInWithApple() {
  try {
    // Starts the hosted-UI OAuth flow with Apple as the identity provider
    await signInWithRedirect({
      provider: "Apple",
    })
  } catch (error) {
    console.log("GOOGLE SIGN IN ERROR", JSON.stringify(error, null, 4))
  }
}

Log output

// Put your logs below this line


aws-exports.js

No response

Manual configuration

{
  "auth": {
    "user_pool_id": "XXXX",
    "aws_region": "us-east-1",
    "user_pool_client_id": "XXXX",
    "identity_pool_id": "XXXX",
    "mfa_methods": [],
    "standard_required_attributes": [
      "email",
      "given_name",
      "family_name"
    ],
    "username_attributes": [
      "email",
      "phone_number"
    ],
    "user_verification_types": [
      "email",
      "phone_number"
    ],
    "mfa_configuration": "NONE",
    "password_policy": {
      "min_length": 8,
      "require_lowercase": true,
      "require_numbers": true,
      "require_symbols": true,
      "require_uppercase": true
    },
    "oauth": {
      "identity_providers": [
        "GOOGLE",
        "SIGN_IN_WITH_APPLE"
      ],
      "redirect_sign_in_uri": [
        "reactapp://callback/"
      ],
      "redirect_sign_out_uri": [
        "reactapp://signout/"
      ],
      "response_type": "code",
      "scopes": [
        "phone",
        "email",
        "openid",
        "profile",
        "aws.cognito.signin.user.admin"
      ],
      "domain": "XXXX"
    },
    "unauthenticated_identities_enabled": true
  },
  
  "version": "1.1"
}

Additional configuration

No response

Mobile Device

iPhone12

Mobile Operating System

iOS18

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@github-actions github-actions bot added pending-triage Issue is pending triage pending-maintainer-response Issue is pending a response from the Amplify team. labels Feb 12, 2025
@HuiSF
Member

HuiSF commented Feb 12, 2025

Hi @ChristopherGabba, the Amplify JS deleteUser only takes effect on Amplify and Amazon Cognito managed resources; it doesn't do anything to resources that Apple owns. From my own experience (yes, I'm an iPhone user), when using Sign in with Apple, the logins are retained unless you delete them from Apple's interface.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 12, 2025
@HuiSF HuiSF added Auth Related to Auth components/category pending-maintainer-response Issue is pending a response from the Amplify team. question General question and removed pending-triage Issue is pending triage labels Feb 12, 2025
@ChristopherGabba
Author

I noticed there is an API here: https://developer.apple.com/documentation/signinwithapplerestapi/revoke_tokens , this would be kind of a pain to implement on the front end side given I don't have access to client secrets from amplify, etc. Is this something that could be handled on the backend?

@HuiSF
Member

HuiSF commented Feb 12, 2025

Reading the description of that API, I don't think it does what you expected though; it's specifically for revoking an Apple-issued access token by providing an Apple-issued refresh token, which is not related to using Amazon Cognito with Sign in with Apple as an identity provider.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 12, 2025
@ChristopherGabba
Author

ChristopherGabba commented Feb 13, 2025

You are way more experienced than I am so I trust your judgement, but it seems like based off several threads that I've read that this is possible using this API from Apple Revoke Token Docs

Stack Overflow Articles:

I think this would be an awesome add to the Amplify API personally as it is definitely a pain to have to go back and forth between settings, but I obviously am just an end user. Would make account creation with Apple fully seamless from end to end. If you think this is not feasible (or just not possible), please feel free to just close issue! Thanks again for the great communication.

Just as a side note, to complete the token revocation with all social providers, Google sign in does appear to have a similar method and similarly Facebook: link

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 13, 2025
@ashika112 ashika112 added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-maintainer-response Issue is pending a response from the Amplify team. labels Feb 13, 2025
@HuiSF
Member

HuiSF commented Feb 13, 2025

I'll bring this topic to the Amazon Cognito service team and hopefully get some insights.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 13, 2025
@HuiSF
Member

HuiSF commented Feb 13, 2025

Sorry for the misunderstanding @ChristopherGabba, I think you are right about the purpose of this Apple endpoint.

I double-checked with the Cognito service team: the Cognito DeleteUser operation (the underlying service backing Amplify's deleteUser) doesn't do anything other than delete the user from the Cognito user pool at this moment. And it doesn't seem straightforward to add a function into the Amplify JS library to invoke Apple's endpoint, as the required parameters client_id, client_secret and the Apple-issued refresh_token are inaccessible to the library from the client side.

I will mark this issue as a feature request for further investigation.
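
The server-side call discussed in this comment, as an added example that is not part of the original thread or of Amplify: a backend function builds the `client_secret` JWT and the form body for Apple's revoke endpoint, so the signing key never reaches the client. It assumes the backend already holds an Apple-issued refresh token (which the thread notes the client library cannot access); the team, key and client identifiers and the key pair below are constructed sample values.

```javascript
// Added example (not Amplify code): build a Sign in with Apple revoke request server-side.
const nodeCrypto = require("node:crypto");

const APPLE_AUDIENCE = "https://appleid.apple.com";
const APPLE_REVOKE_URL = "https://appleid.apple.com/auth/revoke";
const MAX_SECRET_LIFETIME_S = 15777000; // Apple caps client secret validity at about six months

const b64url = (input) => Buffer.from(input).toString("base64url");

// Build the ES256-signed JWT that Apple accepts as client_secret.
function createAppleClientSecret(credentials, nowSeconds, lifetimeSeconds = 300) {
  const { teamId, keyId, clientId, privateKeyPem } = credentials;
  if (lifetimeSeconds <= 0 || lifetimeSeconds > MAX_SECRET_LIFETIME_S) {
    throw new RangeError("client secret lifetime out of range");
  }
  const header = { alg: "ES256", kid: keyId };
  const claims = {
    iss: teamId,
    iat: nowSeconds,
    exp: nowSeconds + lifetimeSeconds, // short-lived: minted per request, never stored
    aud: APPLE_AUDIENCE,
    sub: clientId,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS requires the raw r||s signature (IEEE P1363), not the default DER encoding.
  const signature = nodeCrypto.sign("sha256", Buffer.from(signingInput), {
    key: privateKeyPem,
    dsaEncoding: "ieee-p1363",
  });
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Build (but do not send) the POST that revokes the user's Apple authorization.
function buildAppleRevokeRequest(credentials, appleRefreshToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof appleRefreshToken !== "string" || appleRefreshToken.length === 0) {
    throw new TypeError("an Apple-issued refresh token is required");
  }
  const body = new URLSearchParams({
    client_id: credentials.clientId,
    client_secret: createAppleClientSecret(credentials, nowSeconds),
    token: appleRefreshToken,
    token_type_hint: "refresh_token",
  });
  return {
    url: APPLE_REVOKE_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Constructed sample input: placeholder identifiers and a locally generated P-256 key.
function demoRequest() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const credentials = {
    teamId: "TEAMID0000", // placeholder, stands in for SIWA_TEAM_ID
    keyId: "KEYID00000", // placeholder, stands in for SIWA_KEY_ID
    clientId: "com.example.reactapp", // placeholder, stands in for SIWA_CLIENT_ID
    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }),
  };
  const request = buildAppleRevokeRequest(credentials, "constructed-refresh-token", 1739400000);
  return { request, publicKey };
}
```

A backend handler would send the returned object with `fetch(request.url, request)` before or alongside the Cognito user deletion.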

@HuiSF HuiSF added feature-request Request a new feature pending-maintainer-response Issue is pending a response from the Amplify team. labels Feb 13, 2025
@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 13, 2025
@HuiSF HuiSF removed the question General question label Feb 13, 2025
@ChristopherGabba
Author

@HuiSF Just a quick update, turns out there is a very similar issue with Google sign in. If you delete your account and try to log back on, you get similar errors. You have to clear the app from your Google sign in account. So this "bug" is probably present across all social providers.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 18, 2025
@HuiSF
Member

HuiSF commented Feb 18, 2025

Hey @ChristopherGabba, what's the error you were seeing? When I was testing SIWA, even though the deleteUser call doesn't delete the Apple relay account, I can still use SIWA again, creating a new user in the user pool without any errors.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 18, 2025
@ChristopherGabba
Author

After calling deleteUser after using SIWA or Google Sign in to create a new account, and trying to use that same service again (without clearing the associated credentials with the provider manually), as described above, my sign in fails. Somehow the provider thinks "we are just going to send the basic credentials because the user already has an account" and the client/cognito doesn't receive all the required attributes / credentials. As soon as the user clears the app from their sign in provider (via SIWA settings or google sign in history), calling signInWithRedirect works again as designed.

Somehow the provider is not sending all the required Cognito data for a new sign up unless they also think it's a new sign up?

As referenced above in the pictures, the sign in screen is almost different altogether for SIWA when it thinks the user already exists.

Here is my auth setting (maybe this can help you reproduce):

import { defineAuth, secret } from "@aws-amplify/backend"
import { blockDuplicateEmails } from "../functions/blockDuplicateEmails/resource"
/**
* Define and configure your auth resource
* @see https://docs.amplify.aws/gen2/build-a-backend/auth
*/
export const auth = defineAuth({
 loginWith: {
   email: {
     verificationEmailSubject: "Verify Your ReactApp Account",
     verificationEmailBody: (createCode: any) => `Your ReactApp verification code is: ${createCode()}`,
   },
   phone: {
     verificationMessage: (createCode) =>
       `Use this code to confirm your ReactApp account: ${createCode()}`,
   },
   externalProviders: {
     google: {
       clientId: secret("GOOGLE_CLIENT_ID"),
       clientSecret: secret("GOOGLE_CLIENT_SECRET"),
       attributeMapping: {
         email: "email",
         emailVerified: "email_verified",
         familyName: "family_name",
         givenName: "given_name",
         phoneNumber: "phone_number",
       },
       scopes: ["email", "openid", "profile", "phone"],
     },
     signInWithApple: {
       clientId: secret("SIWA_CLIENT_ID"),
       keyId: secret("SIWA_KEY_ID"),
       privateKey: secret("SIWA_PRIVATE_KEY"),
       teamId: secret("SIWA_TEAM_ID"),
       attributeMapping: {
         email: "email",
         givenName: "firstName",
         familyName: "lastName",
         emailVerified: "email_verified"
       },
       scopes: ["email", "name"],
     },
     callbackUrls: ["reactapp://callback/"],
     logoutUrls: ["reactapp://signout/"],
   },
 },
 accountRecovery: "EMAIL_ONLY",
 userAttributes: {
   birthdate: {
     mutable: true,
     required: false,
   },
   phoneNumber: {
     mutable: true,
     required: false,
   },
   givenName: {
     mutable: true,
     required: false,
   },
   familyName: {
     mutable: true,
     required: false,
   },
   preferredUsername: {
     mutable: true,
     required: false,
   },
   profilePicture: {
     mutable: true,
     required: false,
   },
 },
 triggers: {
   preSignUp: blockDuplicateEmails
 }
})

I think a lot of this just loops back to the fact that if deleteUser could properly remove the app from the sign in provider (go full circle), all the problems would be solved. I have 5 test users so far on my app, and 3 have tested the deleteUser stuff and every one has experienced the same thing.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 18, 2025
@HuiSF
Member

HuiSF commented Feb 19, 2025

Oh sorry, I missed the original error description for some reason. The error message is library specific though, raised when something goes wrong opening the WebView for signing in, and I don't think it's related to Cognito not clearing the relay accounts created by the provider.

@ChristopherGabba Could you, instead of using JSON.stringify(), just use console.log(error) to print the actual error message and see what's going on?

Also can you confirm, after you called deleteUser() API, did it open the WebView quickly for signing out the deleted user?

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 19, 2025
@ChristopherGabba
Author

ChristopherGabba commented Feb 19, 2025

@HuiSF, to answer your second question, yes, calling deleteUser always presents a webview. I think I figured out where this problem was originating. Previously I had firstName and lastName as a required attribute, but I had to turn them as required: false when I found a bug where if someone didn't have a lastName on their Google account, it would reject the sign in.

As it turns out, the first time you create an account with SIWA, it always provides the first and last name and maps it correctly to Cognito. After you delete your account and re-sign up (without clearing SIWA in the Apple settings), the firstName and lastName attributes are no longer provided by SIWA. When I turn firstName and lastName as not required, this no longer fails sign up anymore. Seems like you guys specifically mention this in the docs, but it's basically just a warning.

Image

I would almost go as far to say that the amplify build process should generate an error saying that attributes must be set to not required when social providers are provided, especially if deleteUser doesn't properly revoke the tokens from the provider. Or at least make the message more of a directive in the docs like so:

"If you are using social providers with Cognito, it's necessary to set all attributes to required: false to prevent log in errors. For example, Google accounts are not always associated with names, and SIWA sign ups often do not provide names at all. If you want given_name or family_name to be required, then you must set them to required: false and account for them in your authentication flow."

I'd also like to add some small feedback that tripped me up in the resource.ts for auth. The scopes directive under each auth field are NOT type-safe, but the overall scopes field that accompanies all providers IS type-safe. This made me configure auth incorrectly several times until I got the scopes correctly written. Probably wouldn't hurt to make those type safe as well to prevent errors, and make them type safe specific to that provider (for example - "OPENID" should not be there under SIWA, just Google). That or include all the attributes within the docs and show how they map to Cognito to not let the developer have to guess.

Image

Right now, the docs don't show all the attribute mappings available, so it leaves it up to the devs using amplify to kinda dig into and find out, which really isn't too necessary.

Image

Additionally, the attribute mapping is not type-safe either. I basically had to guess as to the proper attribute mapping (with underscores, etc.) until it worked. I feel like that could be improved upon as well by making each attribute type safe.

Image

All these improvements would have probably saved me several hours to a full day of experimenting.

I know some of these are unrelated to the issue, but felt like I needed a good place to include them.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 19, 2025
@jjarvisp
Member

jjarvisp commented Feb 19, 2025

@ChristopherGabba thank you for the detailed analysis. We will take your suggestions for documentation improvements as an action item. Regarding the DX / type safety improvements, we'd recommend opening a feature request against the amplify-backend repository as they'd be able to provide direct support here with the attribute mapping.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Feb 19, 2025