Triggering AWS Cognito Pre-Auth lambda


My Cognito setup allows sign-in/sign-up from multiple OpenID identity providers (like Google, Facebook, ...). There is a pre-signup lambda that is responsible for linking user accounts by email match. In fact, on signup via some identity provider, this lambda creates a native Cognito user (if it's not already there) and links the external identity to that native user (AdminLinkProviderForUser) (similar to this). Some providers we support expose some extra attributes apart from standard ones like email, so this lambda also merges pieces of information from all providers into a single Cognito native account.

As I need the data captured from external providers in my API backend, I'm looking for a way to replicate data from the Cognito user pool. As some external providers expose mutable data on their end, the data in Cognito might also change on every login. So I was considering pre/post-auth lambda triggers to make a PATCH call to my API to update changed attributes.

Unfortunately, pre/post-auth lambdas aren't getting called all the time (invocations are almost random). Enabling PreventUserExistenceErrors as per the docs doesn't help.

So my questions are:

  1. In what circumstances are pre/post-auth lambdas getting called? (I struggle to understand when; it seems almost random.)
  2. Has anyone tried to implement a replication mechanism similar to what I've described? What was the technical decision/approach to implement it?
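The post-authentication trigger the question is considering, written out as an added example (this is not code from the question or from AWS). It assumes the standard Cognito trigger event shape (`triggerSource`, `userName`, `request.userAttributes`), a hypothetical backend endpoint reached over HTTPS with PATCH, and an explicit allow-list of attributes worth replicating; the sample event at the bottom is constructed. Two details matter for a handler like this: Cognito expects the event object returned unchanged for the post-auth trigger, and checking `triggerSource` before doing anything makes the handler safe to wire to several triggers and gives a log line that records exactly which invocations reach it, which is the first thing to look at when invocations appear random.

```python
import hashlib
import json
import logging
import urllib.request
from typing import Callable, Dict, List, Optional

log = logging.getLogger(__name__)

# Hypothetical allow-list of attributes the backend should receive. Keeping it
# explicit means a new provider-supplied claim does not reach the API until it
# is deliberately added here; Cognito-internal attributes are left out.
SYNCED_ATTRIBUTES = (
    "sub", "email", "email_verified", "given_name", "family_name",
    "picture", "custom:favourite_colour",
)

# Trigger sources this handler is meant to act on (assumed configuration).
SYNC_TRIGGERS = {"PostAuthentication_Authentication"}


def parse_identities(raw: Optional[str]) -> List[Dict[str, Optional[str]]]:
    """Cognito stores linked external identities in the `identities`
    attribute as a JSON-encoded list; keep only provider name and user id."""
    if not raw:
        return []
    try:
        items = json.loads(raw)
    except json.JSONDecodeError:
        log.warning("identities attribute is not valid JSON; ignoring it")
        return []
    return [
        {"provider": i.get("providerName"), "user_id": i.get("userId")}
        for i in items if isinstance(i, dict)
    ]


def build_sync_payload(event: dict) -> dict:
    """Pick the allow-listed attributes out of the trigger event and add a
    digest so the backend can cheaply skip an update when nothing changed."""
    attrs = event.get("request", {}).get("userAttributes", {})
    payload = {k: attrs[k] for k in SYNCED_ATTRIBUTES if k in attrs}
    payload["identities"] = parse_identities(attrs.get("identities"))
    payload["username"] = event.get("userName")
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    payload["digest"] = hashlib.sha256(canonical.encode()).hexdigest()
    return payload


def send_patch(payload: dict, url: str, bearer_token: str) -> int:
    """Hypothetical transport: PATCH the payload to the backend API.
    Not called by the offline example below; the handler takes a sender
    argument so the transport can be swapped out in tests."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=body, method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event: dict, context=None,
            send: Optional[Callable[[dict], object]] = None) -> dict:
    """Lambda entry point. Logs every invocation with its trigger source,
    syncs only for the configured triggers, and always returns the event."""
    trigger = event.get("triggerSource")
    log.info("cognito trigger %s for user %s", trigger, event.get("userName"))
    if trigger not in SYNC_TRIGGERS:
        return event
    payload = build_sync_payload(event)
    if send is not None:
        try:
            send(payload)
        except Exception:  # never fail the user's login because the sync failed
            log.exception("attribute sync failed for %s", event.get("userName"))
    return event


# Constructed sample event in the shape Cognito passes to a post-auth trigger.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PostAuthentication_Authentication",
    "region": "eu-west-1",
    "userPoolId": "eu-west-1_EXAMPLE",
    "userName": "google_123456789",
    "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown",
                      "clientId": "EXAMPLECLIENTID"},
    "request": {
        "userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "jane@example.com",
            "email_verified": "true",
            "given_name": "Jane",
            "picture": "https://example.com/jane.png",
            "custom:favourite_colour": "blue",
            "cognito:user_status": "EXTERNAL_PROVIDER",
            "identities": '[{"userId":"123456789","providerName":"Google",'
                          '"providerType":"Google","issuer":null,"primary":true,'
                          '"dateCreated":1700000000000}]',
        },
        "newDeviceUsed": False,
    },
    "response": {},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(json.dumps(build_sync_payload(SAMPLE_EVENT), indent=2))
```

In a deployment the sender would be `lambda p: send_patch(p, API_URL, token)`; the swallowed exception is deliberate, since a replication failure should be visible in the logs rather than lock the user out. The pre-signup linking step described in the question arrives with `triggerSource` set to `PreSignUp_ExternalProvider`, so a second handler for that trigger can be told apart by the same check.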