As you may know, there is a known issue: if you call the AdminLinkProviderForUser API from a PreSignUp Lambda trigger to link a federated identity to an existing Cognito user, federation fails on that first sign-in attempt. A follow-up sign-in by the same user works and returns the linked user's tokens or authorization code.
There is a workaround: re-initiate the flow from a custom app. Because the linking itself succeeds, the custom app can catch the failure by capturing the "error" and "error_description" query parameters on its redirect URI. If the error matches the one this issue generates, the app redirects the browser back to the /oauth2/authorize endpoint with the "identity_provider" query parameter set to the social IdP. Since the user has already authenticated with the provider and that login is cached, the rest of the OAuth redirection completes automatically and the user is issued tokens. Match the error narrowly and retry only once, so that an unrelated error cannot put the browser into a redirect loop.
Please note that this workaround works in theory; test it fully in your environment, since AWS updates its services frequently.
Good luck!