I use Cognito as a REST API, but when I create a user in Cognito, I create an API for the FE to send to the BE, then the BE will use Cognito and send to it.
When I use the signup function, it runs OK but it sends a code to the email.
When I use adminCreateUser, it returns "MissingAuthenticationTokenException", msg "Missing Authentication Token", although I set "credentials" to true and false. Please help me.
My expectation is to send an email code when a user logs in and not to send one when an admin creates a user, and sending the mail code could be turned on/off by code.
We are trying FusionAuth & looking to have a single step flow for Sign up + Sign In.
After the user signs up, we want to show/land him directly on our application's dashboard page (without showing him the login page in between the flow). The authentication should happen but internally, i.e. we are expecting an OAuth2 standard IdToken in response to "WebApplication" so that the web application can use the IdToken to allow the user into the application.
Please note that we don't want to use approaches where we need to pass Username/password to our web application, and we don't want to handle user credentials. Also, we don't want to use Authentication Tokens returned in the Registration flow because AuthenticationTokens are not that secure; we are looking to use an OAuth2-based IdToken instead.
I have come across this post "https://fusionauth.io/community/forum/topic/165/taking-a-user-directly-to-the-registration-page/3" and tried the following request, but it is showing the Login page instead of registration.
(I have not used CSRF parameter though)
Please can you suggest why it's showing the Login Page?
You should be able to have a user register and be sent directly to your application, as long as you set the correct redirect_uri and put that on the registration URL:
The application will then receive a code that can be exchanged for an access token. You can call the userinfo endpoint with that token and get user information like email address, etc.
What you won't get that it seems like you might want is an id token. For that you'll have to send the user through the login process with a scope of profile. However, you could mint your own 'id token'-lite using the values from the userinfo endpoint and the JWT vending: https://fusionauth.io/docs/v1/tech/apis/jwt/#vend-a-jwt
I have auth0 setup to send a Verification Email (using Link) and a redirect URL - http://localhost:3000/app/registration
When I create a user it’s working and they get the email, and it redirects with this URL:
The problem is: according to this link, it should include the email address of the registered user; however, it is not. Is there a reason for this? If I could simply pass the email, I could make an API call and complete the registration process through the auth0 API.
My intention is to send the user to a special registration page on my single page application site where they can finish the registration process and set their password. Any help with this would be appreciated - thanks!
I use AWS Cognito as the authentication provider in a React application. I noticed an issue with the Reset Password flow:
Imagine I forget my password and request a password reset. Cognito sends me an email with a security code. Then, I remember the password and don't want to change it any more. I can't because even if I log in with the correct password, it still sends me to the Set New Password page. It seems like a security concern because anyone can force other users to reset their password as long as they know their email address.
Is that by design in Cognito or is it a bug in my use of Cognito?
You will want to verify how the forgot password/authentication flows have been implemented within your app. The Reset Password page should not send the NEW_PASSWORD_REQUIRED MFA challenge, nor change the user's status to need a new password in the user pool.
The ForgotPassword API call generates the reset code for the user, whereas the ConfirmForgotPassword API call accepts the code and allows the user to change the password. These API calls do not change the user's status for resetting their password, or create the NEW_PASSWORD_REQUIRED MFA challenge.
For completeness, there is no way to cancel the password reset code once it's been sent out. The code is valid for 24 hours, although sending another code will invalidate the first.
I have an unconfirmed AWS Cognito user who did not verify his email during the registration process. When he tries to log in with the following code:
the API returns
Now at this point the user is unauthenticated, there is no current session or current user. How will this user be able to verify himself and get himself logged in?
'verifyCurrentUserAttribute' and 'resendSignUp' APIs do not work for unauthenticated user.
Please help.
Late response but just saw this: The Auth.resendSignUp(<username>) does not need an authenticated user and is suited for this purpose. It accepts a username parameter as a string and when called will send a new code to the method configured in Cognito.
The right API endpoint for confirming a signup is confirmsignup
see : https://aws-amplify.github.io/amplify-js/api/classes/authclass.html#confirmsignup
This endpoint requires an email address and the code. The user can thereby confirm his signup later with the code he has received.
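The two replies above combine into one recovery flow for an unconfirmed user. The sketch below is an added example, not code from the thread or from Amplify: the helper names and the in-memory stub are hypothetical, and it assumes Cognito signals the unconfirmed state with `UserNotConfirmedException`.

```javascript
// `auth` is any object exposing Amplify's Auth methods signIn, resendSignUp
// and confirmSignUp. Error codes are Cognito exception names.
const UNCONFIRMED = 'UserNotConfirmedException';

// Step 1: try to sign in. If Cognito reports the account as unconfirmed,
// request a fresh code; this call needs no session.
async function signInOrRequestCode(auth, username, password) {
  try {
    return { status: 'SIGNED_IN', user: await auth.signIn(username, password) };
  } catch (err) {
    // Assumption: Amplify v5 exposes the exception as err.code, later majors as err.name.
    if ((err.code || err.name) !== UNCONFIRMED) throw err;
    await auth.resendSignUp(username);
    return { status: 'CODE_SENT' };
  }
}

// Step 2: confirm with the code the user received, then sign in again.
async function confirmAndSignIn(auth, username, password, code) {
  const trimmed = String(code).trim();
  if (!trimmed) throw new Error('confirmation code is required');
  await auth.confirmSignUp(username, trimmed);
  return auth.signIn(username, password);
}

// Constructed in-memory stand-in for Cognito so the flow runs offline.
function makeStubAuth(validCode) {
  const state = { confirmed: false, codesSent: 0 };
  const fail = (code) => Object.assign(new Error(code), { code });
  return {
    state,
    async signIn(username) {
      if (!state.confirmed) throw fail(UNCONFIRMED);
      return { username };
    },
    async resendSignUp() { state.codesSent += 1; },
    async confirmSignUp(_username, code) {
      if (code !== validCode) throw fail('CodeMismatchException');
      state.confirmed = true;
    },
  };
}
```

In an application, pass the real `Auth` object from aws-amplify in place of the stub; any error other than the unconfirmed case is rethrown so wrong passwords are not masked.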
Until yesterday I was using the default mechanism of sending mails like "verify mail" or "forgot password mail". These mails have special tokens included inside the mail. Both of these endpoints also return tokens in the response body.
I am now changing the way of sending mails in my application and I want to do it with a separate service. So to activate my users or change their password I need these tokens, but I don't want FusionAuth to send emails. When disabling "verify mails" or "forgot password", calling these endpoints results in a 403. Is there a way to get these tokens without starting the process of sending a mail by FusionAuth?
The workaround is to add a fake host to the mail config. But it isn't the best idea since I see then an error in logs when generating tokens.
You can use the /api/user/forgot-password API and set sendForgotPasswordEmail to false.
In the Forgot Password API, it is the second example:
Start the forgot password workflow using an API key
This will create you a token and will not send the email. You can then build the link yourself and send the email through an external service.
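A sketch of the approach in the reply above, added here as an example and not taken from the thread or from FusionAuth's own code. It assumes the API key is sent in the `Authorization` header and that the response carries the token as `changePasswordId`; the host, the placeholder key and the reset page URL are constructed values.

```javascript
// Build the API-key authenticated request that creates a reset token
// without FusionAuth sending the email itself.
function buildForgotPasswordRequest(baseUrl, apiKey, loginId) {
  if (!apiKey) throw new Error('an API key is required for this call');
  if (!loginId) throw new Error('loginId (email or username) is required');
  return {
    url: new URL('/api/user/forgot-password', baseUrl).toString(),
    init: {
      method: 'POST',
      headers: { Authorization: apiKey, 'Content-Type': 'application/json' },
      body: JSON.stringify({ loginId, sendForgotPasswordEmail: false }),
    },
  };
}

// Call the API and turn the returned token into a link for the external
// mail service. cfg.resetPageUrl (assumed) must end with "/".
async function requestResetLink(fetchImpl, cfg, loginId) {
  const { url, init } = buildForgotPasswordRequest(cfg.baseUrl, cfg.apiKey, loginId);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`forgot-password failed: HTTP ${res.status}`);
  const { changePasswordId } = await res.json();
  if (!changePasswordId) throw new Error('response did not include changePasswordId');
  // The token is a bearer secret: encode it into the path, keep it out of logs.
  return new URL(encodeURIComponent(changePasswordId), cfg.resetPageUrl).toString();
}

// Constructed configuration for the example; replace with real values.
const sampleConfig = {
  baseUrl: 'https://auth.example.com',
  apiKey: 'API_KEY_PLACEHOLDER',
  resetPageUrl: 'https://auth.example.com/password/change/',
};
```

Pass the platform `fetch` as `fetchImpl` in production; injecting it keeps the function testable without a live FusionAuth instance.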