How to implement reset password in Amazon Cognito if we don't have an email or phone number? We are using a login name for sign-in to the Cognito account - amazon-cognito

I want to implement reset password functionality in Amazon Cognito. I am using a login name to sign in to the Cognito account. Cognito sends the verification code via email or phone, and I am not using these fields in the user details. How can I implement reset password in the case of a login name?

You need either an email ID or a phone number to reset a user's password. Both forgot password and admin reset password use the same flow, which throws an invalid parameter error if neither a verified phone number nor a verified email address is registered for the user.
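The check the answer implies, as an added example that is not part of the original answer: before calling Cognito's ForgotPassword for a login-name user, look the user up with AdminGetUser and only request a code when a verified email or phone number exists. The `cognito` object, the `fakeCognito` double, the user pool id, client id and sample users are all constructed for this example; with AWS SDK v3 the two functions would wrap `AdminGetUserCommand` and `ForgotPasswordCommand` as noted in the comments.

```javascript
// Added example (not code from the original answer): a server-side pre-check
// before calling Cognito's ForgotPassword for a user who signs in with a login
// name. It encodes the rules stated in the answer: a reset needs a verified
// email or a verified phone number, and a verified phone number is used first.
//
// `cognito` is any object with two async functions. With AWS SDK v3 you would
// wire them as (an assumption about your setup, not shown here):
//   adminGetUser:   (input) => client.send(new AdminGetUserCommand(input))
//   forgotPassword: (input) => client.send(new ForgotPasswordCommand(input))

// AdminGetUser returns UserAttributes as [{ Name, Value }, ...]; flatten it.
function attributeMap(attributes) {
  return Object.fromEntries((attributes || []).map((a) => [a.Name, a.Value]));
}

// Decide whether Cognito has somewhere to deliver a reset code, and where.
function resetEligibility(attributes) {
  const attrs = attributeMap(attributes);
  const phoneVerified = !!attrs.phone_number && attrs.phone_number_verified === "true";
  const emailVerified = !!attrs.email && attrs.email_verified === "true";
  if (phoneVerified) return { eligible: true, channel: "SMS" };
  if (emailVerified) return { eligible: true, channel: "EMAIL" };
  return { eligible: false, channel: null };
}

// Look the user up first; only call ForgotPassword when a code can be delivered.
async function startPasswordReset(cognito, { userPoolId, clientId, username }) {
  const user = await cognito.adminGetUser({ UserPoolId: userPoolId, Username: username });
  const { eligible, channel } = resetEligibility(user.UserAttributes);
  if (!eligible) {
    // A structured reason lets the app route the user to an administrator
    // instead of surfacing Cognito's InvalidParameterException.
    return { started: false, reason: "NO_VERIFIED_CONTACT" };
  }
  const result = await cognito.forgotPassword({ ClientId: clientId, Username: username });
  return { started: true, channel, delivery: result.CodeDeliveryDetails };
}

// Constructed stand-in for the two Cognito calls so the file runs offline.
// It mirrors the answer: no verified contact means InvalidParameterException.
function fakeCognito(users) {
  const calls = [];
  const fail = (name, message) => { const e = new Error(message); e.name = name; throw e; };
  return {
    calls,
    async adminGetUser({ Username }) {
      if (!users[Username]) fail("UserNotFoundException", "User does not exist.");
      return { Username, UserAttributes: users[Username] };
    },
    async forgotPassword({ Username }) {
      calls.push(Username);
      const { channel } = resetEligibility(users[Username]);
      if (!channel) fail("InvalidParameterException", "no registered/verified email or phone_number");
      return { CodeDeliveryDetails: { DeliveryMedium: channel } };
    },
  };
}

// Constructed users: a login-name-only user like the one in the question, an
// email-only user, and a user with both contact methods verified.
const SAMPLE_USERS = {
  jdoe: [{ Name: "sub", Value: "constructed-sub-1" }],
  asmith: [{ Name: "email", Value: "asmith@example.com" }, { Name: "email_verified", Value: "true" }],
  bjones: [
    { Name: "email", Value: "bjones@example.com" }, { Name: "email_verified", Value: "true" },
    { Name: "phone_number", Value: "+15555550100" }, { Name: "phone_number_verified", Value: "true" },
  ],
};

async function demo() {
  const cognito = fakeCognito(SAMPLE_USERS);
  const results = {};
  for (const username of Object.keys(SAMPLE_USERS)) {
    results[username] = await startPasswordReset(cognito, {
      userPoolId: "us-east-1_constructed", clientId: "constructed-client-id", username,
    });
  }
  return { results, forgotPasswordCalls: cognito.calls };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

`resetEligibility` is the part worth keeping: AdminGetUser needs administrator credentials, so this check belongs in your backend, not in the browser, and the login-name-only user (`jdoe`) is the case the question describes, for which the only remedy is an administrator attaching and verifying a contact attribute.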

Related

Update the Keycloak account temporary password from our own website once the super admin creates a user account

Here I'm using Keycloak for the user management of my website. I want to send a password reset email once the Keycloak super admin creates a user account. The reset password link in the email should route to my own website's reset password page (not to the Keycloak reset password page).
I'm done up to here.
The issue is that when sending the password reset request, the following values are expected...
session_code: xxxx
execution: UPDATE_PASSWORD
client_id: client-id
tab_id: xxxxxxxx
How can I get session_code and tab_id to create a reset password request from my own website?
I tried decoding the key that comes with the email link, but couldn't find a way.

Auth0 - how to create a user without a password, or how to include the password in the verification email

We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen, where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way for them to know it.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.
Thanks

How to cancel a password reset in AWS Cognito?

I use AWS Cognito as the authentication provider in a React application. I noticed an issue with the Reset Password flow:
Imagine I forget my password and request a password reset. Cognito sends me an email with a security code. Then I remember the password and don't want to change it any more. I can't, because even if I log in with the correct password, it still sends me to the Set New Password page. It seems like a security concern, because anyone can force other users to reset their password as long as they know their email address.
Is that by design in Cognito or is it a bug in my use of Cognito?
You will want to verify how the forgot password and authentication flows have been implemented within your app. The Reset Password page should not send the NEW_PASSWORD_REQUIRED MFA challenge, nor change the user's status to need a new password in the user pool.
The ForgotPassword API call generates the reset code for the user, whereas the ConfirmForgotPassword API call accepts the code and allows the user to change the password. These API calls do not change the user's status for resetting their password, or create the NEW_PASSWORD_REQUIRED MFA challenge.
For completeness, there is no way to cancel the password reset code once it's been sent out. The code is valid for 24 hours, although sending another code will invalidate the first.
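The behaviour this answer describes, as an added example that is not part of the original answer: `FakeUserPool` is a constructed in-memory model in which ForgotPassword only issues a code (a newer code invalidates the older one and codes expire after 24 hours), ConfirmForgotPassword is the only call that consumes it, and neither call changes the user's status; `nextScreen` is the client-side rule that avoids the bug in the question, showing "Set New Password" only when InitiateAuth itself returns NEW_PASSWORD_REQUIRED. Usernames, passwords and token strings are constructed.

```javascript
// Added example, not code from the original answer. `FakeUserPool` is a
// constructed model of the pool behaviour the answer describes; `nextScreen`
// and `signIn` are the client-side part. All identifiers are constructed.

const CODE_TTL_MS = 24 * 60 * 60 * 1000; // reset codes are valid for 24 hours

class FakeUserPool {
  constructor(now = () => Date.now()) {
    this.users = new Map();
    this.now = now; // injectable clock so expiry can be exercised
    this.seq = 0;   // deterministic codes instead of random ones
  }
  addUser(username, { password, emailVerified = true, forceChange = false }) {
    this.users.set(username, { password, emailVerified, forceChange, reset: null });
  }
  fail(name, message) { const e = new Error(message); e.name = name; throw e; }
  getUser(username) {
    return this.users.get(username) || this.fail("UserNotFoundException", "User does not exist.");
  }

  // ForgotPassword: issues a code and replaces any earlier outstanding code.
  forgotPassword({ Username }) {
    const u = this.getUser(Username);
    if (!u.emailVerified) this.fail("InvalidParameterException", "no verified email or phone_number");
    const code = String(100000 + ++this.seq);
    u.reset = { code, issuedAt: this.now() };
    // A real pool delivers the code by email or SMS; this double returns it.
    return { code, CodeDeliveryDetails: { DeliveryMedium: "EMAIL" } };
  }

  // ConfirmForgotPassword: the only call that consumes the code.
  confirmForgotPassword({ Username, ConfirmationCode, Password }) {
    const u = this.getUser(Username);
    if (!u.reset || u.reset.code !== ConfirmationCode) {
      this.fail("CodeMismatchException", "Invalid verification code provided, please try again.");
    }
    if (this.now() - u.reset.issuedAt > CODE_TTL_MS) {
      this.fail("ExpiredCodeException", "Invalid code provided, please request a code again.");
    }
    u.password = Password;
    u.reset = null;
    return {};
  }

  // InitiateAuth (USER_PASSWORD_AUTH): an outstanding reset code plays no part.
  initiateAuth({ AuthParameters: { USERNAME, PASSWORD } }) {
    const u = this.users.get(USERNAME);
    if (!u || u.password !== PASSWORD) this.fail("NotAuthorizedException", "Incorrect username or password.");
    if (u.forceChange) return { ChallengeName: "NEW_PASSWORD_REQUIRED", Session: "constructed-session" };
    return { AuthenticationResult: { AccessToken: "constructed-access-token" } };
  }
}

// Route from the pool's response alone, never from a "reset requested" flag
// kept in the app: anyone who knows the email can call ForgotPassword.
function nextScreen(authResponse) {
  if (authResponse.ChallengeName === "NEW_PASSWORD_REQUIRED") return "SET_NEW_PASSWORD";
  if (authResponse.AuthenticationResult) return "HOME";
  return "LOGIN";
}

function signIn(pool, username, password) {
  try {
    return nextScreen(pool.initiateAuth({
      AuthFlow: "USER_PASSWORD_AUTH", AuthParameters: { USERNAME: username, PASSWORD: password },
    }));
  } catch (e) {
    if (e.name === "NotAuthorizedException") return "LOGIN";
    throw e;
  }
}

// The question's scenario: request a reset, then remember the old password.
function scenario() {
  const pool = new FakeUserPool();
  pool.addUser("alice", { password: "Old-Passw0rd!" });
  const first = pool.forgotPassword({ Username: "alice" });
  const loginDuringReset = signIn(pool, "alice", "Old-Passw0rd!"); // old password still works
  const second = pool.forgotPassword({ Username: "alice" });       // invalidates `first`
  let staleCodeError = null;
  try {
    pool.confirmForgotPassword({ Username: "alice", ConfirmationCode: first.code, Password: "New-Passw0rd!" });
  } catch (e) { staleCodeError = e.name; }
  pool.confirmForgotPassword({ Username: "alice", ConfirmationCode: second.code, Password: "New-Passw0rd!" });
  return {
    loginDuringReset,
    staleCodeError,
    oldPasswordAfterReset: signIn(pool, "alice", "Old-Passw0rd!"),
    newPasswordAfterReset: signIn(pool, "alice", "New-Passw0rd!"),
  };
}
```

If your app lands on the Set New Password page after a correct login, the flag that sends it there is being set by your own forgot-password page rather than by a challenge in the InitiateAuth response, which is what the answer asks you to check.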

Require verification of both email and phone

If a user provides both an email and a phone number, I need to require both to be verified. It looks like there isn't a way to do this without extra steps, as described here:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
Is there a way to require both verifications?
Currently it looks like I have to wait for the phone number to be verified, i.e. verify the phone number first. After that, call initiateAuth to get an access token, retrieve the userInfo, check if the email needs verification, and send a verification code out. From testing I saw that email verification does not block the initiateAuth request, so a getUser request would need to be made before every initiateAuth request to see if verification is needed, and not return an access token if the email still needs verification.
I am on the Cognito team. The scenario described is not possible at this point (requiring email and phone number verification before sign-in). If both phone number and email require verification and a phone number is present in the user attributes, the verification code is sent to the phone number; it is prioritized. Also, the calls to verifyUserAttribute, which would enable you to verify the email, require an AccessToken to mark the email as verified.
Unfortunately, Cognito will only send you an email verification link if you do not provide a phone number when registering. If you provide an empty phone number property value and a valid email address, in this case it'll send the email.
This is really awful, because SMS messages sometimes don't reach the endpoint in real time.
If you want to verify the two contact methods in the registration flow, for example, you could do this (you must have your own OTP verification flow):
Create the user with admin powers, without notifying the user of the registration:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-create-user.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
aws cognito-idp admin-create-user --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name=email,Value=calderonr.robinson#gmail.com Name=phone_number,Value="+5732085654" Name=custom:id,Value="1179791" Name=name,Value="Robinson C" --message-action SUPPRESS
(This can be run after the OTP verification that you develop.)
Then assign the password, already confirmed:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-set-user-password.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html
aws cognito-idp admin-set-user-password --user-pool-id us-east-2_fggdfg --username 117979111 --password "loquesea" --permanent
Set the contact method that was verified to true:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name="email_verified",Value="true"
You can do all this perfectly well with the AWS SDK 2.
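The three steps above as one function, as an added example that is not part of the original answer. The `admin` object and the `recordingAdmin` double are constructed for this example; with AWS SDK v2 (the SDK the answer mentions) each of its three functions would be `(params) => cisp.adminCreateUser(params).promise()` and so on, where `cisp` is a `CognitoIdentityServiceProvider` client, which is an assumption about your wiring. The pool id, username, contact details and password are constructed. It goes slightly beyond the answer in two ways: it marks `phone_number_verified` as well as `email_verified`, and only for the methods your OTP step actually proved, and it defaults to a temporary password (`Permanent: false`), which leaves the user in FORCE_CHANGE_PASSWORD so the administrator-chosen value is not the user's lasting password.

```javascript
// Added example, not code from the original answer: the CLI steps above as one
// Node function. `admin` has async adminCreateUser, adminSetUserPassword and
// adminUpdateUserAttributes functions (see the lead-in for the SDK v2 wiring).
// All ids, names and values below are constructed.

async function provisionVerifiedUser(admin, opts) {
  const {
    userPoolId, username, password, email = null, phoneNumber = null,
    verified = {},          // what your own OTP step actually proved
    permanent = false,      // false: the user must set their own password at first sign-in
    extraAttributes = [],   // e.g. [{ Name: "name", Value: "Jane Doe" }]
  } = opts;
  if (verified.email && !email) throw new Error("email marked verified but no email given");
  if (verified.phone && !phoneNumber) throw new Error("phone marked verified but no phone number given");

  const attributes = [
    ...(email ? [{ Name: "email", Value: email }] : []),
    ...(phoneNumber ? [{ Name: "phone_number", Value: phoneNumber }] : []),
    ...extraAttributes,
  ];

  // Step 1: create the user silently. SUPPRESS stops Cognito's own invitation
  // message, so nothing is sent to an address that has not been checked yet.
  await admin.adminCreateUser({
    UserPoolId: userPoolId, Username: username, UserAttributes: attributes, MessageAction: "SUPPRESS",
  });

  // Step 2: set the password. With Permanent: false the user stays in
  // FORCE_CHANGE_PASSWORD and must pick their own password at first sign-in.
  await admin.adminSetUserPassword({
    UserPoolId: userPoolId, Username: username, Password: password, Permanent: permanent,
  });

  // Step 3: record only the contact methods the OTP step proved.
  const flags = [];
  if (verified.email) flags.push({ Name: "email_verified", Value: "true" });
  if (verified.phone) flags.push({ Name: "phone_number_verified", Value: "true" });
  if (flags.length > 0) {
    await admin.adminUpdateUserAttributes({ UserPoolId: userPoolId, Username: username, UserAttributes: flags });
  }
  return { username, verified: flags.map((f) => f.Name), mustChangePassword: !permanent };
}

// Constructed recording double so the file runs offline and the call sequence
// can be inspected.
function recordingAdmin() {
  const calls = [];
  const record = (name) => async (params) => { calls.push({ name, params }); return {}; };
  return {
    calls,
    adminCreateUser: record("adminCreateUser"),
    adminSetUserPassword: record("adminSetUserPassword"),
    adminUpdateUserAttributes: record("adminUpdateUserAttributes"),
  };
}

async function demo() {
  const admin = recordingAdmin();
  const result = await provisionVerifiedUser(admin, {
    userPoolId: "us-east-2_constructed", username: "117979111", password: "Temp-Passw0rd!",
    email: "user@example.com", phoneNumber: "+15555550100",
    verified: { email: true, phone: true },
    extraAttributes: [{ Name: "name", Value: "Constructed Name" }],
  });
  return { result, calls: admin.calls };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The `email_verified` and `phone_number_verified` attributes can also be passed in the UserAttributes of the AdminCreateUser call itself, which collapses steps 1 and 3; keeping them separate, as the answer does, is useful when the OTP result arrives after the record already exists.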

What password will I ask if auth/account-exists-with-different-credential is thrown

Here is my scenario: a user signs in with the Google provider first in my web application, and after some time the same user tries to log in using the Facebook provider. If the user's Facebook provider email ID matches the previous Google provider email ID in Firebase, it will throw an error like "account-exists-with-different-credential". In this case Firebase gives us the Facebook provider email ID and instructs us to "ask the user his password". What password will I ask them for? If the user has to enter the Gmail password, will the user enter their Gmail password on a third party's site?
In your case, you will also get an email and a credential object (the Facebook credential) in the auth/account-exists-with-different-credential error thrown (error.credential and error.email). You can then call
auth.fetchProvidersForEmail(error.email)
to get the list of existing providers that correspond to that email. In this case you will get the array ['google.com']. Using one of these providers, you sign the user in to that provider.
auth.signInWithPopup(new firebase.auth.GoogleAuthProvider());
You can also set login-hint: error.email as a custom OAuth parameter on the google provider.
After that, the user is signed in. You then link the previous Facebook credential to that user:
currentUser.link(error.credential);
You will now have that Facebook account linked to the existing Google account. The next time the user tries to log in via Facebook, the error won't be thrown again.
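The recovery flow this answer describes as one function, as an added example that is not the answer's own code. It is written against an injected `auth` object and a `providerFactories` map so that it runs offline with the constructed `fakeAuth` double; with the Firebase v8 namespaced SDK, `auth.fetchSignInMethodsForEmail`, `auth.signInWithPopup` and `user.linkWithCredential` are the methods of `firebase.auth()` and of the signed-in user (an assumption about your wiring; the answer's older names were `fetchProvidersForEmail` and `currentUser.link`). It also covers the case the question worries about: when the existing sign-in method is `password`, the password to ask for is the email/password account's password in this app, never the user's Gmail password. Email, uid and credential objects are constructed.

```javascript
// Added example, not the answer's own code. `providerFactories` maps a provider
// id to a function that builds that provider with login_hint set; for Google
// with the v8 SDK that would be (an assumption about your wiring):
//   (email) => { const p = new firebase.auth.GoogleAuthProvider();
//                p.setCustomParameters({ login_hint: email }); return p; }
// Everything below with "constructed" in it is made up for this example.

const CONFLICT = "auth/account-exists-with-different-credential";

async function resolveCredentialConflict(auth, providerFactories, error) {
  if (error.code !== CONFLICT) throw error; // not ours to handle
  const { email, credential: pendingCredential } = error;

  const methods = await auth.fetchSignInMethodsForEmail(email);
  if (methods.includes("password")) {
    // The existing account is an email/password account of this app, so the
    // password to ask for is the one set here, not the user's Gmail password.
    return { status: "NEEDS_APP_PASSWORD", email, pendingCredential };
  }
  const providerId = methods.find((m) => providerFactories[m]);
  if (!providerId) return { status: "UNSUPPORTED_PROVIDER", methods };

  // Sign in with the provider the account already has, hinting the email so
  // the user is not asked to pick a different account.
  const { user } = await auth.signInWithPopup(providerFactories[providerId](email));
  // Attach the new provider's credential; next time that provider signs in directly.
  await user.linkWithCredential(pendingCredential);
  return { status: "LINKED", via: providerId, user };
}

// Constructed double of the auth object so the file runs offline.
function fakeAuth(methodsByEmail) {
  const log = [];
  return {
    log,
    async fetchSignInMethodsForEmail(email) { return methodsByEmail[email] || []; },
    async signInWithPopup(provider) {
      log.push({ call: "signInWithPopup", providerId: provider.providerId,
                 loginHint: provider.customParameters.login_hint });
      const user = {
        uid: "constructed-uid",
        providerData: [provider.providerId],
        async linkWithCredential(credential) {
          log.push({ call: "linkWithCredential", providerId: credential.providerId });
          this.providerData.push(credential.providerId);
          return { user: this };
        },
      };
      return { user };
    },
  };
}

// Constructed provider factories shaped like the real ones (a providerId plus
// the custom OAuth parameters).
const fakeFactories = {
  "google.com": (email) => ({ providerId: "google.com", customParameters: { login_hint: email } }),
  "facebook.com": (email) => ({ providerId: "facebook.com", customParameters: { login_hint: email } }),
};

function conflictError(email, providerId) {
  return Object.assign(new Error("account exists with different credential"),
    { code: CONFLICT, email, credential: { providerId } });
}

// The question's case: a Google account exists and the user now tries Facebook.
async function demo() {
  const auth = fakeAuth({ "jane@example.com": ["google.com"] });
  const result = await resolveCredentialConflict(
    auth, fakeFactories, conflictError("jane@example.com", "facebook.com"));
  return { status: result.status, via: result.via, providers: result.user.providerData, log: auth.log };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The important property is that the pending Facebook credential is only linked after the user has proven control of the existing Google account through Google's own popup; the app never sees, asks for, or stores a Google password.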