How do I reset a Cognito user's password that has expired? - amazon-cognito

We're using Cognito. All is well. I added a user using the AdminCreateUser API, and they received their temporary password. Unfortunately they waited over a month to log in, and now when they try to log in with their temporary password, Cognito returns this error:
User account has expired, it must be reset by an administrator.
How do I do that? I don't see any reset button in the Cognito UI. Is there a CLI or API that I can call?

The commands admin-reset-user-password and admin-enable-user do not work for an expired user.
The way you reset an expired user is to call admin-create-user again with the parameter MessageAction value = 'RESEND'
For example via CLI command:
aws cognito-idp admin-create-user --region us-east-1 --user-pool-id us-east-1_youruserpoolid --username theusername --message-action RESEND
From the documentation:
"Set to 'RESEND' to resend the invitation message to a user that
already exists and reset the expiration limit on the user's account."
Once you have reset the user, the user will need to change the temporary password; otherwise they will be put back into this state again once they exceed the expiration time period (by default 7 days, according to the AWS documentation).

Related

when trying to add a cognito user getting an error about missing secret

I am following this tutorial (so I am a newbie).
I have set up my Cognito user pool. (Of course, if the tutorial is 1 month old it is out of date.)
Now I am trying to add a user via the CLI:
aws cognito-idp sign-up \
--region us-east-1 \
--client-id <CLIENTID> \
--username randy#mydomain.com \
--password password
And I get the error
An error occurred (NotAuthorizedException) when calling the SignUp operation: Client is configured for secret but secret was not received
Not sure what to change.
Thanks for any help
You need to recreate the Cognito user pool, uncheck "create secret", and add the allowed domain 'http://localhost' if you are running locally, or add your domain. This worked for me!

How to cancel a password reset in AWS Cognito?

I use AWS Cognito as the authentication provider in a React application. I noticed an issue with the Reset Password flow:
Imagine I forget my password and request a password reset. Cognito sends me an email with a security code. Then, I remember the password and don't want to change it any more. I can't because even if I log in with the correct password, it still sends me to the Set New Password page. It seems like a security concern because anyone can force other users to reset their password as long as they know their email address.
Is that by design in Cognito or is it a bug in my use of Cognito?
You will want to verify how the forgot-password/authentication flow has been implemented within your app. The Reset Password page should not send the NEW_PASSWORD_REQUIRED MFA challenge, nor change the user's status to need a new password in the user pool.
The ForgotPassword API call generates the reset code for the user, whereas the ConfirmForgotPassword API call accepts the code and allows the user to change the password. These API calls do not change the user's status for resetting their password, or create the NEW_PASSWORD_REQUIRED MFA challenge.
For completeness, there is no way to cancel the password reset code once it's been sent out. The code is valid for 24 hours, although sending another code will invalidate the first.

AWS Amplify: How to resend code when Auth 'signIn' API returns 'UserNotConfirmedException'

I have an unconfirmed AWS Cognito user who did not verify his email during the registration process. When he tries to log in with the following code:
Auth.signIn({
username:email,
password:password,
})
the API returns
'UserNotConfirmedException'
Now at this point the user is unauthenticated, there is no current session or current user. How will this user be able to verify himself and get himself logged in?
'verifyCurrentUserAttribute' and 'resendSignUp' APIs do not work for unauthenticated user.
Please help.
Late response but just saw this: The Auth.resendSignUp(<username>) does not need an authenticated user and is suited for this purpose. It accepts a username parameter as a string and when called will send a new code to the method configured in Cognito.
The right API endpoint for confirming a signup is confirmsignup
see : https://aws-amplify.github.io/amplify-js/api/classes/authclass.html#confirmsignup
This endpoint requires an email address and the code. The user can thereby confirm his signup later with the code he has received.

Error trying to set up user MFA Preferences

I'm using the AWS CLI to enable an MFA user pool with only TOTP MFA (no SMS).
aws cognito-idp set-user-pool-mfa-config --user-pool-id xxxx_xxxx --mfa-configuration OPTIONAL --software-token-mfa-configuration Enabled=true
{
"SoftwareTokenMfaConfiguration": {
"Enabled": true
},
"MfaConfiguration": "OPTIONAL"
}
Seems okay, right?
But when I try to set up an user preference I keep getting this error:
An error occurred (InvalidParameterException) when calling the AdminSetUserMFAPreference operation: User has not set up software token mfa
Command:
aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxx_xxxx --username username#email.com --software-token-mfa-settings Enabled=true
Trying to use admin-set-user-preference also doesn't work:
aws cognito-idp admin-set-user-settings --user-pool-id us-xxxx-xxxx --username username#email.com --mfa-option DeliveryMedium=EMAIL
An error occurred (InvalidParameterException) when calling the AdminSetUserSettings operation: Only phone_number attribute is currently supported as a MFA option.
What am I missing? Does it need an extra configuration not mentioned anywhere in documentation?
Solution:
First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:
aws cognito-idp associate-software-token --access-token ACCESS_TOKEN
(this will generate a unique code that you could use in Google Authenticator)
With the TOTP code retrieved from the Authenticator app run:
aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE
With the successful message from the previous command you can change the user preference:
aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True
To setup the TOTP for user you have to call the AWS Cognito APIs in the following order
Associate Software Token
Verify Software Token
Set User MFA Preference
The associate software token call will give you a SecretCode, which you convert to a QR code so that the user can scan it with an authenticator app. Then you call the verify software token API and pass it the code generated by the authenticator app. And finally you enable MFA by calling the set user MFA preference API. And voila.
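An added Python example, not taken from any of the answers above, for the two pieces the CLI steps leave implicit: turning the base32 SecretCode that associate-software-token returns into the otpauth:// URI you render as a QR code, and computing/checking the RFC 6238 TOTP value (HMAC-SHA1, 30-second step, 6 digits, the scheme Cognito software tokens use) that verify-software-token expects. The secret is the RFC 6238 reference secret, constructed for the example; account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI an authenticator app expects.

    Rendering this string as a QR code is the 'convert to a QR' step; the
    secret is the base32 SecretCode returned by associate-software-token.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    # base32 secrets often arrive without '=' padding; restore it before decoding
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)   # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, user_code: str, unix_time: int, window: int = 1) -> bool:
    """Check a user-supplied code, tolerating +/- `window` steps of clock skew
    and comparing in constant time."""
    candidates = (totp(secret_b32, unix_time + 30 * d) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, user_code) for c in candidates)


# Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(otpauth_uri(RFC_SECRET_B32, "user@example.com", "MyApp"))
    print(totp(RFC_SECRET_B32, 59))  # 287082: the RFC 6238 SHA1 vector truncated to 6 digits
```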

Require verification of both email and phone

If a user provides both an email and phone, I need to require both to be verified. It looks like there isn't a way to do this without extra steps as described here
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
Is there a way to require both verifications?
Currently it looks like I have to wait for the phone number to be verified, i.e. verify the phone number first. After that, call initiateAuth to get an access token to retrieve the userInfo and check if the email needs verification, and send the verification code out. From testing I saw that email verification does not block the initiateAuth request, so a getUser request would need to be made before every initiateAuth request to see if verification is needed, and not return an access token if the email still needs verification.
I am on the Cognito team. The scenario described is not possible at this point (requiring email and phone number verification before sign in). If both phone number and email require verification and a phone number is present in the user attributes, the verification code is sent to the phone number; it is prioritized. Also, the calls to verifyUserAttribute which would enable you to verify email require an AccessToken to mark email as verified.
Unfortunately, Cognito will only send you an email verification link if you do not provide a phone number when registering. If you provide an empty phone number property value and a valid email address, in this case it'll send the email.
This is really awful, because SMS messages sometimes don't reach the endpoint in real time.
If you want to verify the two contact methods in the registration flow, for example, you could do this (you must have your own OTP verification flow, for example):
Create the user with admin powers without notifying the user of the registration
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-create-user.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
aws cognito-idp admin-create-user --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name=email,Value=calderonr.robinson#gmail.com Name=phone_number,Value="+5732085654" Name=custom:id,Value="1179791" Name=name,Value="Robinson C" --message-action SUPPRESS
(This can be programmed after the OTP verification that you develop)
Then assign the password to be confirmed
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-set-user-password.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html
aws cognito-idp admin-set-user-password --user-pool-id us-east-2_fggdfg --username 117979111 --password "loquesea" --permanent
Mark the contact method that was verified as true
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id us-east-2_fggdfg --username 117979111 --user-attributes Name="email_verified",Value="true"
You can do all this perfectly with the AWS SDK 2.
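The same three-step flow through the AWS SDK (boto3), as an added example that is not part of the answer above: the function issues the same admin calls as the CLI commands (silent create with MessageAction SUPPRESS, a permanent password so the account never sits in FORCE_CHANGE_PASSWORD waiting to expire, then email_verified or phone_number_verified set only for the contact method your own OTP check confirmed). It is run here against an in-memory stand-in client so it works offline; the pool id, username, e-mail, phone number and password are constructed placeholders.

```python
import re

USER_POOL_ID = "us-east-2_EXAMPLEPOOL"          # placeholder pool id, not a real one
E164 = re.compile(r"^\+[1-9]\d{1,14}$")         # Cognito accepts phone_number only in E.164


def provision_verified_user(client, username, email, phone, password, email_ok, phone_ok):
    """Silent create, permanent password, then mark as verified only the contact
    methods that passed your own OTP check. `client` is a boto3 cognito-idp client
    (or anything exposing the same four methods, such as FakeCognito below)."""
    if not E164.match(phone):
        raise ValueError("phone_number must be E.164, e.g. +15555550100")
    attrs = [{"Name": "email", "Value": email}, {"Name": "phone_number", "Value": phone}]
    # SUPPRESS: Cognito sends no invitation message with a temporary password
    client.admin_create_user(UserPoolId=USER_POOL_ID, Username=username,
                             UserAttributes=attrs, MessageAction="SUPPRESS")
    # Permanent=True skips FORCE_CHANGE_PASSWORD, so the account cannot expire unused
    client.admin_set_user_password(UserPoolId=USER_POOL_ID, Username=username,
                                   Password=password, Permanent=True)
    checks = (("email_verified", email_ok), ("phone_number_verified", phone_ok))
    verified = [{"Name": name, "Value": "true"} for name, ok in checks if ok]
    if verified:
        client.admin_update_user_attributes(UserPoolId=USER_POOL_ID, Username=username,
                                            UserAttributes=verified)
    return client.admin_get_user(UserPoolId=USER_POOL_ID, Username=username)


class FakeCognito:
    """In-memory stand-in for the boto3 client so the flow runs offline."""
    def __init__(self):
        self.users = {}
    def admin_create_user(self, UserPoolId, Username, UserAttributes, MessageAction):
        self.users[Username] = {"attrs": {a["Name"]: a["Value"] for a in UserAttributes},
                                "status": "FORCE_CHANGE_PASSWORD", "message": MessageAction}
    def admin_set_user_password(self, UserPoolId, Username, Password, Permanent):
        self.users[Username]["status"] = "CONFIRMED" if Permanent else "FORCE_CHANGE_PASSWORD"
    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.users[Username]["attrs"].update({a["Name"]: a["Value"] for a in UserAttributes})
    def admin_get_user(self, UserPoolId, Username):
        u = self.users[Username]
        return {"Username": Username, "UserStatus": u["status"],
                "UserAttributes": [{"Name": k, "Value": v} for k, v in u["attrs"].items()]}


if __name__ == "__main__":
    # Against the real service: client = boto3.client("cognito-idp", region_name="us-east-2")
    user = provision_verified_user(FakeCognito(), "117979111", "user@example.com",
                                   "+15555550100", "Constructed-Pass-1!", True, False)
    print(user["UserStatus"], user["UserAttributes"])
```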