
The AWS documentation for JS SDK says:

Force Change Password The user account is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change his or her password to a new value before doing anything else.

User accounts that are created by an administrator or developer start in this state.

But if for such a user I try to call forgotPassword method of SDK, it errors saying something like: Password cannot be reset in the current state.

So how can I complete the registration of a user (created by admin in IAM) from my website? Which SDK method should be called?

Saurabh Tiwari
  • `change_password(**kwargs) Changes the password of the IAM user who is calling this operation. The AWS account root user password is not affected by this operation. To change the password for a different user, see UpdateLoginProfile . For more information about modifying passwords, see Managing Passwords in the IAM User Guide .` – error404 Nov 08 '19 at 11:22
  • From the AWS docs: change_password method apparently works only for the authenticated users not for the first time users. – Saurabh Tiwari Nov 08 '19 at 11:24
  • Ah, yes... https://stackoverflow.com/questions/40287012/how-to-change-user-status-force-change-password – error404 Nov 08 '19 at 11:28
  • I have been through this thread. So does this mean there is no way to approve the registration of a user without the CLI? If the admin creates a user, only he can confirm the user. Seems weird, doesn't it? – Saurabh Tiwari Nov 08 '19 at 11:34
  • Yes, it seems that way. No direct way, at least, to authenticate the user. Although I can see a feature request raised to AWS for this. I will try to get more info. – error404 Nov 08 '19 at 12:19

2 Answers

Setting up an Auto Verify Lambda Trigger on the Pre Sign Up Trigger will allow for the user to be in a confirmed state, which may get you to the point you are looking for?

Lambda -> Node.js

Give it an appropriate Title

Place the below value in the code:

```javascript
exports.handler = (event, context, callback) => {

    // Confirm the user
    event.response.autoConfirmUser = true;

    // Set the email as verified if it is in the request
    if (event.request.userAttributes.hasOwnProperty("email")) {
        event.response.autoVerifyEmail = true;
    }

    // Return to Amazon Cognito
    callback(null, event);
};
```

Save

Then select the newly created trigger in General Settings -> Triggers -> Pre sign-up

Dan

We can do this,

  • I previously answered a MongoDB to AWS Cognito migration question.
  • Go through it step by step. I explained that users created by an admin need to change the password (forgot password), but there's still another way to do it. Check out my answer.

Some content from my answer,

AdminCreateUser:

  • Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password or allow Amazon Cognito to automatically generate one.

  • Specify whether provided email addresses and phone numbers are marked as verified for new users. Specify custom SMS and email invitation messages for new users via the AWS Management Console.

  • Specify whether invitation messages are sent via SMS, email, or both.

After successful user creation,

  • Authenticate the user using the same user credentials. Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)

  • After InitiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.

  • Use RespondToAuthChallenge(Username, , PASSWORD_VERIFIER)

  • Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.

  • The user is prompted and enters a new password and any missing values for required attributes.

  • Call RespondToAuthChallenge(Username, , ).

  • After a successful password change, the user will be able to log in using the same credentials which the admin created.

Refer: Unable to confirm the user registration via aws

Nikhil Kadam
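The challenge sequence described in the answer above, as an added example that is not part of the original post or of any AWS SDK. It assumes a `client` wrapper object exposing promise-returning `initiateAuth` and `respondToAuthChallenge` functions, and it uses the `USER_PASSWORD_AUTH` flow (which must be enabled on the app client) instead of `USER_SRP_AUTH` so that no SRP math is needed; helper names and the sample challenge are hypothetical.

```javascript
// Added example. Helper names and sample values are hypothetical; `client` is an
// assumed wrapper exposing promise-returning initiateAuth / respondToAuthChallenge.
const ATTR_PREFIX = 'userAttributes.';
// Constructed sample of what Cognito returns for a FORCE_CHANGE_PASSWORD user.
const SAMPLE_CHALLENGE = {
  ChallengeName: 'NEW_PASSWORD_REQUIRED',
  Session: 'constructed-session-token',
  ChallengeParameters: { requiredAttributes: '["userAttributes.name"]' },
};

// Build the RespondToAuthChallenge request that answers NEW_PASSWORD_REQUIRED.
function buildNewPasswordResponse(authResult, { clientId, username, newPassword, attributes = {} }) {
  if (authResult.ChallengeName !== 'NEW_PASSWORD_REQUIRED') {
    throw new Error(`Unexpected challenge: ${authResult.ChallengeName}`);
  }
  // requiredAttributes is a JSON string listing prefixed attribute names.
  const raw = (authResult.ChallengeParameters || {}).requiredAttributes || '[]';
  const required = JSON.parse(raw).map((n) => n.replace(ATTR_PREFIX, ''));
  const missing = required.filter((n) => !attributes[n]);
  if (missing.length > 0) {
    throw new Error(`Missing required attributes: ${missing.join(', ')}`);
  }
  const responses = { USERNAME: username, NEW_PASSWORD: newPassword };
  for (const [name, value] of Object.entries(attributes)) {
    responses[ATTR_PREFIX + name] = value;
  }
  return {
    ClientId: clientId,
    ChallengeName: 'NEW_PASSWORD_REQUIRED',
    Session: authResult.Session, // binds the answer to this sign-in attempt
    ChallengeResponses: responses,
  };
}

// Sign in with the temporary password, then set the permanent one.
async function completeFirstSignIn(client, { clientId, username, tempPassword, newPassword, attributes }) {
  const first = await client.initiateAuth({
    ClientId: clientId,
    AuthFlow: 'USER_PASSWORD_AUTH',
    AuthParameters: { USERNAME: username, PASSWORD: tempPassword },
  });
  if (first.AuthenticationResult) return first.AuthenticationResult; // no challenge pending
  const answer = buildNewPasswordResponse(first, { clientId, username, newPassword, attributes });
  const second = await client.respondToAuthChallenge(answer);
  if (!second.AuthenticationResult) {
    throw new Error(`Further challenge required: ${second.ChallengeName}`);
  }
  return second.AuthenticationResult; // tokens; the user status is now CONFIRMED
}
```

The `Session` value from the first response has to be echoed back unchanged, and the temporary password should never be logged or stored once the challenge is answered.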