I changed the Cognito User group policy so that a new user can't confirm himself. This leaves the new account unconfirmed and the email not verified.
After registration this causes the error message "An error was encountered with the requested page.".
Is it possible to customize these Cognito hosted UI error messages?
In my case this specific error should be changed to something like: "Your new user account is registered and waiting to be confirmed. You will get an email from the administrator later.".
Message customization was asked about some years ago without an answer:
How can I customize the AWS Cognito default confirm message?
We have AWS API Gateway with a developer portal. At the moment API developers can sign up themselves to create a new user account in Cognito. AWS Cognito supports self-service sign-up and an invite mode. In self-service the user can confirm the account via email/phone. According to the Cognito documentation (https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html) the confirmation process is illustrated such that confirmation can be either admin confirmation or confirmation via email/phone.
What we need is both combined. Registration has to be easy and verify the user's email, but ultimately the admin makes the decision whether the user will be allowed to get an API key and sign in to the Developer Portal. The process I have in mind:
First the user registers himself with self-service confirmation via email, and after that the account should be on hold in an unconfirmed state waiting for admin confirmation. Ideally Cognito would have an alarm to notify the admin that there is a new registration in the queue waiting for admin confirmation.
Is this possible?
User signs up ==> account is auto-confirmed ==> a custom email is sent to verify the email ==> user can log in without verifying the email since the account is already confirmed.
When the user clicks on the link, his email is verified.
Above is the user signup flow that I want. Till now, I'm verifying the account by triggering a Lambda in Cognito's PreSignUp trigger. However, using this way, the email is not triggered. So I'm verifying the account from the signup Lambda itself using the adminConfirmSignUp method. Now when the user clicks on the link, we get an error that the account is already verified, but I want the email to be verified when the link is clicked.
My Current Solution:
Confirm the user account with adminConfirmSignUp, and send an API Gateway link containing username / client_id / confirmation code instead of the default link. The API Gateway will point to a Lambda where I'll confirm the code and update the user's email attribute, but how can I verify the confirmation_code?
Is there any other solution available?
Also, in the custom email that is being sent to the user, I'm including a button and a click event listener; the event listener seems not to be working. Any reason?
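The flow described in the post above, as an added example that is not code from the original post. ConfirmSignUp is the only call that checks Cognito's own confirmation code, and it fails once the account is already CONFIRMED (the error the post describes), so this example replaces that code with an app-issued, HMAC-signed, time-limited token in the link. Everything beyond the Cognito trigger contract and AdminUpdateUserAttributes is an assumption: the secret source, the USER_POOL_ID and LINK_SECRET environment variables, the API Gateway proxy route that reads ?token=..., the hypothetical link URL, and the constructed FakeCognitoClient used so it runs offline.

```python
"""Added example: auto-confirm in PreSignUp, verify the email later via a
signed link. Assumptions: app-minted HMAC token, API Gateway proxy Lambda
reading ?token=..., injected Cognito client (stubbed offline)."""
import base64
import hashlib
import hmac
import json
import time

LINK_TTL_SECONDS = 24 * 3600  # how long a verification link stays valid


def pre_sign_up(event, context=None):
    """Cognito PreSignUp trigger: auto-confirm the account but leave the
    email unverified; the custom email link verifies it later."""
    event["response"]["autoConfirmUser"] = True
    event["response"]["autoVerifyEmail"] = False
    event["response"]["autoVerifyPhone"] = False
    return event


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link_token(secret: bytes, username: str, email: str, now=None) -> str:
    """Return "payload.signature". The email is part of the signed payload,
    so a link cannot be replayed later to verify a different address."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"u": username, "e": email, "exp": now + LINK_TTL_SECONDS},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_link_token(secret: bytes, token: str, now=None):
    """Return the payload dict when signature and expiry are valid, else None.
    compare_digest keeps the signature check constant-time."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data.get("exp", 0) < now:
        return None
    return data


def mark_email_verified(client, user_pool_id, secret, token, now=None) -> bool:
    """Lambda logic behind the link: validate the token, then set
    email_verified=true with AdminUpdateUserAttributes. Sending the email
    value in the same call ties the verified flag to that exact address."""
    data = verify_link_token(secret, token, now)
    if data is None:
        return False
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=data["u"],
        UserAttributes=[
            {"Name": "email", "Value": data["e"]},
            {"Name": "email_verified", "Value": "true"},
        ],
    )
    return True


class FakeCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client (offline demo only)."""
    def __init__(self):
        self.calls = []

    def admin_update_user_attributes(self, **kwargs):
        self.calls.append(kwargs)


def handler(event, context=None):
    """Assumed API Gateway proxy entry point; boto3 and the env vars are
    only resolved at runtime inside the Lambda."""
    import os
    import boto3
    params = event.get("queryStringParameters") or {}
    ok = mark_email_verified(
        boto3.client("cognito-idp"),
        os.environ["USER_POOL_ID"],
        os.environ["LINK_SECRET"].encode(),
        params.get("token", ""),
    )
    return {"statusCode": 200 if ok else 400,
            "body": "email verified" if ok else "invalid or expired link"}


if __name__ == "__main__":
    secret = b"replace-with-a-secret-from-secrets-manager"  # placeholder
    token = make_link_token(secret, "alice", "alice@example.com")
    print("link: https://api.example.com/verify?token=" + token)  # hypothetical URL
    stub = FakeCognitoClient()
    print("verified:", mark_email_verified(stub, "us-east-1_XXXX", secret, token))
    print("tampered:", mark_email_verified(stub, "us-east-1_XXXX", secret, token[:-1]))
```

The secret must never reach the email or the browser; only the signed token travels in the link, and the Lambda recomputes the MAC server-side. A click handler in the email body will not run in most mail clients, so the button should be a plain link to this endpoint rather than script.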
We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:
Admin creates a new user using AdminCreateUser of aws-sdk. Email, name and phone number are given.
A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
User signs in for the first time with the temporary password.
Cognito asks for a new password.
User sets their new password and proceeds to log in.
MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.
However, the MFA challenge works fine starting from the second login. In other words, user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).
Any idea why this is happening and what settings I should look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified to true, but I'd like to know why the MFA challenge fails on first login.
I've been really disappointed in the AWS hosted auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.
The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.
You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.
I am using the Cognito Hosted UI option to register and sign in users for my website. Currently, users who register are immediately able to sign in using their username/password. This is an issue because this allows anyone to register and then to access restricted parts of the site. What I would like to do is require that the ADMIN manually confirm every registered user before they can log in.
Is this possible to achieve?
If you want to manually confirm every user that has registered using your Cognito User Pool, you could perform the following steps:
Step 1: Ensure that E-Mail/SMS verification requirement is unchecked in the "MFA and Verifications" sidebar in your Amazon Cognito User Pool console.
Step 2: To improve user experience, utilize a custom UI for your web/mobile application. After your users sign up, redirect them to a different web page which states that they will require admin verification. If you are using the Cognito default UI, the message "User Pool not configured properly for confirmation code delivery" is shown, which doesn't necessarily deliver a seamless user experience.
Step 3: Now, your signed up users should have the "UNCONFIRMED" state in the Amazon Cognito User Pool.
Step 4: To manually confirm the user, you can use the AdminConfirmSignUp API call [1], from your application code or from the CLI. This requires the user-pool-id and the username, and would also need administrator credentials for it to run successfully.
I tested this out on my end, and I was able to manually confirm all the users that had registered to my Amazon Cognito User Pool.
The API call I tried on my end is as follows (tested via the CLI):
aws cognito-idp admin-confirm-sign-up --user-pool-id us-east-1_XXXX --username XXXX
After the AdminConfirmSignUp API call, your "UNCONFIRMED" users should have the "CONFIRMED" status.
References
[1]. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html
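The procedure in the answer above, done in bulk with boto3 as an added example (not the answer's own code): list the UNCONFIRMED queue so the admin can review it, then confirm only the approved usernames with AdminConfirmSignUp, the same API behind the CLI call shown. The Cognito client is injected so the constructed FakeCognitoClient can stand in for boto3 offline; the pool id and usernames are placeholders. The caller needs cognito-idp:ListUsers and cognito-idp:AdminConfirmSignUp on the pool.

```python
"""Added example: review the UNCONFIRMED queue and admin-confirm approved
accounts. Assumptions: injected client (stub offline), placeholder pool id."""

UNCONFIRMED_FILTER = 'cognito:user_status = "UNCONFIRMED"'  # ListUsers filter syntax


def list_unconfirmed_users(client, user_pool_id):
    """Page through ListUsers (max 60 per page) with the server-side filter."""
    users, token = [], None
    while True:
        kwargs = {"UserPoolId": user_pool_id, "Filter": UNCONFIRMED_FILTER, "Limit": 60}
        if token:
            kwargs["PaginationToken"] = token
        page = client.list_users(**kwargs)
        users.extend(page.get("Users", []))
        token = page.get("PaginationToken")
        if not token:
            return users


def attribute(user, name, default=None):
    """Pull one attribute value out of a ListUsers user record."""
    for attr in user.get("Attributes", []):
        if attr["Name"] == name:
            return attr["Value"]
    return default


def pending_summary(client, user_pool_id):
    """(username, email) pairs for the admin to review before approving."""
    return [(u["Username"], attribute(u, "email"))
            for u in list_unconfirmed_users(client, user_pool_id)]


def confirm_users(client, user_pool_id, approved):
    """Confirm approved usernames that are still UNCONFIRMED; anything else
    (already confirmed, unknown, or a typo) is skipped rather than guessed.
    Returns (confirmed, skipped)."""
    pending = {u["Username"] for u in list_unconfirmed_users(client, user_pool_id)}
    confirmed, skipped = [], []
    for name in approved:
        if name not in pending:
            skipped.append(name)
            continue
        client.admin_confirm_sign_up(UserPoolId=user_pool_id, Username=name)
        confirmed.append(name)
    return confirmed, skipped


class FakeCognitoClient:
    """Constructed in-memory stand-in for boto3's cognito-idp client (demo only)."""
    def __init__(self, users):
        self.users = users  # username -> {"UserStatus": ..., "Attributes": [...]}

    def list_users(self, **kwargs):
        assert kwargs["Filter"] == UNCONFIRMED_FILTER
        rows = [dict(Username=n, **u) for n, u in self.users.items()
                if u["UserStatus"] == "UNCONFIRMED"]
        return {"Users": rows}  # single page, so no PaginationToken

    def admin_confirm_sign_up(self, UserPoolId, Username):
        self.users[Username]["UserStatus"] = "CONFIRMED"


def demo_client():
    """Three constructed accounts: two waiting, one already confirmed."""
    def user(status, email):
        return {"UserStatus": status, "Attributes": [{"Name": "email", "Value": email}]}
    return FakeCognitoClient({
        "alice": user("UNCONFIRMED", "alice@example.com"),
        "bob": user("CONFIRMED", "bob@example.com"),
        "carol": user("UNCONFIRMED", "carol@example.com"),
    })


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python confirm.py us-east-1_XXXX alice carol
        import boto3
        client, pool, approved = boto3.client("cognito-idp"), sys.argv[1], sys.argv[2:]
    else:  # offline demo against the constructed accounts
        client, pool, approved = demo_client(), "us-east-1_XXXX", ["alice", "bob", "mallory"]
    for name, email in pending_summary(client, pool):
        print(f"pending: {name} <{email}>")
    print("confirmed/skipped:", confirm_users(client, pool, approved))
```

AdminConfirmSignUp changes the status only; with verification switched off as in Step 1, the confirmed user still has email_verified=false and therefore cannot use the forgot-password flow. If the admin trusts the address, set email_verified with AdminUpdateUserAttributes at the same time; otherwise leave it unverified so an unchecked address cannot be used for password recovery.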
I have set up AWS Cognito with my own user pool, but when I create a user with a valid phone number I do not receive the verification SMS on that phone.
I have also created role to allow Amazon Cognito to send SMS messages.
Please help me to debug the issue and let me know if any more details are required.
You can open the AWS Support Center and create a case. Under "Regarding", choose "Service Limit Increase". For SNS, follow the link http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_sns