I have an app with AWS Cognito auth implemented using Amplify. I do not want users to be able to sign up, instead the admin will sign up users via the AWS Cognito user pool console, by creating a new user.
I have created a custom attribute for users for a AWS Cognito userpool. I want to assign a value to that attribute for a user either when creating the user or after the user is created.
I cannot see how to fill in any values for attributes for a user when creating a user in the AWS Cognito user pool console.
When opening a created user in the console, I do not see how to add values for attributes for that user.
I have probably missed something in the Docs, but can someone tell me how to add values for attributes (including custom ones) for a user created in the AWS Cognito userpool console.
This is a very simple solution.
The Cognito console doesn't allow the admin to input custom attributes or any required attributes. This is the norm, because the user's info should be filled in by the user himself.
So this is the workflow for how this invitation auth flow works in Cognito:
The admin creates a new user in the console by inputting only the username and a temporary password (he can choose whether to send a verification email or not, and whether to auto-verify the phone number or email upon creation).
Cognito will send the invitation email to the user with the verification code or link (codeParameter). (If you use a custom message Lambda trigger for this use case, you can customize the email message and put the username and temporary password in it together.)
At this point, you should include a URL to redirect the user to your app's update password page.
In this update page, you should let him input any required attributes himself and change the password to complete the signup (in the Cognito console, you should configure any attributes you need to collect upon signup as required).
Here is a helpful link for you to review in order to understand how to complete the signup with Cognito via the Amplify lib:
https://docs.amplify.aws/lib/auth/manageusers/q/platform/js#complete-new-password
Cheers
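The "complete the signup" step above is Cognito's NEW_PASSWORD_REQUIRED challenge, which is what Amplify's completeNewPassword call answers. As an added example (not part of the answer above), this builds the RespondToAuthChallenge input for that step from the challenge Cognito returns: the pool tells the client which attributes are required, the client must supply exactly those along with the new password. The sample challenge, client id, and attribute values are constructed for illustration.

```javascript
// Constructed sample of what InitiateAuth returns for an admin-created user who
// still has the temporary password. Cognito encodes requiredAttributes and
// userAttributes as JSON strings inside ChallengeParameters.
const sampleChallenge = {
  ChallengeName: 'NEW_PASSWORD_REQUIRED',
  Session: 'constructed-session-token',
  ChallengeParameters: {
    USER_ID_FOR_SRP: 'jdoe',
    requiredAttributes: '["userAttributes.given_name","userAttributes.custom:tenant_id"]',
    userAttributes: '{"email":"jdoe@example.com","email_verified":"true"}',
  },
};

// Decode the required attribute list, dropping the "userAttributes." prefix
// Cognito uses on the wire so callers deal in plain attribute names.
function parseRequiredAttributes(challengeParams) {
  const raw = challengeParams.requiredAttributes || '[]';
  return JSON.parse(raw).map((key) => key.replace(/^userAttributes\./, ''));
}

// Build the RespondToAuthChallenge request for NEW_PASSWORD_REQUIRED.
// Client-side guard: refuse to send if a required attribute is blank, and only
// forward the attributes the pool asked for, so the update-password form cannot
// be used to write arbitrary attributes.
function buildNewPasswordResponse(challenge, clientId, newPassword, attrs) {
  const params = challenge.ChallengeParameters;
  const required = parseRequiredAttributes(params);
  const missing = required.filter((name) => !attrs[name] || attrs[name].trim() === '');
  if (missing.length) {
    throw new Error(`missing required attributes: ${missing.join(', ')}`);
  }
  const responses = { USERNAME: params.USER_ID_FOR_SRP, NEW_PASSWORD: newPassword };
  for (const name of required) {
    responses[`userAttributes.${name}`] = attrs[name];
  }
  return {
    ClientId: clientId,
    ChallengeName: 'NEW_PASSWORD_REQUIRED',
    Session: challenge.Session,
    ChallengeResponses: responses,
  };
}
```

If the app client has a client secret, the SDK also requires a SECRET_HASH entry in ChallengeResponses; the example assumes a public client without one.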
I need to get some user attributes from non-validated users on AWS Cognito
My use case is the following:
A user signs up in the app, however he does not submit the validation code immediately
When he tries to sign in to the app, he is prompted once again to submit the code he has received in his e-mail
But then I cannot register this user in the database, because I don't have his data... Hopefully this was clear enough
I tried to research some resources online such as this AWS Cognito- get user information with ID and this one AWS Cognito: get user attributes of any unauthenticated user
However, I am concerned about the security of the user, regarding the GDPR... As I would be exposing an unprotected endpoint with access to some sensitive data...
Do any of you guys know how I could address such an issue without violating any GDPR rule?
Is there any Cognito method that returns the user data for non-validated users when they try to sign in?
I configured the user pool to allow both username and email sign-in. On passing email in as the username during migration I was able to verify the email and password against an external system and return successfully from the user migration lambda trigger. However, I received the following exception and the user was not migrated: Username cannot be of email format since user pool is configured for email alias. This makes no sense to me at all. When I recreated the user pool to only allow sign-in with email everything works as expected--the user is authenticated and created in the user pool. I'm looking for clarification as to how the user pool should be configured and how to pass in the proper values during sign-in, and specifically: how to handle this during a migration event.
The comment by Al-Mustafa Azhari in the following thread seems like it would work as well but this convention is not in the AWS documentation--not that I can see anyway. Cognito and Java - Username cannot be of email format since user pool is configured for email alias
AWS Cognito migration lambda docs: Migrate user Lambda trigger - Amazon Cognito
AWS Cognito user pool docs: Migrate user Lambda trigger - Amazon Cognito
If the answer is buried somewhere in the docs, I have yet to find it.
I have a web application which uses Cognito to allow users to log in. Cognito uses an external provider (Okta). When a user logs in for the first time, a user entry is created in the user pool. I also have a second application which has to use the same user pool, but because of the specifics of this application I have to use email and password authentication.
I would like users to receive an email asking them to set (reset) their password when they first log in to the web app. What's the best way to achieve that?
As far as I know it's impossible to set a password for EXTERNAL_PROVIDER users, but I can accept creating new (duplicate) users. But still I'd like to ask about the best way to do this.
The instructions below are for migrating between Cognito instances, but you might find them useful.
There is only one way to get this done: the migration Lambda trigger. In short:
create new cognito
create migration lambda
add this lambda as a trigger to login and/or forgotten passwords
point users at cognito (this might not be necessary in your instance)
Upon login, Cognito will check locally and if the user is not found, will use the trigger to check programmatically in another source.
If authentication is successful, the old Cognito will return an object with all properties, incl. passwords, which you can then insert into the new Cognito.
More info here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
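The migration trigger described in the steps above, as an added example that is not part of the original answer: a Node.js migrate-user Lambda that handles both the sign-in and the forgot-password trigger sources. The event fields (triggerSource, userName, request.password, response.userAttributes, finalUserStatus, messageAction) are Cognito's documented contract; the legacy directory and its lookup/verify helpers are constructed stand-ins for whatever old source the users come from.

```javascript
// Constructed legacy user store standing in for the old identity source.
// The password lives here only to simulate that source's credential check.
const legacyDirectory = {
  jdoe: { email: 'jdoe@example.com', name: 'Jane Doe', password: 'Legacy-Pass-1' },
};

function lookupLegacyUser(username) {
  return legacyDirectory[username] || null;
}

function verifyLegacyCredentials(username, password) {
  const user = lookupLegacyUser(username);
  return user && user.password === password ? user : null;
}

// Attributes written into the new pool. email_verified must be "true", or the
// forgot-password flow has no verified channel to send the reset code to.
function toCognitoAttributes(user) {
  return { email: user.email, email_verified: 'true', name: user.name };
}

// Pure function so it can be unit-tested; the Lambda entry point wraps it below.
function migrate(event) {
  if (event.triggerSource === 'UserMigration_Authentication') {
    const user = verifyLegacyCredentials(event.userName, event.request.password);
    if (!user) throw new Error('Bad credentials'); // Cognito surfaces this as a failed sign-in
    event.response.userAttributes = toCognitoAttributes(user);
    event.response.finalUserStatus = 'CONFIRMED'; // password was just verified; no forced reset
    event.response.messageAction = 'SUPPRESS';    // no welcome/invitation email for migrated users
    return event;
  }
  if (event.triggerSource === 'UserMigration_ForgotPassword') {
    // No password is supplied here: only migrate the record so Cognito can send the reset code.
    const user = lookupLegacyUser(event.userName);
    if (!user) throw new Error('User not found'); // let Cognito fail the reset request
    event.response.userAttributes = toCognitoAttributes(user);
    event.response.messageAction = 'SUPPRESS';
    return event;
  }
  throw new Error(`Unexpected trigger source: ${event.triggerSource}`);
}

const handler = async (event) => migrate(event);
```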
We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:
Admin creates a new user using AdminCreateUser of aws-sdk. Email, name and phone number are given.
A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
User signs in for the first time with the temporary password.
Cognito asks for a new password.
User sets their new password and proceeds to log in.
MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.
However, the MFA challenge works fine starting from the second login. In other words, user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).
Any idea why this is happening and what settings should I look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified as true, but I'd like to know why the MFA challenge fails on first login.
I've been really disappointed in the AWS hosted auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.
The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.
You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.
I have a Cognito user pool instance and I need to add a confirm password field in the signup form of the Hosted UI. However, I can't specify it anywhere in the user pool configuration. Does anyone know how to add a confirm password field?
(Note: I do not want to write my own customised login, I want to use Cognito's Hosted UI)