I have a web application which uses Cognito to allow users to log in. Cognito uses an external provider (Okta). When a user logs in for the first time, a user entry is created in the user pool. I also have a second application which has to use the same user pool, but because of the specifics of this application I have to use email and password authentication.
I would like users to receive an email asking them to set (reset) their password when they first log in to the web app. What's the best way to achieve that?
As far as I know it's impossible to set a password for EXTERNAL_PROVIDER users, but I can accept creating new (duplicate) users. But still I'd like to ask about the best way to do this.
Instructions below are for migrating between cognito instances, but you might find them useful.
There is only one way to get this done: the migration lambda trigger. In short:
create new cognito
create migration lambda
add this lambda as a trigger to login and/or forgotten passwords
point users at cognito (this might not be necessary in your instance)
Upon login, Cognito will check locally and, if the user is not found, will use the trigger to check programmatically in another source.
If authentication is successful, the old Cognito will return an object with all properties, including passwords, which you can then insert into the new Cognito.
More info here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
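A worked user-migration trigger, added here as an example and not taken from the answer above. It handles both trigger sources the answer mentions (sign-in and forgotten password). The legacy store is a hypothetical, constructed in-memory dict (LEGACY_USERS) of PBKDF2 hashes; in a real Cognito-to-Cognito migration legacy_authenticate() would call AdminInitiateAuth on the old pool and legacy_lookup() would call AdminGetUser. Setting finalUserStatus to RESET_REQUIRED instead of CONFIRMED is what forces a password change right after migration, which is close to what the question asks for.

```python
"""
User-migration Lambda trigger (added example; not the answer's own code).

Hypothetical assumption: the legacy user store is modelled by LEGACY_USERS, a
constructed in-memory dict of PBKDF2 password hashes. For a real
Cognito-to-Cognito migration, legacy_authenticate() would call
AdminInitiateAuth on the old pool and legacy_lookup() would call AdminGetUser.
"""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; use a per-user random salt in practice


def _hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample record standing in for the old user store.
LEGACY_USERS = {
    "alice@example.com": {
        "password_hash": _hash_password("Correct-Horse-1"),
        "email": "alice@example.com",
        "email_verified": True,
        "name": "Alice",
    },
}


class MigrationDenied(Exception):
    """Raising from the trigger makes Cognito fail the sign-in or reset."""


def legacy_authenticate(username: str, password: str):
    """Return the legacy record if the credentials are valid, else None."""
    rec = LEGACY_USERS.get(username.lower())
    if rec is None:
        return None
    if not hmac.compare_digest(rec["password_hash"], _hash_password(password)):
        return None
    return rec


def legacy_lookup(username: str):
    return LEGACY_USERS.get(username.lower())


def _migrated_attributes(rec: dict) -> dict:
    # Cognito expects string values; email_verified must be "true" for a
    # forgot-password code to be deliverable after migration.
    return {
        "email": rec["email"],
        "email_verified": "true" if rec["email_verified"] else "false",
        "name": rec["name"],
    }


def handler(event: dict, context=None) -> dict:
    source = event["triggerSource"]
    username = event["userName"]
    response = event.setdefault("response", {})

    if source == "UserMigration_Authentication":
        # Cognito passes the plaintext password only for this trigger source;
        # never log the event object.
        rec = legacy_authenticate(username, event["request"]["password"])
        if rec is None:
            raise MigrationDenied("Bad username or password")
        response["userAttributes"] = _migrated_attributes(rec)
        # CONFIRMED lets the user keep signing in with the same password;
        # RESET_REQUIRED would force a password change right after migration.
        response["finalUserStatus"] = "CONFIRMED"
        response["messageAction"] = "SUPPRESS"  # no welcome email with a temporary password
    elif source == "UserMigration_ForgotPassword":
        # No password is available here: only migrate users that exist and have
        # a verified email, otherwise the reset code has nowhere safe to go.
        rec = legacy_lookup(username)
        if rec is None or not rec["email_verified"]:
            raise MigrationDenied("User not found")
        response["userAttributes"] = _migrated_attributes(rec)
        response["messageAction"] = "SUPPRESS"
    else:
        raise MigrationDenied(f"Unexpected trigger source: {source}")
    return event
```

The trigger only fires for flows that send the password to Cognito (USER_PASSWORD_AUTH or ADMIN_USER_PASSWORD_AUTH); an SRP sign-in of an unknown user fails without invoking it.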
We use AWS Cognito with the Host UI for login and signup.
We require a user to be able to change their password.
There is an auth flow state in Cognito called FORCE_CHANGE_PASSWORD. When the user is in this state, upon successful login via Hosted UI, the user is then instructed to change their password before they continue.
The issue is that we can't find a way to force a user's state to be FORCE_CHANGE_PASSWORD. We are instead having to use the AWS API to change a password.
We chose the Hosted UI option because we wanted to offload auth responsibility from our app. Having to use the AWS API to change a password means we are now pulling in 'auth stuff' into our stack (auth forms, val, api services, testing, ongoing maintenance) which we want to avoid/minimise.
Is there some way to set the users state to FORCE_CHANGE_PASSWORD? As this would keep everything in the Hosted UI, and solve our problem.
We were hoping to find an API method like adminSetUserState?
We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:
Admin creates a new user using AdminCreateUser of aws-sdk. Email, name and phone number are given.
A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
User signs in for the first time with the temporary password.
Cognito asks for a new password.
User sets their new password and proceeds to log in.
MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.
However, the MFA challenge works fine starting from the second login. In other words, user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).
Any idea why this is happening and what settings should I look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified as true, but I'd like to know why the MFA challenge fails on first login.
I've been really disappointed in the AWS hosted auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.
The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.
You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.
I am using the Cognito Hosted UI option to register and sign-in users for my website. Currently, users who register are immediately able to sign-in using their username/password. This is an issue because this allows anyone to register and then to access restricted parts of the site. What I would like to do is require that the ADMIN manually confirm every registered user before they can login.
Is this possible to achieve?
If you want to manually confirm every user that has registered using your Cognito User Pool, you could perform the following steps:
Step 1: Ensure that E-Mail/SMS verification requirement is unchecked in the "MFA and Verifications" sidebar in your Amazon Cognito User Pool console.
Step 2: To improve user experience, utilize a custom UI for your web/mobile application. After your users sign up, redirect them to a different web page which states that they will require admin verification. If you are using the Cognito default UI, the message "User Pool not configured properly for confirmation code delivery" is shown, which doesn't necessarily deliver a seamless user experience.
Step 3: Now, your signed up users should have the "UNCONFIRMED" state in the Amazon Cognito User Pool.
Step 4: To manually confirm the user, you can use the AdminConfirmSignUp API call[1], from your application code or from the CLI. This requires the user-pool-id and the username, and would also need Administrator credentials for it to run successfully.
I tested this out on my end, and I was able to manually confirm all the users that had registered to my Amazon Cognito User Pool.
The API call I tried on my end is as follows (tested via the CLI):
aws cognito-idp admin-confirm-sign-up --user-pool-id us-east-1_XXXX --username XXXX
After the AdminConfirmSignUp API call, your "UNCONFIRMED" users should have the "CONFIRMED" status.
References
[1] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html
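The same confirmation step from application code, added here as an example rather than the answer's own code. It lists users whose status is UNCONFIRMED (following pagination), confirms only those on an admin-supplied approved list with AdminConfirmSignUp, and returns what it did and what it left pending so the run can be audited. It assumes a cognito-idp client exposing list_users() and admin_confirm_sign_up(); boto3's real client fits, and the constructed FakeClient lets the script run offline. The pool id and usernames are placeholders.

```python
"""
Bulk-confirm approved sign-ups with AdminConfirmSignUp (added example; not the
answer's own code). Assumes a cognito-idp client with list_users() and
admin_confirm_sign_up(): boto3's real client, or the constructed FakeClient
below for an offline run. Pool id and usernames are placeholders.
"""


def _pending_usernames(client, user_pool_id):
    """Yield every username whose status is UNCONFIRMED, following pagination."""
    kwargs = {
        "UserPoolId": user_pool_id,
        "Filter": 'cognito:user_status = "UNCONFIRMED"',
    }
    while True:
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            yield user["Username"]
        token = page.get("PaginationToken")
        if not token:
            return
        kwargs["PaginationToken"] = token


def confirm_approved(client, user_pool_id, approved):
    """Confirm only users that are both UNCONFIRMED and on the approved list.

    Returns (confirmed, skipped) so the run can be logged for audit. Usernames
    are compared exactly; Cognito usernames are case sensitive unless the pool
    was created with case-insensitive usernames.
    """
    approved = set(approved)
    confirmed, skipped = [], []
    for username in sorted(set(_pending_usernames(client, user_pool_id))):
        if username in approved:
            client.admin_confirm_sign_up(UserPoolId=user_pool_id, Username=username)
            confirmed.append(username)
        else:
            skipped.append(username)
    return confirmed, skipped


class FakeClient:
    """Constructed stand-in for boto3's cognito-idp client (two pages of results)."""

    def __init__(self):
        self._pages = {
            None: {"Users": [{"Username": "bob"}, {"Username": "mallory"}],
                   "PaginationToken": "page-2"},
            "page-2": {"Users": [{"Username": "carol"}]},
        }
        self.confirmed = []

    def list_users(self, **kwargs):
        assert "UNCONFIRMED" in kwargs["Filter"]
        return self._pages[kwargs.get("PaginationToken")]

    def admin_confirm_sign_up(self, **kwargs):
        self.confirmed.append(kwargs["Username"])
        return {}


def build_real_client(region_name=None):
    """Real client; the caller needs cognito-idp:ListUsers and
    cognito-idp:AdminConfirmSignUp on the user pool ARN."""
    import boto3  # imported lazily so the offline demo has no dependency
    return boto3.client("cognito-idp", region_name=region_name)


if __name__ == "__main__":
    fake = FakeClient()
    done, held = confirm_approved(fake, "us-east-1_XXXX", ["bob", "carol"])
    print("confirmed:", done)       # ['bob', 'carol']
    print("still pending:", held)   # ['mallory']
```

Scope the IAM policy for whoever runs this to the single pool ARN; AdminConfirmSignUp on `*` lets a compromised admin credential open every pool in the account.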
I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in button for username+password login on my view and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn) and where I can put in an endpoint URL?
Do let me know If I need to be clearer.
Edit1: I have already tried using the Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the user in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. Is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use the newly introduced AWS Cognito User Pools or create your own. I would also recommend checking out the project https://github.com/danilop/LambdAuth, which is worth trying.
You can create AWS Cognito user pools and create the roles for authenticated and unauthenticated users and assign some policies to both roles. Once you have created the user pool you will get the necessary code to use in your web or mobile application. Refer to How to set up Cognito user pools.
I've been playing around with the new Cognito User Pools to manage user accounts and I'm trying to build a system where users have to log in to use the system, and new users can only be added by existing users (ie no public signup).
Currently there seems to be no way of stopping an unauthenticated user from calling signUp. I've changed it so that the Pool doesn't allow unauthenticated users but this doesn't seem to make any difference (as setting the accessKeyId and secretAccessKey to anything makes it run).
Have I missed something?
First of all, I think you are confused between an Identity Pool and a User Pool. Cognito user pools do not have a concept of allowing or not allowing "unauthenticated" access, identity pool does.
Now to answer your actual question, Cognito user pools is an authentication provider which implicitly means that the sign up process has to be unauthenticated. There is no way to authenticate a sign up call.
However, if your use case is to build some sort of invite-based sign-up process, you can use the Lambda trigger functionality with User Pools and validate each SignUp call in the PreSignUp trigger. This validation could check for the existence of a valid invitation code in the validation map and accept the call only in that case.
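An example of that PreSignUp check, added here and not part of the answer above. The client passes the invitation code in the SignUp call's ValidationData, which reaches the trigger as request.validationData. INVITES is a constructed in-memory store keyed by the SHA-256 of the code and bound to the email the invite was sent to; a real deployment would keep it in a database and consume codes with a conditional delete. The handler also refuses the PreSignUp_ExternalProvider source, since a federated sign-up would otherwise bypass the invitation check entirely.

```python
"""
PreSignUp Lambda trigger enforcing single-use invitation codes (added example;
not the answer's own code). INVITES is a constructed in-memory store mapping
sha256(code) to the email the invite was issued to.
"""
import hashlib
import hmac


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


# Constructed sample invite: code "INV-7f3a9c" issued to dave@example.com.
INVITES = {_digest("INV-7f3a9c"): "dave@example.com"}


class SignUpRejected(Exception):
    """Raising here makes Cognito return UserLambdaValidationException to the caller."""


def handler(event: dict, context=None) -> dict:
    source = event["triggerSource"]
    if source == "PreSignUp_AdminCreateUser":
        return event  # admin-created users need no invite
    if source != "PreSignUp_SignUp":
        # PreSignUp_ExternalProvider would let a federated identity bypass
        # the invitation requirement, so refuse anything not planned for.
        raise SignUpRejected("Self sign-up is by invitation only")

    request = event["request"]
    code = (request.get("validationData") or {}).get("invite_code", "")
    email = request.get("userAttributes", {}).get("email", "").lower()
    issued_to = INVITES.get(_digest(code)) if code else None

    # Constant-time compare so rejection timing does not reveal which
    # addresses hold an outstanding invite.
    if issued_to is None or not hmac.compare_digest(
        issued_to.encode("utf-8"), email.encode("utf-8")
    ):
        raise SignUpRejected("A valid invitation is required to sign up")

    del INVITES[_digest(code)]  # single use: consume the invite
    response = event.setdefault("response", {})
    # The code was delivered to this address, so control of it is already proven.
    response["autoConfirmUser"] = True
    response["autoVerifyEmail"] = True
    return event
```

Keep the invite store outside the function's memory in production: a Lambda container's globals are not shared across instances, so an in-memory dict cannot reliably enforce single use.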
After a long time, this has been solved by the AWS team. They have now added in an option User sign ups allowed? Setting this to: Only administrators can create users means that no-one can just sign up to the user pool.
In order to add a user now you will need to use the aws cognito sdk and the various functions starting with 'admin' (eg. adminAddUser).