How to require admin confirmation of registered users with AWS Cognito? - amazon-web-services

I am using the Cognito Hosted UI option to register and sign-in users for my website. Currently, users who register are immediately able to sign-in using their username/password. This is an issue because this allows anyone to register and then to access restricted parts of the site. What I would like to do is require that the ADMIN manually confirm every registered user before they can login.
Is this possible to achieve?

If you want to manually confirm every user that has registered using your Cognito User Pool, you could perform the following steps:
Step 1: Ensure that E-Mail/SMS verification requirement is unchecked in the "MFA and Verifications" sidebar in your Amazon Cognito User Pool console.
Step 2: To improve user experience, utilize a custom UI for your web/mobile application. After your users sign up, redirect them to a different web page which states that they will require admin verification. If you are using the Cognito default UI, the message "User Pool not configured properly for confirmation code delivery" is displayed, which doesn't necessarily deliver a seamless user experience.
Step 3: Now, your signed up users should have the "UNCONFIRMED" state in the Amazon Cognito User Pool.
Step 4: To manually confirm the user, you can use the AdminConfirmSignUp API call[1], from your application code or from the CLI. This requires the user-pool-id and the username, and would also need Administrator credentials for it to run successfully.
I tested this out on my end, and I was able to manually confirm all the users that had registered to my Amazon Cognito User Pool.
The API call I tried on my end is as follows (tested via the CLI):
aws cognito-idp admin-confirm-sign-up --user-pool-id us-east-1_XXXX --username XXXX
After the AdminConfirmSignUp API call, your "UNCONFIRMED" users should have the "CONFIRMED" status.
References
[1] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html
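The manual approval gate described in Steps 3 and 4, as an added example that is not part of the answer above: it lists every UNCONFIRMED user in the pool with ListUsers (following the pagination token) and calls AdminConfirmSignUp only for the usernames an administrator explicitly approves. The boto3 client is passed in as a parameter, and the `FakeCognitoClient` class is a constructed stand-in so the logic can be exercised offline; the pool id `us-east-1_EXAMPLE` and the usernames are placeholders. Running it for real needs credentials allowed to call `cognito-idp:ListUsers` and `cognito-idp:AdminConfirmSignUp`.

```python
"""Approve pending Cognito sign-ups: list UNCONFIRMED users, confirm the approved ones.

Added example, not code from the answer or from AWS. The cognito-idp client is
injected so the same functions run against boto3 or against the offline fake below.
"""
import argparse


def list_unconfirmed_users(client, user_pool_id):
    """Return the usernames of every user whose status is UNCONFIRMED.

    ListUsers returns at most one page per call, so the PaginationToken is
    followed until the service stops returning one.
    """
    usernames = []
    kwargs = {
        "UserPoolId": user_pool_id,
        "Filter": 'cognito:user_status = "UNCONFIRMED"',  # server-side filter
    }
    while True:
        page = client.list_users(**kwargs)
        usernames.extend(u["Username"] for u in page.get("Users", []))
        token = page.get("PaginationToken")
        if not token:
            return usernames
        kwargs["PaginationToken"] = token


def confirm_users(client, user_pool_id, usernames, allow):
    """Confirm only the users the administrator approves.

    `allow(username)` returns True for accounts that should be confirmed;
    every other account stays UNCONFIRMED and is reported back, so approval
    is an explicit per-account decision. Returns (confirmed, still_pending).
    """
    confirmed, pending = [], []
    for name in usernames:
        if allow(name):
            client.admin_confirm_sign_up(UserPoolId=user_pool_id, Username=name)
            confirmed.append(name)
        else:
            pending.append(name)
    return confirmed, pending


class FakeCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client (offline demo only).

    Serves ListUsers two users per page to exercise pagination and records
    AdminConfirmSignUp calls by flipping the stored status.
    """

    def __init__(self, users):
        self.users = dict(users)  # username -> status

    def list_users(self, UserPoolId, Filter, PaginationToken=None, **_):
        assert Filter == 'cognito:user_status = "UNCONFIRMED"'
        pending = sorted(u for u, s in self.users.items() if s == "UNCONFIRMED")
        start = int(PaginationToken or 0)
        chunk = pending[start:start + 2]
        page = {"Users": [{"Username": u} for u in chunk]}
        if start + 2 < len(pending):
            page["PaginationToken"] = str(start + 2)
        return page

    def admin_confirm_sign_up(self, UserPoolId, Username):
        self.users[Username] = "CONFIRMED"
        return {}


def main():
    parser = argparse.ArgumentParser(description="Confirm approved Cognito sign-ups")
    parser.add_argument("--user-pool-id", required=True)  # e.g. us-east-1_EXAMPLE (placeholder)
    parser.add_argument("--approve", nargs="*", default=[], help="usernames to confirm")
    parser.add_argument("--offline", action="store_true", help="use the constructed fake client")
    args = parser.parse_args()
    if args.offline:
        client = FakeCognitoClient({"alice": "UNCONFIRMED", "bob": "UNCONFIRMED"})
    else:
        import boto3  # real path: needs admin credentials for the pool
        client = boto3.client("cognito-idp")
    pending = list_unconfirmed_users(client, args.user_pool_id)
    approved = set(args.approve)
    confirmed, still_pending = confirm_users(client, args.user_pool_id, pending, approved.__contains__)
    print("confirmed:", confirmed)
    print("still pending:", still_pending)


if __name__ == "__main__":
    main()
```

Note that AdminConfirmSignUp only changes the account status; it does not mark the email or phone attribute as verified, so a confirmed user still cannot use attribute-based password recovery unless the administrator also sets `email_verified` (e.g. with AdminUpdateUserAttributes).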

Related

Best way to change a users password with AWS Cognito Hosted UI?

We use AWS Cognito with the Hosted UI for login and signup.
We require a user to be able to change their password.
There is an auth flow state in Cognito called FORCE_CHANGE_PASSWORD. When the user is in this state, upon successful login via Hosted UI, the user is then instructed to change their password before they continue.
The issue is that we can't find a way to force a user's state to be FORCE_CHANGE_PASSWORD. We are instead having to use the AWS API to change a password.
We chose the Hosted UI option because we wanted to offload auth responsibility from our app. Having to use the AWS API to change a password means we are now pulling in 'auth stuff' into our stack (auth forms, val, api services, testing, ongoing maintenance) which we want to avoid/minimise.
Is there some way to set the user's state to FORCE_CHANGE_PASSWORD? This would keep everything in the Hosted UI and solve our problem.
We were hoping to find an api method like adminSetUserState??

Can AWS IAM user login integration be done with a custom application?

For my custom application, I wanted to have user login handled by AWS; basically I wanted the IAM user login functionality with a callback to the application on successful login, like the integrations with "Sign in with Google".
I do understand that AWS Cognito does this, but I wanted to have MFA for this user using a hardware key, which is not supported by Cognito as far as I understand.
Hardware key MFA is possible with IAM users, so if I can create an app which allows the IAM user to log in on AWS and redirect back to my app with a callback or token then it will be good. Any thoughts?
An IAM user/role is meant for logging into the AWS Management Console and for creating service clients when using the AWS SDK; in both cases you use the credentials of an IAM user.
If you are not familiar with using an IAM user with the SDK, see this topic:
Get started with the AWS SDK for Java 2.x
What you are describing is a use case for Cognito and users defined within user pools. For example, you can protect your web apps by requiring a user to login with a user defined in a user pool using a login form such as:

AWS Cognito - migrate users from external provider

I have a web application which uses Cognito to allow users to log in. Cognito uses an external provider (Okta). When a user logs in for the first time, a user entry is created in the user pool. I also have a second application which has to use the same user pool, but because of the specifics of this application I have to use email and password authentication.
I would like users to receive an email asking them to set (reset) their password when they first log in to the web app. What's the best way to achieve that?
As far as I know it's impossible to set a password for EXTERNAL_PROVIDER users, but I can accept creating new (duplicate) users. Still, I'd like to ask about the best way to do this.
The instructions below are for migrating between Cognito instances, but you might find them useful.
There is only one way to get this done: a migration Lambda trigger. In short:
Create the new Cognito user pool.
Create the migration Lambda.
Add this Lambda as a trigger for login and/or forgotten passwords.
Point users at the new Cognito (this might not be necessary in your instance).
Upon login, Cognito will check locally and, if the user is not found, will use the trigger to check programmatically in another source.
If authentication is successful, the old Cognito will return an object with all properties, incl. passwords, which you can then insert into the new Cognito.
More info here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
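The migration trigger from the steps above, as an added example that is neither the answer's nor AWS's code: a Lambda handler for the UserMigration trigger that serves both trigger sources. On `UserMigration_Authentication` it verifies the submitted password against the legacy store and returns the user as CONFIRMED with `email_verified` set, so the migrated account can use e-mail based password recovery; on `UserMigration_ForgotPassword` it returns the attributes without checking a password, which is the branch that fits the "set a password on first use" wish in the question, since Cognito creates the user and then continues the reset flow. The legacy directory (`LEGACY_USERS`, `legacy_lookup`, `legacy_authenticate`) is a constructed in-memory stand-in with PBKDF2 hashes; a real trigger would query the old system there. The event field names (`triggerSource`, `userName`, `request.password`, `response.userAttributes`, `response.finalUserStatus`, `response.messageAction`) are the documented ones.

```python
"""UserMigration Lambda trigger handler. Added example, not the answer's or AWS's code.

The legacy user store below is constructed for the demo; replace legacy_lookup /
legacy_authenticate with calls into the system you are migrating from.
"""
import hashlib
import hmac
import os


class MigrationError(Exception):
    """Raised to make Cognito fail the login; the user sees a generic error."""


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_record(password, attributes):
    """Build a constructed legacy record with a per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "attributes": attributes}


# Constructed legacy directory: username -> record (sample data, not real users).
LEGACY_USERS = {
    "alice@example.com": _make_record(
        "correct horse battery staple",
        {"email": "alice@example.com", "name": "Alice Example"},
    ),
}


def legacy_lookup(username):
    """Stand-in for a lookup in the old directory (assumption: username is the e-mail)."""
    return LEGACY_USERS.get(username)


def legacy_authenticate(username, password):
    """Return the legacy record if the password matches, else None (constant-time compare)."""
    record = legacy_lookup(username)
    if record is None:
        return None
    if not hmac.compare_digest(record["hash"], _pbkdf2(password, record["salt"])):
        return None
    return record


def _migrated_attributes(record):
    # email_verified must be "true" for the migrated user to recover a password by e-mail.
    return dict(record["attributes"], email_verified="true")


def handler(event, context=None):
    source = event["triggerSource"]
    username = event["userName"]
    if source == "UserMigration_Authentication":
        record = legacy_authenticate(username, event["request"]["password"])
        if record is None:
            raise MigrationError("Bad username or password")
        event["response"]["userAttributes"] = _migrated_attributes(record)
        event["response"]["finalUserStatus"] = "CONFIRMED"  # keep the password just used
        event["response"]["messageAction"] = "SUPPRESS"     # no welcome e-mail
        return event
    if source == "UserMigration_ForgotPassword":
        record = legacy_lookup(username)
        if record is None:
            raise MigrationError("Bad username or password")
        # No password is available here; Cognito creates the user and continues the reset.
        event["response"]["userAttributes"] = _migrated_attributes(record)
        event["response"]["messageAction"] = "SUPPRESS"
        return event
    raise MigrationError("Unexpected trigger source: %s" % source)
```

Both branches raise on an unknown user so that the trigger cannot be used to tell existing legacy accounts apart from non-existent ones any more than the login form already does; the error text is the same in both cases for that reason.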

AWS Cognito not prompting MFA on first login

We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:
Admin creates a new user using AdminCreateUser of aws-sdk. Email, name and phone number are given.
A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
User signs in for the first time with the temporary password.
Cognito asks for a new password.
User sets their new password and proceeds to log in.
MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.
However, the MFA challenge works fine starting from the second login. In other words, user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).
Any idea why this is happening and what settings should I look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified as true, but I'd like to know why the MFA challenge fails on first login.
I've been really disappointed in the AWS hosted auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.
The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.
You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.

AWS Authentication

I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in button for username+password login on my view and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn) and where I can put in an endpoint URL?
Do let me know If I need to be clearer.
Edit1: I have already tried using the Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the user in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. Is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use the newly introduced AWS Cognito User Pools or create your own. I would also recommend checking out the project https://github.com/danilop/LambdAuth, which is worth trying.
You can create AWS Cognito user pools and create the roles for authenticated and unauthenticated users and assign some policies to both roles. Once you have created the user pool you will get the necessary code to use in your web or mobile application. Refer to How to set up Cognito user pools.