Via the cognito admin API how do I set a users password? When a user is created I can set a temporary password, I need to be able to do this to an existing user.
The newest version of the cognito api adds an action AdminSetUserPassword which has a request syntax like the following
{
"Password": "string",
"Permanent": boolean,
"Username": "string",
"UserPoolId": "string"
}
and will allow you to set a permanent or temporary password for a given user.
EDIT-2: The newest version of cognito API now supports AdminSetUserPassword.
You can't set a users password, the only thing you can do is use AdminResetUserPassword.
EDIT: You can call ForgotPassword too. But as the name suggests this is supposed to be called by a user, not an admin.
The latest of the Cognito API gives us AdminSetUserPassword which has a body of this kind
{
"Password": "string",
"Permanent": boolean,
"Username": "string",
"UserPoolId": "string"
}
using this you can set a password for a user considering yourself as an admin. You can get the UserPoolId from the Cognito user pools home page.
Headers goes as this :
X-Amz-Target: AWSCognitoIdentityProviderService.AdminSetUserPassword
Content-Type: application/x-amz-json-1.1
If you face any errors, kindly refer to this page for available headers: Making API Requests
Related
I am new to WSO2 Identity Server-5.11.0 , I want to search user based on username using scim api however nothing works for me
https://localhost:9443/wso2/scim/Users?userNameEqadmin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userNameEqadmin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userName=admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userName Eq admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=username=admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=usernameEqadmin#wso2.com
Can anyone suggest proper search criteria to use ?
Seems you have used SCIM 1.0 protocol.
It's better to use SCIM 2.0 because latest versions of IS supports SCIM 2.0
Refer: https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/
So the correct SCIM request for user filtering based on exact username match is:
https://localhost:9443/scim2/Users?filter=userName eq admin#wso2.com
Even if the above request doesn't satisfy your query,
Please verify whether you have followed all the steps in https://is.docs.wso2.com/en/latest/learn/using-email-address-as-the-username/#using-email-address-as-the-username in the same order.
Especially, if you have missed this step you won't be able to filter from username by giving the email.
Login to the management console and configure the Mapped Attribute property of the http://wso2.org/claims/username claim ID that is under Dialect dialectURI http://wso2.org/claims to mail.
You can try this with POSTMAN and I'm getting data
URL
https://{your host here}/t/{tenant domain}/scim2/Users/.search
Authorization
You can give basic Auth for now
body
You can give search variable like this
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:SearchRequest"
],
"attributes": [
"userName"
],
"filter": "userName Eq SigningOfficer",
"domain": "PRIMARY",
"startIndex": 1,
"count": 10
}
It is a POST method.
For more reference you can try this link
https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/#/Groups%20Endpoint/getGroupsByPost
We are trying to implement the "Password" grant type through Express-Gateway in our Microservices. But we could not find any documentation on the Express-Gateway and the global endpoint "/oauth2/token" gives an "unauthorised" error when we try to access it through postman.
Any reference document or suggestions here will be appreciated.
Let me know if any informaton is required.
Amit
Try basic auth with user's login and secret from oauth credentials, and pass json in body:
{
"grant_type": "password",
"username": "<login>",
"password": "<password>"
}
I have been successful in creating a new Account User from following this tutorial: https://forge.autodesk.com/en/docs/bim360/v1/reference/http/users-POST/#example, and have used the PATCH method to set their status to active on Postman.
I would like to set their role and access_level but I am having trouble doing so. I have followed the link below to try and perform this function, but it requires the user to already be a BIM 360 Project Admin for it to work.
https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-user_id-PATCH/
I also tried following the next link below to add a User to a project, but I am getting errors that I am unsure how to fix.
https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-import-POST/
URI: https://developer.api.autodesk.com/hq/v2/accounts/:account_id/projects/:project_id/users/import
Method: PATCH
Authorization: *******************************************
Content-Type: application/json
x-user-id: {{user_id}}
Body:
{
"email": "john.smith#mail.com",
"services": {
"document_management": {
"access_level": "account_admin"
}
},
"company_id": ************************************,
"industry_roles": [
************************************
]
}
(The id for industry_role is IT).
Error:
{
"code": 1004,
"message": "this user doesn't exist."
}
I am unsure how I am getting this error since the User Id used for x-user-id is the same user_id associated with the email given in the request body. Is there a way to fix this or another method I can use?
The x-user-id header is not for specifying the user to import but rather:
x-user-id
string
In a two-legged authentication context, the app has access to all users specified by the administrator in the SaaS integrations UI. By providing this header, the API call will be limited to act on behalf of only the user specified.
Remove this field if that's not what you intended.
Verify the user id and email match each other via /GET users and /GET users:userid.
And be sure to provide either the user's email or the user ID and don't provide them both:
Note that you need to specify either an email, or a user_id. However, you cannot specify both.
See doc here
Setup
I am using AWS Cognito to manage the user registration and user access for my web application. Specifically I am using the Cognito hosted UI. This means that Cognito presents a UI for my users to register, I do not have access to modify the user sign-up or login pages for my application (other than the controls provided by Cognito). I am using email addresses as usernames, so new users are simply asked to provide an email address and password.
Problem
Cognito treats email addresses as case sensitive. If a user signs up with the email address JOHN_smith#randommail.com, they cannot then sign in using john_smith#randommail.com.
I want user email addresses for sign-up and login to be case insensitive.
What I have tried
Usually this would be trivial to deal with by setting the email address to the lowercase in the client before sending it to the server. However I do not have access to the client UI as it is hosted by Cognito.
My plan therefore was to try using a Lambda function invoked by a Cognito pre-signup trigger to lowercase the email supplied by the user.
Pre sign-up
Amazon Cognito invokes this trigger when a user attempts
to register (sign up), allowing you to perform custom validation to
accept or deny the registration request.
Here is the lamdba function I wrote:
'use strict';
console.log('Loading function');
exports.handler = (event, context, callback) => {
console.log('Received event:', JSON.stringify(event, null, 2));
var triggerSource = event.triggerSource;
console.log('Received triggerSource:', triggerSource);
var email = event.request.userAttributes.email;
console.log('Received email:', email);
var modifiedEvent = event;
if (email !== null) {
var lowerEmail = email.toLowerCase();
modifiedEvent.request.userAttributes.email = lowerEmail;
console.log('Set email in request to', lowerEmail);
console.log('Modified event:', JSON.stringify(modifiedEvent, null, 2));
} else {
console.log('Email evaluated as NULL, exiting with no action');
}
// Return result to Cognito
callback(null, modifiedEvent);
};
This 'worked' in the sense that the email address in the event request was modified to be lowercase (john_smith#randommail.com). However, it seems the account has already been created in the userpool by the time my Lambda function receives this event. Changing the email address in the request had no effect - the original email address (JOHN_smith#randommail.com) still appears in my user pool. I suspect the only fields in the event that have any effect are the response fields. Here is what my modified event looks like:
{
"version": "1",
"region": "us-east-1",
"userPoolId": "us-east-1_xxxxxxx",
"userName": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx",
"callerContext": {
"awsSdkVersion": "aws-sdk-java-console",
"clientId": "xxxxxxxxxxxxxxxxxxxxxx"
},
"triggerSource": "PreSignUp_SignUp",
"request": {
"userAttributes": {
"email": "john_smith#randommail.com"
},
"validationData": null
},
"response": {
"autoConfirmUser": false,
"autoVerifyEmail": false,
"autoVerifyPhone": false
}
}
My question
I'm looking for ideas or examples to make my user registration and login case insensitive. This might include changes to my lambda trigger approach or something else entirely.
Please note I know I could implement my own UI, which I will only do as a last resort.
Fixed on new user pools. You can turn off case sensitivity now.
https://aws.amazon.com/about-aws/whats-new/2020/02/amazon-cognito-user-pools-service-now-supports-case-insensitivity-for-user-aliases/
You could trigger a Lambda function after sign-up to change the email to lowercase. Without actually testing it, you should be able to trigger a Lambda post confirmation. That Lambda could use AdminUpdateUserAttributes API, called from your SDK of choice, to change the email to lowercase.
Note that user names are also case sensitive.
Since username is case sensetive: why not just use the username as the email address and have the prehook populate the email field with the username?
Make username lowercase when creating the account. Make username lowercase when logging in. At least this way you only have to re-create users that have uppercase characters. Or you can rebuild your entire user pool and migrate the users, but who knows what affect that will have on passwords and MFA. It doesn't seem worth the trouble with an existing user pool. Hopefully you are doing a brand new project and you can select the case insensitive option when creating the user pool.
After multiple attempts, I have tried adding a small css for username field on login page and forgot password page.
#amplify-id-8,#amplify-id-0{
text-transform: lowercase;
}
#amplify-id-0::placeholder,#amplify-id-8::placeholder{
text-transform: capitalize;
}
This worked for me on the amplify-authenticator , I used as a login component.
another possibility is if you can create a user signup api, which would create the user in the cognito. after trimming email along with performing lower case on email. you can perform your custom steps before that.
you are right that pre-signup trigger basically get invoked after signup is performed.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html#aws-lambda-triggers-pre-registration-tutorials
So I want to get users email address with my server-side code.(I can get it on client side) My apps scope is set to:
"scopes":["public_profile","email"]}
What I'm able to-do at the moment is verify that the users token is valid. But I'd like to request the email as well - just to make sure on server side, that i can log the person in to my website.
I use this address to verify the token belongs to my app:
https://graph.facebook.com/debug_token?input_token=%REPLACE%&access_token=%REPLACE%
How should my request look like if I'd like to next ask for users email on server side?
Appears another option (once/if you know the token belongs to your app) is:
https://graph.facebook.com/me&access_token=USER_ACCESS_TOKEN
by default it only returns id, if you want more, ex email:
https://graph.facebook.com/me?fields=email&access_token=USER_ACCESS_TOKEN
which returns both id and email.
One solution is:
https://graph.facebook.com/v2.1/<user_id>?access_token=<your_app_access_token>
will return:
{
"id": "<id>",
"email": "mihkel\u0040gmail.ee",
"first_name": "Mihkel",
"gender": "male",
"last_name": "Lastname",
"link": "https://www.facebook.com/app_scoped_user_id/<id>/",
"locale": "en_US",
"name": "Mihkel Lastname"
}
if you need only email you can set fields=email parameter :)
You need USER ACCESS TOKEN to get user mail Id,
you can the access token from the response of API call
response.authResponse.accessToken;