While creating user in userpool, user invitation messages are sent with a temporary password but email verification messages is not being sent.
I was creating a very simple setup to try out aws cognito service.
Here is what I did in AWS cognito, I created a user pool with step by step as follows:
1)What do you want to name your user pool?
-> testpool
2)How do you want to create your user pool?
-> step through settings
3)How do you want your end users to sign in?
->Email address or phone number-Allow email addresses
4)What password strength do you want to require?
->Minimum length=6
5)Do you want to allow users to sign themselves up?
->Allow users to sign themselves up
6)How quickly should user accounts created by administrators expire if not used?
->Days to expire-7
7)Do you want to enable Multi-Factor Authentication (MFA)?
->off
8)Do you want to require verification of emails or phone numbers?
->Email
9)You must provide a role to allow Amazon Cognito to send SMS messages
->testpool-SMS-Role
10)Do you want to customize your email verification messages?
->Verification type-link
->Email subject = Your verification link
->Email message = Please click the link below to verify your email address. {##Verify Email##}
11)Do you want to customize your user invitation messages?
->SMS message = Your username is {username} and temporary password is ->{####}.
->Email subject = Your temporary password
->Email message = Your username is {username} and temporary password is {####}.
12)Do you want to customize your email address?
->no
13)Do you want to add tags for this user pool?
->no
14)Do you want to remember your user's devices?
->no
15)Which app clients will have access to this user pool?
->none(will simulate from create user option in genral setting-user and group)
16)Do you want to customize workflows with triggers?
->no
17)Review page - this page shows summary of whatever I selected
Create pool
Now after pool creation went ot genral setting-user and group and clicked create user
A Create user pop-up shows:
Username (Required): myEmailAddress
Send an invitation to this new user?: check
Temporary password: left blank
Phone Number: empty(not required)
Mark phone number as verified? unCheck
Email: myEmailAddress
Mark email as verified? unCheck
Click on Create User
A mail is received into my account form no-reply#verificationemail.com via amazonses.com,with subject: Your temporary password with message as: Your username is somemailid#gmail.com and temporary password is agsjyk.
This is okay.
But I didnot receive any verification mail link before previous mail.
Not sure if you're missing this particular setup....Domain name is require for link verification.
Under "Tab integration" then "Domain name"
A mail is received into my account form no-reply#verificationemail.com via
amazonses.com,
with subject: Your temporary password
with message as: Your username is somemailid#gmail.com and temporary password is > agsjyk.
Looking at this it seems you are creating the user via the Cognito API by the AdminCreateUser method, and that's why you are receiving a temporary password.
The confirmation email you are expecting will only be sent if the user registers itself, so you should use the SignUp method.
verification mail link is for when users sign themselves up, they will receive a link to ask them to verify the email address instead of a code. In your case, you are send a temporary password to the user, so the link wont show up.
You need to add a domain in this section of the Incognito Service:
Also, if you are not getting the email, click on the user, and check their email, it could be wrong.
If anyone else is facing this issue, it appears that you cannot send verification emails if you use SAML or a federated identity provider. Cognito sets the cognito user to EXTERNAL_PROVIDER and no Cognito API calls allow sending a verifcation code or link. The cognito user is automatically created on initial sign-in. I have my user pool set to validate email address but it is always set to false.
The only way that I know to confirm the user via SSO is to use an external verification process outside of cognito.
With Cognito, if you have added both email and phone number then you should allow both as verification methods(In the SignUp experience Tab) as below:
Otherwise the email verification link or code is not sent
Related
A Cognito User Pool is configured for the users to use their "email address" to sign up and sign in.
If a user signs up with the email of someone else then that email will get stuck in UNCONFIRMED state and the owner will not be able to use it appropriately.
Having said that let me provide an example with the following scenario:
User signs in with an email address the user doesn't own, let's say it someone#mail.com. In this step (registration form) some more data is sent like organization name, and user full name.
Verification code is sent to the email
Now the user that owns someone#email.com wants to create an account (maybe some days in the future), so he goes and fills the registration form but an error is thrown by cognito {"__type":"UsernameExistsException","message":"An account with the given email already exists."}
I'm using Auth.signUp() in my react native app using AWS Cognito/AWS Amplify. I would ideally like a way to check that the username that has been entered (and corresponding email address ideally), are unique and that no one else in the Cognito pool already has those.
If successful, continue sign up, else choose another username.
Currently i do this:
await Auth.signUp({
username,
password,
attributes: { email, phone_number }
})
How can i achieve this?
Amazon Cognito takes care of this unique login name verification.
At the time of creation of the user pool, choose the attributes you require for user registration. It can be email or preferred_username for example.
If an attribute is required and a user doesn't provide the required attribute, the user cannot register.
If the user provide a required attribute value that is already used by other user,
Cognito will reject it, and return an error:
UsernameExistsException: User account already exists
You can learn more in Amazon Cognito Developer Guide.
I believe Shay AshKenazi is incorrect. I have set email as a required attribute and Cognito does not stop me from signing up users up with the same email. This is confusing because Cognito calls a "Username" the attribute you choose (when creating the user pool) to allow users to sign in with. This attribute can either be a username or email, whichever one you choose and a user attempts to sign up with that username or email then you will get that error
"UsernameExistsException: User account already exists".
However, I have not been able to get Cogntio to enforce uniqueness for both username and email attributes. If you choose username to be the "Username" then Cognito will only check usernames for uniqueness. Same applies if you choose emails as the "Username".
But I have found a solution to ensuring emails are unique when signing up users - https://dev.to/andthensumm/enforcing-attribute-uniqueness-in-cognito-with-aws-amplify-and-react-263f.
Strangely, if you create a user pool and allow users to login with usernames and verfied emails and then signup two users with the same email but different usernames, Cogntio will allow you to create both users despite having the same email. But note a verified email can only be attached to one user. So if you were to verify the first user's email, then verify the second's email (which is the same as the first user) the first user's email will become unverified, and the second user's email would be verified.
I want to make a simple flow for registration app.
User sign up with only email -> The verification/registration link is sent to the email -> People register (putting in their password) on that link
I've googled anything but haven't found any way to make it with AWS Cognito.
Looks like Cognito is forcing users to sign up with at least email AND password to get the confirmation link
You can sign up users with adminCreateUser API call. They will receive an email with temporary passwords. This approach is configurable.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Use: AdminCreateUser
Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password(will be your user's password) or allow Amazon Cognito to automatically generate one.
Specify whether provided email addresses and phone numbers are marked as verified for new users.
Specify custom SMS and email invitation messages for new users via the AWS Management Console.
Specify whether invitation messages are sent via SMS, email, or both.
After successful user creation,
1. authenticate user using same user credentials
Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
2. After success of initateAuth, amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.
3. Use RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER
4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
5. The user is prompted and enters a new password and any missing values for required attributes.
6. Call RespondToAuthChallenge(Username, <New password>, <User attributes>).
7. After successful password change user can be able to login using same credentials added by you.
Short answer
- In that case, you can specify the temporary password(will allow Amazon Cognito to automatically generate one.).
- all user users will be forced to change their password only at first login.
We have implemented the Custom Auth Triggers as described here. We have the user pool set up to let users login with either phone number or email.
The problem I am having is determining what medium (email or phonenumber) the user signed in as. I am using CognitoIdentityServiceProvider#signUp to reg / login a user.
When observing the event passed into the define / create / verify auth triggers, it seems like doesn't pass through what the username was used to initiate the authentication flow.. only the user attributes which in my case there could be both email or phone. I need to know which one it is so I know if i need to send the code through SMS or Email.
I have tried to add a custom UserAttribute with a prefix of custom: so I could do something like custom:preferredAuthMedium but that doesn't seem to populate the UserAttributes map on the user even though the docs say it should.
Is there a standard way to do this with the custom authentation flow?
This is a workaround by adding a custom attribute during passwordless login
Actually, the authenticationUser function needs to identify whether the user is adding email or phone during login
Step 1: during login process, before calling initiateAuthCommand, First set a custom attribute in Cognito user object - logged_in_by - email or phone
Step 2: once you add a key after that InitiateAuthCommand will be started and call the triggers
Step 3: When createAuthChallenge runs at the time we will have userAttributes.logged_in_by
If this attribute contains email this indicates that the user is trying to login with the email and we need to send OTP over email.
If this attribute contains a phone this indicates that the user is trying to log in with the phone and we need to send OTP over the phone number.
Different medium requires their own confirmation.
The following attributes says which medium the user signed up or verified for,
phone_number_verified is phone number.
email_verified is for email.
Hope it helps.
I have a Lambda function which creates users using adminCreateUser Cognito function. My app is basically an invite only app where the admin can only invite certain users. Everything is working great so far, and I am able to resend invitation email notifications as well. However, I am trying to figure out how I can find out if a user created by adminCreateUser method has "expired" i.e. the user has not accepted the invite and changed the temporary password.
When the admin creates a user using adminCreateUser the status is FORCE_CHANGE_PASSWORD by default. When the user with this status attempts to Log in using the temporary password (from the verification email), Cognito sends a challenge back in the challengeName attribute of NEW_PASSWORD_REQUIRED, based on which the user is forced to change their password through the application and upon successful reset the status would change to CONFIRMED in Cognito for that user. This is working great so far, but I also need to handle scenario where the invited user never really changed their password by attempting to log into the application.
Now, I have set the - "How quickly should user accounts created by administrators expire if not used?" - to 7 days (default). What would be the status of the user account after 7 days if the user doesn't reset their password? I tried to find out from the documentation but it's not clear what the status of the user account would be in this situation.
NOTE: This is not about Token expiration in the client but rather expiration of an account created via the adminCreateUser method.
Annjawn,
According below link: "After the account expires, the user cannot log in to the account until the administrator updates the user's profile by updating an attribute or by resending the password to the user"
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-admin-create-user-policy.html
All tthe best,
Guto