Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Cognito User Pool not creating user in new pool after Migration Trigger runs succesfully

0

My migration trigger is written in python. The method checks and authenticates against an old user pool, then fills in the userAttributes with all required attributes and finalUserStatus + messageAction with their proper values, and finally returns the entire event object. Here's an example response from the trigger:

{
    "version": "1",
    "triggerSource": "UserMigration_Authentication",
    "region": "us-east-2",
    "userPoolId": "***",
    "userName": "migrated2-integ@x.com",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "***"
    },
    "request": {
        "password": "TestUserTemp1",
        "validationData": null,
        "userAttributes": null
    },
    "response": {
        "userAttributes": {
            "email": "migrated2-integ@x.com",
            "email_verified": "true",
        },
        "forceAliasCreation": null,
        "enableSMSMFA": null,
        "finalUserStatus": "CONFIRMED",
        "messageAction": "SUPPRESS",
        "desiredDeliveryMediums": null
    }
}

The user is never created in the new user pool after the trigger successfully runs. I have other lambda triggers for post auth, pre-sign in, and post-confirmation and all work as expected. Due to the lack of transparency w.r.t. Cognito logs, I have no idea where the failure is coming from. The error the client receives is the following: AdminInitiateAuth operation: Incorrect username or password.

Please let me know what I'm missing. It'd be great to get access to Cognito logs.

Themen
Sicherheit, Identität & Konformität
Tags
Amazon Cognito
Sprache
English
rePost-User-6603535
gefragt vor einem Jahr499 Aufrufe
1 Antwort
0

Hello!

This error may occur due to following reasons stated below :

(a) Check if username and password are correct : ————————————————————————————

Keep a track whether the AuthParameters in the code is configured correctly with correct username and password. [1]

AuthParameters={
         'USERNAME': event['userName'],
         'PASSWORD': event['request']['password']
       }

Also in password only use the following special characters [2] :

^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + -

The space character is also treated as a special character.

(b) Is the customer authenticating against the old user pool and old client ID ? ————————————————————————————————————

Confirm if the code present inside the lambda trigger is authenticating the user against the old userpoolID and ClientID (where the user belongs).

UserPoolId='<user pool id of the user pool where the user already exists>',
ClientId='<app client id of the user pool where the user already exists>',

Please review the logic of your code, so as to achieve the expected results with the code mentioned under section ”Create a Lambda function” of documentation [1] and check if there are any errors.

You can check Lambda execution log for troubleshooting the Lambda code by using following steps [3] :

(i) Open the Functions page of the Lambda console.

(ii) Choose a function.

(iii) Choose Monitor.

(iv) Choose View logs in CloudWatch.

References:
———————

[1] https://aws.amazon.com/premiumsupport/knowledge-center/cognito-change-user-pool-attributes/

[2] Password Policy- https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html

[3] Accessing Amazon CloudWatch logs for AWS Lambda https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html

AWS
Sakshi M
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt