Saltar al contenido
Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post
Acerca de re:Post

Cognito sending verification to wrong email even after email is verified

0

I am using Cognito admin_create_user api to create a new user. I set the email to verified on creation as follows:

 response = self._client.admin_create_user(
            UserPoolId=self._user_pool_id,
            Username=user.email,
            UserAttributes=[
                {
                    'Name': 'email',
                    'Value': user.email
                },
                {
                    'Name': 'custom:company_id',
                    'Value': user.company_id
                },
                {
                    'Name': 'email_verified',
                    'Value': 'true'
                }
            ],
            TemporaryPassword=self._get_random_password(16),
            MessageAction='SUPPRESS'
        )

Immediately after this, I call Cognito's forget_password endpoint to initiate the forget password workflow and send the new user a code to update their password:

response = self._client.forgot_password(
            ClientId=self._client_id,
            Username=user_id
        )

This triggers Cognito to send a verification email to the registered email address. It does send an email but to a random email address, though, and not the user's email address, which is obviously not very useful.

I assumed this was because the email was not properly verified or it had not yet propagated, so I plugged an admin_get_user call between creating the user and forgetting password calls, and it came back as email_verified: true. This is confirmed in AWS Console.

Am I using an incorrect authentication flow? Users cannot sign up themselves; they are signed up by their admins. They should only receive a notification that they have been signed up and now need to change their passwords.

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Amazon Cognito
Idioma
English
preguntada hace 2 años524 visualizaciones
1 Respuesta
0

The issue is discussed here: https://repost.aws/knowledge-center/cognito-forgot-password

Specifically:

Users created by administrators are in a FORCE_CHANGE_PASSWORD status by default until they sign in with the password provided. Then, users are prompted to change the password. If the user status is FORCE_CHANGE_PASSWORD, then the ForgotPassword API call can't be used and the verification code isn't sent.

An alternative approach is not to set MessageAction='SUPPRESS', which will make Cognito send an email to the user's registered email with the temporary password. Once they sign up using this, all should work.

respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Contenido relevante