
Cognito sending verification to wrong email even after email is verified

0

I am using Cognito admin_create_user api to create a new user. I set the email to verified on creation as follows:

    # Admin-side user creation; email is marked verified up front and the
    # welcome message is suppressed so Cognito sends nothing at this point
    response = self._client.admin_create_user(
        UserPoolId=self._user_pool_id,
        Username=user.email,
        UserAttributes=[
            {
                'Name': 'email',
                'Value': user.email
            },
            {
                'Name': 'custom:company_id',
                'Value': user.company_id
            },
            {
                'Name': 'email_verified',
                'Value': 'true'
            }
        ],
        TemporaryPassword=self._get_random_password(16),
        MessageAction='SUPPRESS'
    )

Immediately after this, I call Cognito's forgot_password endpoint to initiate the forgot-password workflow and send the new user a code to update their password:

    # Start the forgot-password flow so the user receives a reset code
    response = self._client.forgot_password(
        ClientId=self._client_id,
        Username=user_id
    )

This triggers Cognito to send a verification email to the registered email address. It does send an email but to a random email address, though, and not the user's email address, which is obviously not very useful.

I assumed this was because the email was not properly verified or it had not yet propagated, so I plugged an admin_get_user call between the admin_create_user and forgot_password calls, and it came back as email_verified: true. This is confirmed in the AWS Console.

Am I using an incorrect authentication flow? Users cannot sign up themselves; they are signed up by their admins. They should only receive a notification that they have been signed up and now need to change their passwords.

Asked 2 years ago, 549 views
1 answer
0

The issue is discussed here: https://repost.aws/knowledge-center/cognito-forgot-password

Specifically:

Users created by administrators are in a FORCE_CHANGE_PASSWORD status by default until they sign in with the password provided. Then, users are prompted to change the password. If the user status is FORCE_CHANGE_PASSWORD, then the ForgotPassword API call can't be used and the verification code isn't sent.

An alternative approach is not to set MessageAction='SUPPRESS', which will make Cognito send an email to the user's registered email with the temporary password. Once they sign up using this, all should work.

Answered 2 years ago
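An added example (not code from the question or the answer) that puts the answer into practice: the user is created without MessageAction='SUPPRESS' so Cognito delivers the temporary password itself, and the ForgotPassword call is guarded by the admin_get_user status check, since Cognito refuses it while the user is still FORCE_CHANGE_PASSWORD. The Cognito client is injected so it runs offline against a constructed stand-in; in production pass boto3.client('cognito-idp'). The pool id, client id and addresses in the test are placeholders.

```python
import secrets
import string

FORCE_CHANGE_PASSWORD = "FORCE_CHANGE_PASSWORD"
SYMBOLS = "!@#$%^&*"

def random_temporary_password(length=16):
    """Meets Cognito's default policy: lower, upper, digit and symbol all present."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def create_admin_user(client, user_pool_id, email, company_id):
    """No MessageAction='SUPPRESS': Cognito itself emails the temporary password.
    The user stays FORCE_CHANGE_PASSWORD until they sign in and change it."""
    return client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=email,
        UserAttributes=[
            {"Name": "email", "Value": email},
            {"Name": "email_verified", "Value": "true"},
            {"Name": "custom:company_id", "Value": company_id},
        ],
        TemporaryPassword=random_temporary_password(),
        DesiredDeliveryMediums=["EMAIL"],
    )

def start_forgot_password(client, user_pool_id, client_id, username):
    """ForgotPassword is refused for FORCE_CHANGE_PASSWORD users, so check first."""
    status = client.admin_get_user(UserPoolId=user_pool_id, Username=username)["UserStatus"]
    if status == FORCE_CHANGE_PASSWORD:
        return False  # caller should tell the user to sign in with the temporary password
    client.forgot_password(ClientId=client_id, Username=username)
    return True

class FakeCognitoClient:
    """Constructed stand-in for boto3.client('cognito-idp') so this runs offline."""
    def __init__(self):
        self.users, self.forgot_calls = {}, []
    def admin_create_user(self, **kw):
        self.users[kw["Username"]] = FORCE_CHANGE_PASSWORD  # admin-created users start here
        return {"User": {"Username": kw["Username"], "UserStatus": FORCE_CHANGE_PASSWORD}}
    def admin_get_user(self, **kw):
        return {"Username": kw["Username"], "UserStatus": self.users[kw["Username"]]}
    def forgot_password(self, **kw):
        self.forgot_calls.append(kw["Username"])
```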
