AWS Amplify Auth.verifyCurrentUserAttributeSubmit returns InternalErrorException

We have a Cognito user pool that supports login with email and phone number. Using Auth.verifyCurrentUserAttributeSubmit we are able to successfully verify code received on email for email change of logged in user. However the same method returns InternalErrorException from Cognito when verifying phone_number attribute using the code received on sms.

From browser console, here is the curl equivalent snippet for the call made from Amplify in ReactJS app. The same API works fine if AttributeName being verified is email.

curl 'https://cognito-idp.ap-southeast-1.amazonaws.com/' \
  -H 'authority: cognito-idp.ap-southeast-1.amazonaws.com' \
  -H 'cache-control: max-age=0' \
  -H 'content-type: application/x-amz-json-1.1' \
  -H 'x-amz-target: AWSCognitoIdentityProviderService.VerifyUserAttribute' \
  -H 'x-amz-user-agent: aws-amplify/5.0.4 js' \
  --data-raw '{"AttributeName":"phone_number","Code":"12345","AccessToken":"xxxtokenxxxx"}' \
  --compressed

  Response:
  {"__type":"InternalErrorException","message":"Internal server error."}`
Response Headers: (Relevent)
date: Fri, 16 Dec 2022 14:11:38 GMT
x-amzn-errormessage: Internal server error.
x-amzn-errortype: InternalErrorException:
x-amzn-requestid: e0a3cde9-b16f-4c2c-bb1d-4567421b48f5

Update: I see a pattern here. User pool supports signin with email or phone number. Accordingly one of these attributes is set for the user in addition to username field. When it comes to update, we use AdminUpdateUserAttributesCommand from AWS SDK to update user attributes. For example: user signups with email. In this case, phone number attribute will not be set by our app. However, at a later point, user also want to add phone number to his account, we call AdminUpdateUserAttributesCommand to set a value for phone_number attribute. This method works fine and sends OTP appropriately. But verifying phone_number attribute using the OTP received results in InternalErrorException from Cognito. It might be that Cognito is not checking if the attribute exists prior to verifying it. I could repeat the same process when I signup with phone number and update email attribute at a later time.

Topics

Front-End Web & Mobile Security, Identity, & Compliance

Relevant content

AWS Amplify AppSync Cognito User Pool
AWS-User-6220823
asked 2 years ago
"Network Failure" when using "Login with User Pools"
vossberg
asked 6 years ago
Adding email address to account with phone number login attribute
sbeyers
asked 3 months ago
Federated Login for custom UI for Cognito user pool
rePost-User-3564424
asked a year ago
Does AWS Support have a phone number?
AWS OFFICIALUpdated 2 years ago
How do I integrate IAM Identity Center with an Amazon Cognito user pool?
AWS OFFICIALUpdated a year ago
How do I increase security in Amazon Cognito by using MFA settings for users and user pools?
AWS OFFICIALUpdated a year ago
How do I integrate a multi-Region and multi-account Amazon Cognito user pool with an Amazon Cognito identity pool?
AWS OFFICIALUpdated a year ago
AWS Account Activation - Locating AWS Account ID and Troubleshooting Phone Verification Issues
EXPERT
dnyanesh-db
published 5 months ago
AWS Cognito Finally Supports Custom Claims for Access Tokens
EXPERT
Antonio_Lagrotteria
published 2 months ago