Cognito sending verification to wrong email even after email is verified

0

I am using the Cognito admin_create_user API to create a new user. I set the email to verified on creation as follows:

    # Admin-side user creation with boto3's cognito-idp client; the email is the username
    # and is marked verified up front so Cognito can deliver messages to it.
    response = self._client.admin_create_user(
        UserPoolId=self._user_pool_id,
        Username=user.email,
        UserAttributes=[
            {
                'Name': 'email',
                'Value': user.email
            },
            {
                'Name': 'custom:company_id',
                'Value': user.company_id
            },
            {
                'Name': 'email_verified',
                'Value': 'true'
            }
        ],
        TemporaryPassword=self._get_random_password(16),
        MessageAction='SUPPRESS'  # suppress the welcome email that carries the temporary password
    )

Immediately after this, I call Cognito's forgot_password endpoint to initiate the forgot-password workflow and send the new user a code to update their password:

    # Username must be the same identifier the user was created with (the email above).
    response = self._client.forgot_password(
        ClientId=self._client_id,
        Username=user_id
    )

This triggers Cognito to send a verification email to the registered email address. It does send an email but to a random email address, though, and not the user's email address, which is obviously not very useful.

I assumed this was because the email was not properly verified or it had not yet propagated, so I plugged an admin_get_user call in between the create-user and forgot-password calls, and it came back as email_verified: true. This is confirmed in the AWS Console.

Am I using an incorrect authentication flow? Users cannot sign up themselves; they are signed up by their admins. They should only receive a notification that they have been signed up and now need to change their passwords.

Paul
asked 3 months ago, 216 views
1 Answer
0

The issue is discussed here: https://repost.aws/knowledge-center/cognito-forgot-password

Specifically:

Users created by administrators are in a FORCE_CHANGE_PASSWORD status by default until they sign in with the password provided. Then, users are prompted to change the password. If the user status is FORCE_CHANGE_PASSWORD, then the ForgotPassword API call can't be used and the verification code isn't sent.

An alternative approach is not to set MessageAction='SUPPRESS', which will make Cognito send an email to the user's registered email with the temporary password. Once they sign up using this, all should work.

Paul
answered 3 months ago
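An added example (not from the question or the answer above) of the admin-created-user flow the answer describes: create the user without MessageAction='SUPPRESS' so Cognito emails the temporary password, let the user complete the NEW_PASSWORD_REQUIRED challenge at first sign-in, and only rely on forgot_password once the user is CONFIRMED. It uses a constructed stand-in for the boto3 cognito-idp client so it runs offline; the pool id, client id and passwords are placeholders, and it assumes an app client without a secret and with USER_PASSWORD_AUTH enabled.

```python
from typing import Any

# Constructed stand-in for boto3.client("cognito-idp") so the flow runs offline; pass the
# real client in production (assumption: app client has no secret, so no SECRET_HASH needed).
class FakeCognito:
    status = None
    def admin_create_user(self, **kw: Any) -> dict:
        self.status = "FORCE_CHANGE_PASSWORD"  # status Cognito gives every admin-created user
        return {"User": {"Username": kw["Username"], "UserStatus": self.status}}
    def admin_get_user(self, **kw: Any) -> dict:
        return {"UserStatus": self.status,
                "UserAttributes": [{"Name": "email_verified", "Value": "true"}]}
    def initiate_auth(self, **kw: Any) -> dict:
        return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "constructed-session"}
    def respond_to_auth_challenge(self, **kw: Any) -> dict:
        self.status = "CONFIRMED"
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}

def can_use_forgot_password(user: dict) -> bool:
    """ForgotPassword only delivers a code to a CONFIRMED user with a verified email."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    return user.get("UserStatus") == "CONFIRMED" and attrs.get("email_verified") == "true"

def create_user(client: Any, pool_id: str, email: str, company_id: str) -> dict:
    # No MessageAction='SUPPRESS': Cognito emails the temporary password to the verified address.
    client.admin_create_user(
        UserPoolId=pool_id, Username=email, DesiredDeliveryMediums=["EMAIL"],
        UserAttributes=[{"Name": "email", "Value": email},
                        {"Name": "email_verified", "Value": "true"},
                        {"Name": "custom:company_id", "Value": company_id}])
    return client.admin_get_user(UserPoolId=pool_id, Username=email)

def complete_first_sign_in(client: Any, client_id: str, email: str,
                           temp_password: str, new_password: str) -> dict:
    # First sign-in with the temporary password returns NEW_PASSWORD_REQUIRED; answering that
    # challenge is what moves the user from FORCE_CHANGE_PASSWORD to CONFIRMED.
    resp = client.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                                AuthParameters={"USERNAME": email, "PASSWORD": temp_password})
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError(f"unexpected challenge: {resp.get('ChallengeName')}")
    return client.respond_to_auth_challenge(
        ClientId=client_id, ChallengeName="NEW_PASSWORD_REQUIRED", Session=resp["Session"],
        ChallengeResponses={"USERNAME": email, "NEW_PASSWORD": new_password})

if __name__ == "__main__":
    c, email = FakeCognito(), "user@example.com"
    print("usable after create:", can_use_forgot_password(create_user(c, "POOL_ID", email, "acme")))
    complete_first_sign_in(c, "CLIENT_ID", email, "Temp#Pass1", "New#Pass1")
    print("usable after first sign-in:", can_use_forgot_password(c.admin_get_user(UserPoolId="POOL_ID", Username=email)))
```

Running it with a real client, the first check is False straight after admin_create_user (the user is still FORCE_CHANGE_PASSWORD) and True only after the challenge is answered, which is the gap the forgot_password call in the question falls into.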
