Cognito User Migration Lambda not working ( NotAuthorizedException )

0

I have a Cognito user pool with an app client configured. Logging in with users that I've manually created works fine.

Now I want to seamlessly migrate users from the existing system to Cognito, so I'm trying to use a Lambda function that validates the username/password against the existing database.

In my logging I see that the function is being called when I try to log in, and it returns a valid result. But Cognito still returns

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Incorrect username or password.

The response I see from my Lambda is

{
    "triggerSource": "UserMigration_Authentication",
    "userName": "my@email.ext",
    "request": {
        "password": "SomeSecurePasswordEnteredOnLogin"
    },
    "response": {
        "userAttributes": {
            "email": "my@email.ext",
            "email_verified": true
        },
        "finalUserStatus": "CONFIRMED",
        "messageAction": "SUPPRESS",
        "desiredDeliveryMediums": [
            "EMAIL"
        ],
        "forceAliasCreation": false,
        "enableSMSMFA": false
    }
}

I've also tried returning a username field in "userAttributes" with the email value, but I'm not getting anything working. I also tried returning only the "response" part of the JSON.

I've read https://repost.aws/knowledge-center/cognito-migration-lambda-trigger-errors but none of the errors there match the incorrect username or password I'm getting.

To try and login I use

aws cognito-idp initiate-auth --client-id <your-client-id> --auth-flow USER_PASSWORD_AUTH --auth-parameters "USERNAME=<username>,PASSWORD=<password>"

For an existing user this works fine. For a new user I see the call to my Lambda, which returns a result that I think is OK, but I still get the incorrect username or password error. Any idea what I'm doing wrong?

  • Could you provide a screenshot of the Lambda code?

WoyNL
asked a year ago, 399 views
3 Answers
1

@Keith_AWS, thanks for the suggestion, but that was not the issue. I've already solved it. The issue was that I didn't return all fields of the original event. (I received a deserialized version of the event that was missing some properties I didn't need, but that also prevented them from being serialized in the response.)

Adding "version", "userPoolId" and "region" to the response fixed the issue.

It would be great though that somehow it would be possible to see why Cognito didn't accept the response. At the moment it is just pure trial and error.

WoyNL
answered a year ago
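The fix described in the accepted answer, as an added worked example that is not code from the original question or from AWS: a Python user-migration handler that validates credentials against a constructed in-memory stand-in for the legacy database (salted PBKDF2, a static salt and the user record are all assumptions made so the example runs offline), fills in `response`, and then returns the very same event object it received. Because the object is mutated in place, `version`, `userPoolId`, `region` and `callerContext` come back untouched, which is exactly what Cognito requires. A failed check raises, which is what makes Cognito answer `NotAuthorizedException` instead of creating the user. The `make_event` helper only builds a sample trigger event for local testing; the trigger-source names and the `response` field names are the ones Cognito documents for the user-migration trigger.

```python
import hashlib
import hmac

# --- Constructed legacy user store (assumption; stands in for the real database) ---
_SALT = b"constructed-static-salt"  # real systems store a per-user random salt


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


LEGACY_USERS = {
    "my@email.ext": {
        "salt": _SALT,
        "hash": _pbkdf2("SomeSecurePasswordEnteredOnLogin", _SALT),
        "email": "my@email.ext",
        "email_verified": True,
    },
}


def legacy_lookup(username: str):
    return LEGACY_USERS.get(username.strip().lower())


def legacy_verify(username: str, password: str):
    """Return the legacy record on success, None on any failure."""
    user = legacy_lookup(username)
    if user is None:
        _pbkdf2(password, _SALT)  # burn a hash so a missing user costs the same time as a bad password
        return None
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return None
    return user


def _attributes(user) -> dict:
    # Cognito's examples pass attribute values as strings, including booleans.
    return {"email": user["email"], "email_verified": "true" if user["email_verified"] else "false"}


def handler(event: dict, context=None) -> dict:
    """Cognito user-migration trigger. Mutates and returns the original event."""
    source = event.get("triggerSource")
    username = event["userName"]
    response = event.setdefault("response", {})

    if source == "UserMigration_Authentication":
        # Never log event["request"]["password"]; it is the user's cleartext secret.
        user = legacy_verify(username, event["request"]["password"])
        if user is None:
            raise Exception("Bad credentials")  # Cognito returns NotAuthorizedException
        response["userAttributes"] = _attributes(user)
        response["finalUserStatus"] = "CONFIRMED"  # no forced password change on first login
        response["messageAction"] = "SUPPRESS"     # no welcome e-mail
    elif source == "UserMigration_ForgotPassword":
        # No password is supplied here; Cognito runs its own reset flow afterwards.
        user = legacy_lookup(username)
        if user is None:
            raise Exception("Unknown user")
        response["userAttributes"] = _attributes(user)
        response["messageAction"] = "SUPPRESS"
    else:
        raise Exception(f"Unsupported trigger source: {source}")

    # Returning the same object keeps version/userPoolId/region/callerContext intact.
    return event


def make_event(trigger_source: str, username: str, password: str = None) -> dict:
    """Build a constructed sample trigger event for local testing (assumption: sample values)."""
    event = {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "eu-west-1",
        "userPoolId": "eu-west-1_EXAMPLE",
        "userName": username,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "exampleclientid"},
        "request": {},
        "response": {},
    }
    if password is not None:
        event["request"]["password"] = password
    return event


if __name__ == "__main__":
    out = handler(make_event("UserMigration_Authentication", "my@email.ext", "SomeSecurePasswordEnteredOnLogin"))
    print({k: out[k] for k in ("version", "userPoolId", "region")}, out["response"])
```

The one-line lesson is the last statement of `handler`: build the reply by adding to the incoming event rather than constructing a fresh dictionary from the fields you happen to need. If a deserialisation layer in your runtime drops unknown properties, as the answer above describes, the round trip silently loses `version`, `userPoolId` and `region`, and Cognito rejects the reply with the same "Incorrect username or password" it would use for a bad password.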
0

Is it possible that you are getting an error based on users not existing at the time of your invocation? I see some similar details in this post https://repost.aws/knowledge-center/cognito-prevent-user-existence-errors that might help you with your migration.

AWS
answered a year ago
0

Glad it was resolved and I appreciate you sharing the answer back here.

AWS
answered a year ago