getTemporaryPassword from Cognito for a specific user


Hi team,

I have a validation flow for a Cognito user that happens in two steps:

  • Step 1

    1 - add a new user to the Cognito user pool using the adminCreateUser API call

    2 - add the related user info to a DynamoDB table

    3 - send an invitation link to the user (valid for 2 days) => when the user clicks the link, he will be asked to provide only a new password

While creating the user with adminCreateUser, I assign him a TemporaryPassword (generated by my code, or I let Cognito generate it).

  • Step 2

    1 - When the user clicks the invitation link, he gives his new password and confirms

    2 - on the backend I call adminInitiateAuth to get the NEW_PASSWORD_REQUIRED challenge

    3 - then call respondToAuthChallenge and provide the NEW_PASSWORD that the user entered

    4 - the user is confirmed in Cognito

Let's say the user clicks on the invitation link 1.5 days after receiving it, provides his new password and confirms.

Then I call adminInitiateAuth (point 2 of Step 2) ==> for this, I need to provide the TemporaryPassword that I set in Step 1 during the adminCreateUser call.

As Step 2 is separate from Step 1 and there can be a few days between them, is there an API method that allows me to get the TemporaryPassword from Cognito, so that in Step 2 I can call adminInitiateAuth and continue with the NEW_PASSWORD_REQUIRED challenge?

If I store the password temporarily in the Redis cache, the key can expire and I will lose the password (since, if the first link has expired, I can resend the invitation link again and again, always for the same user created in Step 1 with the adminCreateUser API call, but I still need the TemporaryPassword for that user).

How can I get the TemporaryPassword from Cognito for a specific user so that I can finalize Step 2 and confirm the user (by doing adminInitiateAuth + respondToAuthChallenge)?

Is it bad practice if I hard-code the TemporaryPassword during user creation with adminCreateUser, so that I will always know it for adminInitiateAuth, and then update the user's password with respondToAuthChallenge?

If I use Redis, should the password be stored in encrypted form?

Can I store the password as-is in the DynamoDB user table along with the user's info, without further encryption (as the DDB user table itself is already encrypted with KMS)?

I appreciate your help!

1 Answer

Hello,

As per the design of the Cognito service, when you create a user using the AdminCreateUser API, the admin needs to send the password to the user via email/phone number, and the user should provide the temporary password during first sign-in.

There is no API in Cognito to fetch again the temporary password that was set when creating the user profile.

However, if you do not want your users to provide the temporary password, then you need to store the temporary passwords securely. You should never hard-code the same password for all users, because if anyone gets the password by any chance, then he can use the same password to log in to any newly created user profile. You need to generate a random temporary password and store it until the user signs in for the first time.

When the user is signing in for the first time, you can fetch the record to get the temporary password of the user, and then you can delete the entry from the database once the user has successfully set their new password.

The password should always be stored in encrypted form, and you need to configure proper fine-grained permissions to restrict access to decryption of the password.

Note: As per the Shared Responsibility Model, it is the customer's responsibility to maintain "security in the cloud".

I hope the information is helpful to you. In case you have any further queries/concerns regarding AWS services, please let us know. We are always here to assist you.

--Reference--

Client-side and server-side encryption in DynamoDB: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/client-server-side.html

DynamoDB encryption at rest: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

AWS
SUPPORT ENGINEER
Tarit_G
answered a year ago
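The flow the answer describes (a random temporary password per user, persisted only in encrypted form, fetched once at first sign-in to drive the NEW_PASSWORD_REQUIRED challenge, then deleted), as an added Python example that is not part of the question or the answer. It uses the boto3 cognito-idp method names (admin_create_user with MessageAction="SUPPRESS" because the invite link is sent by the application, admin_initiate_auth with the ADMIN_USER_PASSWORD_AUTH flow, admin_respond_to_auth_challenge), but the pool and client IDs, the LocalKms class, the FakeCognito class and the `invites` dict standing for the DynamoDB table are constructed stand-ins so the code runs offline. In production you would pass boto3.client("cognito-idp") and replace LocalKms with KMS Encrypt/Decrypt (or the DynamoDB Encryption Client), keeping the username as EncryptionContext so a ciphertext stored for one user cannot be decrypted as another's.

```python
"""Invite-then-set-password flow: fresh random temporary password per user, stored only
as ciphertext bound to the username, decrypted once for ADMIN_USER_PASSWORD_AUTH ->
NEW_PASSWORD_REQUIRED, then deleted. Added example; KMS and Cognito are stand-ins."""
import hashlib, hmac, json, secrets, string, time

POOL_ID, CLIENT_ID = "us-east-1_EXAMPLE", "exampleclientid0000"   # assumed identifiers
INVITE_TTL_SECONDS = 2 * 24 * 3600                                 # link valid for 2 days
SYMBOLS = "!@#$%^&*()-_=+"


def generate_temporary_password(length: int = 16) -> str:
    """One random password per user (never a shared hard-coded one), meeting Cognito's
    default policy: >= 8 chars with a lower, an upper, a digit and a symbol."""
    if length < 8:
        raise ValueError("Cognito requires at least 8 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    chars = [secrets.choice(c) for c in classes]                    # one from each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


class LocalKms:
    """Constructed stand-in for KMS Encrypt/Decrypt with an EncryptionContext.
    Keystream and tag are both derived from the context, so a blob stored for one
    username cannot be decrypted under another (KMS enforces the same check)."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def _prf(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._key, label + data, hashlib.sha256).digest()

    def _xor(self, data: bytes, ctx: bytes, nonce: bytes) -> bytes:
        stream = b"".join(self._prf(b"ks", ctx + nonce + i.to_bytes(4, "big"))
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext: bytes, context: dict) -> bytes:
        ctx, nonce = json.dumps(context, sort_keys=True).encode(), secrets.token_bytes(16)
        ct = self._xor(plaintext, ctx, nonce)
        return nonce + ct + self._prf(b"tag", ctx + nonce + ct)

    def decrypt(self, blob: bytes, context: dict) -> bytes:
        ctx = json.dumps(context, sort_keys=True).encode()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"tag", ctx + nonce + ct)):
            raise PermissionError("encryption context mismatch or tampered ciphertext")
        return self._xor(ct, ctx, nonce)


class FakeCognito:
    """Constructed in-memory stand-in exposing the boto3 cognito-idp method names the
    flow uses. Real Cognito has no call that returns a temporary password."""
    def __init__(self):
        self.users = {}

    def admin_create_user(self, UserPoolId, Username, TemporaryPassword, **kwargs):
        self.users[Username] = {"password": TemporaryPassword, "status": "FORCE_CHANGE_PASSWORD"}
        return {"User": {"Username": Username, "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def admin_initiate_auth(self, UserPoolId, ClientId, AuthFlow, AuthParameters):
        user = self.users.get(AuthParameters["USERNAME"])
        if not user or not hmac.compare_digest(user["password"], AuthParameters["PASSWORD"]):
            raise PermissionError("NotAuthorizedException: Incorrect username or password.")
        if user["status"] == "FORCE_CHANGE_PASSWORD":
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": secrets.token_urlsafe(24)}
        return {"AuthenticationResult": {"IdToken": "<jwt>"}}

    def admin_respond_to_auth_challenge(self, UserPoolId, ClientId, ChallengeName, Session, ChallengeResponses):
        user = self.users[ChallengeResponses["USERNAME"]]
        user["password"], user["status"] = ChallengeResponses["NEW_PASSWORD"], "CONFIRMED"
        return {"AuthenticationResult": {"IdToken": "<jwt>"}}


def invite_user(cognito, kms, invites: dict, username: str, email: str) -> None:
    """Step 1: create the user and persist only the encrypted temporary password
    (`invites` stands for the DynamoDB table; expires_at would be its TTL attribute)."""
    temp = generate_temporary_password()
    cognito.admin_create_user(UserPoolId=POOL_ID, Username=username, TemporaryPassword=temp,
                              UserAttributes=[{"Name": "email", "Value": email}],
                              MessageAction="SUPPRESS")                # we send our own link
    invites[username] = {"ct": kms.encrypt(temp.encode(), {"username": username}),
                         "expires_at": int(time.time()) + INVITE_TTL_SECONDS}


def complete_first_sign_in(cognito, kms, invites: dict, username: str, new_password: str) -> bool:
    """Step 2: decrypt the stored temporary password, answer NEW_PASSWORD_REQUIRED with
    the user's choice, then delete the record so it can never be replayed."""
    item = invites.get(username)
    if item is None or item["expires_at"] < time.time():
        return False                                   # no invite or link expired: re-invite
    temp = kms.decrypt(item["ct"], {"username": username}).decode()
    resp = cognito.admin_initiate_auth(UserPoolId=POOL_ID, ClientId=CLIENT_ID,
                                       AuthFlow="ADMIN_USER_PASSWORD_AUTH",
                                       AuthParameters={"USERNAME": username, "PASSWORD": temp})
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        return False                                   # already confirmed or unexpected state
    cognito.admin_respond_to_auth_challenge(
        UserPoolId=POOL_ID, ClientId=CLIENT_ID, ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=resp["Session"], ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password})
    del invites[username]                              # one-time use
    return True


if __name__ == "__main__":
    cognito, kms, invites = FakeCognito(), LocalKms(), {}
    invite_user(cognito, kms, invites, "alice", "alice@example.com")
    print(complete_first_sign_in(cognito, kms, invites, "alice", "N3w-Str0ng-Pass!"))
```

Against a real pool, ADMIN_USER_PASSWORD_AUTH must be enabled on the app client (ALLOW_ADMIN_USER_PASSWORD_AUTH), and the role that runs Step 2 should be the only principal with kms:Decrypt on the key, which is the fine-grained permission the answer refers to. If the pool has required attributes that were not set at creation, the NEW_PASSWORD_REQUIRED response also needs userAttributes.<name> entries in ChallengeResponses.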
