Auth Cognito user without temporary password


Hi all,

I created a new user in my Cognito user pool using AdminCreateUser AP call, the user is added with sates Force change password

then I will send a custom link to the user, the user will be prompted with an angular front-end page with only 2 inputs new password and confirm new password (no temporary password input).

so I want to store the temporary password in my backend (Redis cache) and then only ask the user for his new password.

Then authenticate the user using the temporary password(stored on the backend Redis cache) and the new password(provided by the user via the front-end application)

the issue with this is that if I don't include both the user name and temporary password on the invitation message Cognito will not send the email and it will send the default Cognito email.

as I understood the custom email needs to have those 2 variables (user name and temporary password) to be sent by Cognito, otherwise, it will not and the default Cognito invitation message will be sent instead.

is there a way to be able to send the custom email without containing the temporary password? so that the end user can focus only on providing the new password

my second question is: all my backend is serverless using lambdas, so how can I pass the user's password from the front end to the backend securely either as a request body or as a URL parameter?

Thank you so much team, appreciate your help!

1 Answer
Accepted Answer

Hello there,

Greeting from AWS!

I gather that you are using Amazon Cognito for storing and authenticating users against your Angular application, and are encountering roadblocks in sending out a custom welcome email which shouldn't contain the temporary password.

To illustrate the desired flow;

(A) Invoke AdminCreateUser API to create the new user & the temporary password is stored in backend Redis cache.

(B) Cognito to send out an email to the new user, which contains the username and the link to the angular front end which takes in 'just' the new password.

(C) On submit, request is be sent to your Lambda backend, that fetches the temporary password from the Redis cache and the new password from the user.

(D) Backend Lambda sets the user's password via series of API calls - InitiateAuth[1]/AdminInitiateAuth[2] & RespondToAuthChallenge[3]/AdminRespondToAuthChallenge[4].

As you you have mentioned, when Cognito sends out an invitation message to a newly created user(AdminCreateUser), both the username and temporary password need to be present within the verification message's body(regardless of whether you are customising the email verification messages on the Cognito console, or tweaking the Custom message Lambda trigger[5]). If the required parameters are not present in the message template, Cognito will default to Your username is {username} and temporary password is {####}.

--- W O R K A R O U N D ---

The workaround for this case would include the following changes:

  1. Phase I : Send out the welcome email
  • Instead of depending on Cognito to send a welcome email when a user is created(AdminCreateUser), suppress the action of sending out the welcome email by setting "MessageAction" to "SUPPRESS"[6] in the AdminCreateUser API call. Additionally, the same action can be done through console as well. To add a user, go under General Settings –> Users and groups –> Create user. In the create user dialog box, uncheck the "Send an invitation to this new user?" in the console.
  • To automate the process of sending an email to the created user, utilize the Pre sign-up Lambda trigger[7] to send out the welcome email manually. The Pre sign-up Lambda trigger will be invoked with triggerSource 'PreSignUp_AdminCreateUser' when the user is created via AdminCreateUser API. The task of sending out the welcome email needs to be managed within the code of the Pre sign-up Lambda trigger. The core pseudo code that needs to go into the Pre sign-up Lambda function is:
if event['triggerSource'] == "PreSignUp_AdminCreateUser":
 	USERNAME = event['userName']
 	EMAIL = event['request']['userAttributes']['email']
 	MESSAGE = "Welcome to `Application__XXXX`. Your user-name is `{USERNAME}`. Set your password here : {LOGIN_PORTAL}"

 	# Use your custom email sender, or Amazon SES [8], to send the above 'MESSAGE' to the user's 'EMAIL'
 return event
  1. Phase II : Resetting the password at the Lambda Backend
  • You can create an Amazon API Gateway REST API integration with your Lambda function, and embed the REST API's URL within your Angular front end JS code. The idea here is, your Angular front end collects the new password string from the newly created user, and passes the "username" and "new password" within the request body(POST) to this REST API's URL. The REST API will forward/proxy the same to your backend Lambda function.
  • When the backend Lambda function is invoked by the REST API, it ought to;
    • Execute the InitiateAuth[1]/AdminInitiateAuth[2] API with the "username" value present in the event payload, and temporary password from the Redis cache. The response will be a "NEW_PASSWORD_REQUIRED" challenge.
    • From the above API call's response, use the RespondToAuthChallenge[3]/AdminRespondToAuthChallenge[4] API call to respond to the "NEW_PASSWORD_REQUIRED" challenge, where the new password is present in the Lambda function's event payload.

Kindly refer to this article[9] to understand Lambda - API Gateway REST API integration. API Gateway endpoints are secured with SSL/TLS certificates, hence the transmitted password will be encrypted in-transit.

I hope that the above details are helpful. Please feel free to raise a support case with us if you require further guidance.



[1]. InitiateAuth

[2]. AdminInitiateAuth

[3]. RespondToAuthChallenge

[4]. AdminRespondToAuthChallenge

[5]. Custom message Lambda trigger - Custom message for admin create user example

[6]. AdminCreateUser - MessageAction

[7]. Pre sign-up Lambda trigger

[8]. Sending email through Amazon SES using an AWS SDK - Code examples

[9] Tutorial: Build a Hello World REST API with Lambda proxy integration

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions