How to change User Status FORCE_CHANGE_PASSWORD?

2019-03-08 05:08发布

站内问答 / 移动开发
539 9 5

Using AWS Cognito, I want to create dummy users for testing purposes.

I then use the AWS Console to create such user, but the user has its status set to FORCE_CHANGE_PASSWORD. With that value, this user cannot be authenticated.

Is there a way to change this status?

UPDATE Same behavior when creating user from CLI

9条回答
倾城 Initia
2楼-- · 2019-03-08 05:43

Basically this is the same answer but for .Net C# SDK:

The following will make a full admin user creation with desired username and password. Having the following User model:

public class User
{
    public string Username { get; set; }
    public string Password { get; set; }
}

You can create a user and make it ready to use using:

   public void AddUser(User user)
    {
        var tempPassword = "ANY";
        var request = new AdminCreateUserRequest()
        {
            Username = user.Username,
            UserPoolId = "MyuserPoolId",
            TemporaryPassword = tempPassword
        };
        var result = _cognitoClient.AdminCreateUserAsync(request).Result;
        var authResponse = _cognitoClient.AdminInitiateAuthAsync(new AdminInitiateAuthRequest()
        {
            UserPoolId = "MyuserPoolId",
            ClientId = "MyClientId",
            AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH,
            AuthParameters = new Dictionary<string, string>()
            {
                {"USERNAME",user.Username },
                {"PASSWORD", tempPassword}
            }
        }).Result;
        _cognitoClient.RespondToAuthChallengeAsync(new RespondToAuthChallengeRequest()
        {
         ClientId = "MyClientId",
            ChallengeName = ChallengeNameType.NEW_PASSWORD_REQUIRED,
            ChallengeResponses = new Dictionary<string, string>()
            {
                {"USERNAME",user.Username },
                {"NEW_PASSWORD",user.Password }
            },
            Session = authResponse.Session
        });
    }
查看更多
0人赞 添加讨论(0) 举报
放荡不羁爱自由
3楼-- · 2019-03-08 05:46

not sure if you are still fighting with this but for creating a bunch of test users only, I used the awscli as such:

  1. Use the sign-up subcommand from cognito-idp to create the user
aws cognito-idp sign-up \
   --region %aws_project_region% \
   --client-id %aws_user_pools_web_client_id% \
   --username %email_address% \
   --password %password% \
   --user-attributes Name=email,Value=%email_address%
  1. Confirm the user using admin-confirm-sign-up
aws cognito-idp admin-confirm-sign-up \
--user-pool-id %aws_user_pools_web_client_id% \
--username %email_address%
查看更多
0人赞 添加讨论(0) 举报
疯言疯语
4楼-- · 2019-03-08 05:47

Sorry you are having difficulties. We do not have a one step process where you can just create users and authenticate them directly. We might change this in the future such as to allow administrators to set passwords that are directly usable by users. For now, when you create users either using AdminCreateUser or by signing up users with the app, extra steps are required, either forcing users to change the password upon login or having users verify the email or phone number to change the status of the user to CONFIRMED.

查看更多
0人赞 添加讨论(0) 举报
贼婆χ
5楼-- · 2019-03-08 05:50

For Java SDK, assuming your Cognito client is setup and you have your user in the FORCE_CHANGE_PASSWORD state you can do the following to get your user CONFIRMED... and then auth'd as normal.

AdminCreateUserResult createUserResult = COGNITO_CLIENT.adminCreateUser(createUserRequest());

AdminInitiateAuthResult authResult = COGNITO_CLIENT.adminInitiateAuth(authUserRequest());


Map<String,String> challengeResponses = new HashMap<>();
challengeResponses.put("USERNAME", USERNAME);
challengeResponses.put("NEW_PASSWORD", PASSWORD);
RespondToAuthChallengeRequest respondToAuthChallengeRequest = new RespondToAuthChallengeRequest()
      .withChallengeName("NEW_PASSWORD_REQUIRED")
      .withClientId(CLIENT_ID)
      .withChallengeResponses(challengeResponses)
      .withSession(authResult.getSession());

COGNITO_CLIENT.respondToAuthChallenge(respondToAuthChallengeRequest);

Hope it helps with those integration tests (Sorry about the formatting)

查看更多
0人赞 添加讨论(0) 举报
老娘就宠你
6楼-- · 2019-03-08 05:51

You can change that user status FORCE_CHANGE_PASSWORD by calling respondToAuthChallenge() on the user like this:

var params = {
  ChallengeName: 'NEW_PASSWORD_REQUIRED', 
  ClientId: 'your_own3j63rs8j16bxxxsto25db00obh',
  ChallengeResponses: {
    USERNAME: 'user3',
    NEW_PASSWORD: 'changed12345'
  },
  Session: 'xxxxxxxxxxZDMcRu-5u019i_gAcX5lw1biFnKLtfPrO2eZ-nenOLrr5xaHv-ul_-nGsOulyNG12H85GJ2UGiCGtfe-BdwTmQ-BMUnd2Twr9El45xgpGKWDrYcp11J4J9kZN71ZczynizRJ7oa5a_j2AiBYukzhd_YzPWGscrFu98qqn_JoiLsJ7w9v_C_Zpw6-ixCs09suYQKZ3YlWNFmMpC2nSiKrXUA8ybQkdj6vIO68d-vtYq0mVHt410v2TBtK4czOAh5MieO55kgvGHCxvEusQOTeFYh4Mjh1bwcHWRvSV6mVIrVSm4FnRs0u26vUDq79CgkuycRl2iOoqxc1abcaANKmEB45r2oPnmPZIhVqNO5eHe6fpac7s3pHwLKvNOv7EaQkjyY9Vb5gINmSjXBjBl3O3aqQ7KXyueuHHSLrfchP64SwuNQZSfL1Vis0ap5JtSat3udslzUBiU8FEhmJNwPX08QyIm4DqviTLp6lDqH5pH6BuvO9OUHPrEcDzufOx1a76pld-9f-NGfactCUZC0elQcAiGSqbwfiRYHn7TDHuX1WKf9L9E6GvhJhB154SxxhXsLm3Yv9DhWhOlVbhdbzR2Bq4dqJRDOPY2wengFX6v36TLlYZTHbGEc_PbSlx8Ru80avxehAmUNtNqDYjGbXq0vBWaEiJmkr1isF7XsCvrmZb6tHY'
};

cognitoidentityserviceprovider.respondToAuthChallenge(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

After this, you'll see in the console that user3 status is CONFIRMED

查看更多
0人赞 添加讨论(0) 举报
聊天终结者
7楼-- · 2019-03-08 05:54

OK. I finally have code where an administrator can create a new user. The process goes like this:

  1. Admin creates the user
  2. User receives an email with their temporary password
  3. User logs in and is asked to change their password

Step 1 is the hard part. Here's my code for creating a user in Node JS:

let params = {
  UserPoolId: "@cognito_pool_id@",
  Username: username,
  DesiredDeliveryMediums: ["EMAIL"],
  ForceAliasCreation: false,
  UserAttributes: [
    { Name: "given_name", Value: firstName },
    { Name: "family_name", Value: lastName},
    { Name: "name", Value: firstName + " " + lastName},
    { Name: "email", Value: email},
    { Name: "custom:title", Value: title},
    { Name: "custom:company", Value: company + ""}
  ],
};
let cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();
cognitoIdentityServiceProvider.adminCreateUser(params, function(error, data) {
  if (error) {
    console.log("Error adding user to cognito: " + error, error.stack);
    reject(error);
  } else {
    // Uncomment for interesting but verbose logging...
    //console.log("Received back from cognito: " + CommonUtils.stringify(data));
    cognitoIdentityServiceProvider.adminUpdateUserAttributes({
      UserAttributes: [{
        Name: "email_verified",
        Value: "true"
      }],
      UserPoolId: "@cognito_pool_id@",
      Username: username
    }, function(err) {
      if (err) {
        console.log(err, err.stack);
      } else {
        console.log("Success!");
        resolve(data);
      }
    });
  }
});

Basically, you need to send a second command to force the email to be considered verified. The user still needs to go to their email to get the temporary password (which also verifies the email). But without that second call that sets the email to verified, you won't get the right call back to reset their password.

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)