
AWS Cognito user pools: how to recover / set a password for a user when it has no email or phone.

I am using this on the web for a small business locally, and I want users to use only a username, not email and phone.

On the verification tab, I leave both checkboxes: phone and email blank.

Then it displays the following red warning.

You have not selected either email or phone number verification,
so your users will not be able to
recover their passwords without contacting you for support.

So it is okay that I want them to contact support. But I cannot find an API to set their password or to recover it as an admin.

If users contact me, how can I do it?

Efren
riseres

2 Answers

At the moment, there is a workaround through the API. Just set an email/phone where you (the admin) can receive the one-off confirmation code (e.g. support@test.com).

Just tested on an old Cognito user pool that, for some unknown reason, gets the email_verified attribute set to false every now and then (ref).

The User pool has the same configuration: No verification options are enabled.

However, you can ensure the email_verified attribute is ok, through an AWS user with dev credentials.

Example using CLI (tested on aws-cli/1.16.3 Python/2.7.10 Darwin/18.2.0 botocore/1.11.3):

USER=test@test.com
POOL_ID=us_east_1-123
POOL_APP_CLIENT_ID=fake123

# Ensure the email_verified attribute is set to true
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id "$POOL_ID" --username "$USER" --user-attributes Name=email_verified,Value=true

# Check the attribute is set/added if missing
# (double quotes so that $USER expands; the JMESPath string literal uses single quotes)
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/list-users.html
aws cognito-idp list-users --user-pool-id "$POOL_ID" --query "Users[?Username=='$USER']"

# Run Admin Reset PWD (invalidates the current password; the user is put in RESET_REQUIRED status)
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-reset-user-password.html
aws cognito-idp admin-reset-user-password --user-pool-id "$POOL_ID" --username "$USER"
# The email/phone for the user should get a confirmation code
# Set the new pwd
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/confirm-forgot-password.html
aws cognito-idp confirm-forgot-password --confirmation-code <Code> --password <New PWD> --username "$USER" --client-id "$POOL_APP_CLIENT_ID"
Efren
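The same admin-assisted flow as a reusable script, written as an added example that is not the answer's or AWS's own code. It attaches a support mailbox (the admin's own) only for the duration of the reset and removes it again afterwards, since a verified address left on the account would let anyone who can read that mailbox trigger forgot-password later. POOL_ID, CLIENT_ID and SUPPORT_EMAIL are placeholders, and the final delete assumes email is not a required attribute in the pool.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer: admin-assisted password reset for a
# username-only Cognito user. The one-off code is routed to a support mailbox
# that is attached only for the duration of the reset and removed afterwards.
set -eu

POOL_ID="${POOL_ID:-us-east-1_EXAMPLE}"                 # placeholder pool id
CLIENT_ID="${CLIENT_ID:-exampleclientid}"               # placeholder app client id
SUPPORT_EMAIL="${SUPPORT_EMAIL:-support@example.com}"   # mailbox the admin controls

# Step 1: attach the support mailbox as a verified email so Cognito has
# somewhere to deliver the confirmation code (the user has no email of their own).
attach_support_email() {
  aws cognito-idp admin-update-user-attributes --user-pool-id "$POOL_ID" \
    --username "$1" \
    --user-attributes Name=email,Value="$SUPPORT_EMAIL" Name=email_verified,Value=true
}

# Step 2: invalidate the current password and trigger delivery of the code.
# The user stays in RESET_REQUIRED status until step 3 completes.
reset_password() {
  aws cognito-idp admin-reset-user-password --user-pool-id "$POOL_ID" --username "$1"
}

# Returns the user's current status, e.g. RESET_REQUIRED after step 2.
user_status() {
  aws cognito-idp admin-get-user --user-pool-id "$POOL_ID" --username "$1" \
    --query UserStatus --output text
}

# Step 3: confirm with the code read from the support mailbox and the new
# password agreed with the user out of band.
complete_reset() {
  aws cognito-idp confirm-forgot-password --client-id "$CLIENT_ID" \
    --username "$1" --confirmation-code "$2" --password "$3"
}

# Step 4: un-verify and remove the support mailbox again. Left in place, it
# would let anyone who can read that mailbox reset this user's password later.
# Assumes email is not a required attribute in the pool (else the delete fails).
detach_support_email() {
  aws cognito-idp admin-update-user-attributes --user-pool-id "$POOL_ID" \
    --username "$1" --user-attributes Name=email_verified,Value=false
  aws cognito-idp admin-delete-user-attributes --user-pool-id "$POOL_ID" \
    --username "$1" --user-attribute-names email
}

# Usage: attach_support_email alice && reset_password alice; then, with the code
# from the mailbox: complete_reset alice <code> '<new password>' && detach_support_email alice
```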

Basically that means that your users will not have to verify the email or phone number. Those can be auto verified either by writing a lambda function that verifies them or you could verify them on their behalf from the console.

Once the phone number or email is marked as verified, it can be used by users in a forgotPassword flow: they will basically get a code that they can use to reset the password.

You can also reset the user password on their behalf (from the console), which means that users will not be able to log in and will have to complete a forgotPassword flow before logging in. Again, phone number and email can be marked as verified from the console.

Ionut Trestian
  • How can I get a verification code? Because the user does not use email or phone. It has only a Username. – riseres Feb 02 '17 at 19:57
  • If your users don't have an email or a phone number, there is no way at this point for an administrator to trigger a password change. They can log in and change their passwords; however, Cognito requires sending a verification code to either an email address or a phone number to trigger an admin password change. I will mention this request within our team such that we prioritize it accordingly. – Ionut Trestian Feb 02 '17 at 21:22
  • If the Cognito user pool is set with "no verification", will the admin be able to set the password now? – Efren Jan 08 '19 at 01:09