3

Is there an admin api to set a temporary password for an existing user and set the account back to "Enabled / FORCE_CHANGE_PASSWORD"?

We are in the early stages of changing authentication in an old WinForms app to use AWS Cognito. We are not allowed to count on users having email or SMS (plant floor). We have created new users in the pool and supplied a first-time temporary password. The users are in "Enabled / FORCE_CHANGE_PASSWORD" status. We tested this, and the first time they log in with the temp password we get the Cognito challenge and they then get the enter-new-password screen.

I cannot find any page or doc besides AdminCreateUser that sets the password and status of an account. All seem to rely on a flow that involves a verified email or phone.

My "google-foo" may be off so asking the question.

Here is the code in a console app we created to add the user...

            using System.Threading.Tasks;
            using Amazon;
            using Amazon.CognitoIdentityProvider;
            using Amazon.CognitoIdentityProvider.Model;
            using Amazon.Runtime;

            // user.COGNITO_ID / user.Password and COGNITO_POOL_ID_USEAST come from the
            // app's own user model and configuration (not shown in the question).
            static async Task<string> CreateUserAsync(User user, AWSCredentials creds)
            {
                var request = new AdminCreateUserRequest
                {
                    Username = user.COGNITO_ID,
                    UserPoolId = COGNITO_POOL_ID_USEAST,
                    TemporaryPassword = user.Password
                };
                using var cognitoClient = new AmazonCognitoIdentityProviderClient(creds, RegionEndpoint.USEast1);
                // await rather than .Result: .Result blocks the calling thread and can deadlock in a WinForms UI.
                await cognitoClient.AdminCreateUserAsync(request);
                // New users stay Enabled / FORCE_CHANGE_PASSWORD until they answer the NEW_PASSWORD_REQUIRED challenge.
                return "User created as Enabled / FORCE_CHANGE_PASSWORD";
            }

I could delete and re-add the user (they have no attributes) but want to avoid this.

Scott Mcnitt

1 Answer

3

You can use AdminUpdateUserAttributes to update the Account Status to FORCE_CHANGE_PASSWORD. If that doesn't work you can simply add a custom attribute which acts as a flag for accounts you want to disable. Then you can simply add a Lambda post login which checks for this flag and forces the user to change his password.

Ninad Gaikwad
  • 1
    Thanks @Ninad. I will check out the AdminUpdateUserAttributes for Account Status. I think the biggest problem is that I need some sort of temporary password to be set as with the add new user scenario. – Scott Mcnitt Jun 05 '19 at 12:36
  • 3
    You can use this to set a temporary password. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html I think if you select temporary this will take care of the force change automatically. Give it a try. – Ninad Gaikwad Jun 05 '19 at 12:56
  • Well, according to the documentation this is exactly what it will do. No need for AdminUpdateUserAttributes. – Ninad Gaikwad Jun 05 '19 at 12:57
  • that looks like exactly what I need! Trying this out today. – Scott Mcnitt Jun 07 '19 at 17:17
  • Great! Let me know how it goes – Ninad Gaikwad Jun 07 '19 at 17:40
  • It worked and setting the request "Permanent" property to false gets me exactly the account status I need and the user is prompted to enter a new password next login. Much thanks to @Ninad Gaikwad – Scott Mcnitt Jun 07 '19 at 19:17
  • That's great! Please upvote and select as correct answer if this solved your problem – Ninad Gaikwad Jun 07 '19 at 19:23
  • 1
    Ninad Gaikwad found that the AdminSetUserPassword method in AmazonCognitoIdentityProviderClient was exactly what I needed. Marking his original answer as correct -- not sure how to show the code as an example now. – Scott Mcnitt Jun 18 '19 at 14:15
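The comments above settle on AdminSetUserPassword with Permanent = false. The following is an added example in the same .NET SDK the question uses; it is not code from the question or the answer. It generates a fresh temporary password from a CSPRNG (instead of taking one from a user record), guarantees one character from each class so it passes Cognito's default password policy, resets an existing user to Enabled / FORCE_CHANGE_PASSWORD, and returns the temporary password so the admin can hand it over out of band. The pool id, user name, character sets and the AWSSDK.CognitoIdentityProvider / .NET 6 target are assumptions.

```csharp
// Added example (not from the question or answer): put an existing Cognito user
// back into Enabled / FORCE_CHANGE_PASSWORD with a random temporary password.
// Assumes the AWSSDK.CognitoIdentityProvider package and .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public static class CognitoTempPassword
{
    // Character classes for Cognito's default policy (upper, lower, digit, symbol).
    // Ambiguous glyphs (0/O, 1/l/I) are left out because the password is read aloud or typed by hand.
    const string Upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    const string Lower = "abcdefghjkmnpqrstuvwxyz";
    const string Digits = "23456789";
    const string Symbols = "!@#$%^&*-_=+";

    // Builds a temporary password from the OS CSPRNG, guaranteeing one character
    // from each class so the pool's policy accepts it on the first attempt.
    public static string GenerateTemporaryPassword(int length = 16)
    {
        if (length < 8) throw new ArgumentOutOfRangeException(nameof(length), "Cognito requires at least 8 characters");
        string all = Upper + Lower + Digits + Symbols;
        var chars = new char[length];
        chars[0] = Upper[RandomNumberGenerator.GetInt32(Upper.Length)];
        chars[1] = Lower[RandomNumberGenerator.GetInt32(Lower.Length)];
        chars[2] = Digits[RandomNumberGenerator.GetInt32(Digits.Length)];
        chars[3] = Symbols[RandomNumberGenerator.GetInt32(Symbols.Length)];
        for (int i = 4; i < length; i++)
            chars[i] = all[RandomNumberGenerator.GetInt32(all.Length)];
        // Fisher-Yates shuffle so the class-guaranteed characters are not always in positions 0-3.
        for (int i = chars.Length - 1; i > 0; i--)
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }
        return new string(chars);
    }

    // Resets an existing user to FORCE_CHANGE_PASSWORD. Returns the temporary
    // password so the caller can deliver it out of band (no email/SMS available).
    public static async Task<string> ResetToTemporaryPasswordAsync(
        IAmazonCognitoIdentityProvider client, string userPoolId, string username)
    {
        string tempPassword = GenerateTemporaryPassword();
        var request = new AdminSetUserPasswordRequest
        {
            UserPoolId = userPoolId,
            Username = username,
            Password = tempPassword,
            Permanent = false // false: user must answer NEW_PASSWORD_REQUIRED at next login
        };
        try
        {
            await client.AdminSetUserPasswordAsync(request);
        }
        catch (UserNotFoundException)
        {
            throw new InvalidOperationException($"No user '{username}' in pool {userPoolId}");
        }
        catch (InvalidPasswordException ex)
        {
            // The pool's policy is stricter than the generator assumes; fail loudly rather than retry blindly.
            throw new InvalidOperationException("Temporary password rejected by the pool's password policy", ex);
        }
        return tempPassword;
    }

    public static async Task Main()
    {
        // Placeholder values; real ones come from the app's configuration.
        const string poolId = "us-east-1_EXAMPLE";
        const string username = "plant-floor-user-01";
        using var client = new AmazonCognitoIdentityProviderClient(RegionEndpoint.USEast1);
        string temp = await ResetToTemporaryPasswordAsync(client, poolId, username);
        Console.WriteLine($"{username} is now Enabled / FORCE_CHANGE_PASSWORD. Temporary password: {temp}");
    }
}
```

The caller's IAM principal needs cognito-idp:AdminSetUserPassword on the pool; the call is server-side only and never goes through the client app that end users run. The temporary password is printed once for the administrator to hand over and is not stored, which is the point of generating it here rather than keeping one in a user record as the question's console app does.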