
I am developing a Java-based AWS Cognito Pre-Sign-up Lambda trigger to automatically confirm the user and set their email as verified.

Per the AWS documentation, "Amazon Cognito passes event information to your Lambda function. The function then returns the same event object back to Amazon Cognito, with any changes in the response." I've seen documentation (and numerous StackOverflow discussions) about how "autoConfirmUser" and "autoVerifyEmail" should be used in a Pre-Sign-up Lambda response; examples are even provided for Node.js and Python.

While it seems straightforward to do similar in Java, I am apparently not returning the expected response and my users are being created without being automagically confirmed and email verified.

With the Function registered and set as the Pre sign-up trigger on my Cognito User Pool, I can see my Lambda is invoked each time a user is created (such as through the admin console using "Create User"). Logging the request coming into the Lambda, the request is:

{
 version = 1, region = us - east - 1, userPoolId = us - east - 1_1 IhOKuyug, userName = user@test.com, callerContext = {
  awsSdkVersion = aws - sdk - unknown - unknown,
  clientId = CLIENT_ID_NOT_APPLICABLE
 }, triggerSource = PreSignUp_AdminCreateUser, request = {
  userAttributes = {
   phone_number = +15555555555,
   email = user@test.com
  },
  validationData = null
 }, response = {
  autoConfirmUser = false,
  autoVerifyEmail = false,
  autoVerifyPhone = false
 }
}

My Lambda is:

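import java.util.Map;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;

public class PreSignUpRequestHandler implements RequestHandler<Object, Object> {

  @Override
  @SuppressWarnings("unchecked")
  public Object handleRequest(Object requestObject, Context context) {

    // Lambda deserializes the Cognito event JSON into nested Maps
    Map<String, Object> requestObjectMap = (Map<String, Object>) requestObject;

    // Set the Pre sign-up flags on the event's "response" section
    Map<String, Object> responseData = (Map<String, Object>) requestObjectMap.get("response");
    responseData.put("autoConfirmUser", true);
    responseData.put("autoVerifyEmail", true);
    responseData.put("autoVerifyPhone", false);

    // Log the modified event so it can be inspected in CloudWatch
    Gson gson = new GsonBuilder().setPrettyPrinting().create();
    String jsonResponse = gson.toJson(requestObject);
    context.getLogger().log("Response JSON: " + jsonResponse);

    // Cognito expects the same event object back, with the changes applied
    return requestObject;
  }

}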

Using the AWS Cognito General Settings > Users and Group > Create user, the user is created but the account status is listed as "FORCE_CHANGE_PASSWORD" and the email verified is listed as "-". A user created prior to the Lambda expression being assigned as the trigger that went through the confirmation/validation process has the account status listed as "CONFIRMED" and email verified listed as "true".

Looking at CloudWatch, the above Lambda produced:

Response JSON: 
{
    "version": "1",
    "region": "us-east-1",
    "userPoolId": "us-east-1_1IhOKuyRR",
    "userName": "user@test.com",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "CLIENT_ID_NOT_APPLICABLE"
    },
    "triggerSource": "PreSignUp_AdminCreateUser",
    "request": {
        "userAttributes": {
            "phone_number": "+5555555555",
            "email": "user@test.com"
        }
    },
    "response": {
        "autoConfirmUser": true,
        "autoVerifyEmail": true,
        "autoVerifyPhone": false
    }
}

Clearly, the user was created and the Lambda was fired. Yet, despite the Lambda returning "autoConfirmUser" and "autoVerifyEmail" as both true, the user was created without these response settings being applied.

What am I missing and what am I doing wrong?

Eric Spiegelberg

1 Answer

I was able to solve my issue.

The code sample above worked correctly with no changes.

For others that encounter this issue (including my future self), the key piece of information was in a note in the documentation:

NOTE:
Response parameters autoVerifyPhone, autoVerifyEmail and autoConfirmUser are ignored by Amazon Cognito when the Pre Sign-up lambda is triggered by the AdminCreateUser API.

As all of my prior testing was performed in the Admin console, upon reading this I realized I should perform testing from my app. Sure enough, when testing from the app the Lambda worked as expected without modification.

To summarize, when developing a Cognito Pre-Sign-up Lambda trigger, the trigger will not produce the desired results (i.e., a user confirmed with a verified email) when executed from the AWS admin console UI but will when executed from your application.

Eric Spiegelberg
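
The following added example, which is not part of the original post or AWS's own code, applies the documentation note quoted in the answer: it sets the flags only when triggerSource is PreSignUp_SignUp and leaves PreSignUp_AdminCreateUser events unchanged, so the logs never show flags that Cognito will ignore. The class name, method names and sample events are constructed for illustration, and plain maps are used so it runs without the Lambda runtime.

```java
import java.util.HashMap;
import java.util.Map;

public class PreSignUpTriggerSourceDemo {

  // Sets the auto-confirm flags only for self-service sign-up.
  // Returns true when autoConfirmUser was set, false when the event was left untouched.
  @SuppressWarnings("unchecked")
  static boolean applyAutoConfirm(Map<String, Object> event) {
    String source = (String) event.get("triggerSource");
    if (!"PreSignUp_SignUp".equals(source)) {
      // Per the documentation note, Cognito ignores these response
      // parameters for PreSignUp_AdminCreateUser, so do not set them.
      return false;
    }
    Map<String, Object> request = (Map<String, Object>) event.get("request");
    Map<String, Object> attrs = (Map<String, Object>) request.get("userAttributes");
    Map<String, Object> response = (Map<String, Object>) event.get("response");

    response.put("autoConfirmUser", true);
    // Only mark the email verified when the sign-up actually carries one;
    // autoVerifyEmail requires a non-null email attribute.
    Object email = attrs == null ? null : attrs.get("email");
    response.put("autoVerifyEmail", email != null && !email.toString().isEmpty());
    return true;
  }

  // Constructed sample event with the same shape as the one logged in the question.
  static Map<String, Object> sampleEvent(String triggerSource) {
    Map<String, Object> attrs = new HashMap<>();
    attrs.put("email", "user@test.com");
    Map<String, Object> request = new HashMap<>();
    request.put("userAttributes", attrs);
    Map<String, Object> response = new HashMap<>();
    response.put("autoConfirmUser", false);
    response.put("autoVerifyEmail", false);
    response.put("autoVerifyPhone", false);
    Map<String, Object> event = new HashMap<>();
    event.put("triggerSource", triggerSource);
    event.put("request", request);
    event.put("response", response);
    return event;
  }

  public static void main(String[] args) {
    for (String source : new String[] {"PreSignUp_SignUp", "PreSignUp_AdminCreateUser"}) {
      Map<String, Object> event = sampleEvent(source);
      boolean applied = applyAutoConfirm(event);
      System.out.println(source + " -> flags set: " + applied + ", response: " + event.get("response"));
    }
  }
}
```

In a real handler, the same branch would run inside handleRequest before the event is returned to Cognito.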