After creating a Cognito user with
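const AWS = require("aws-sdk");

AWS.config.update({
  region: "us-east-1",
});

// Client for the Cognito user-pool API. The admin* operations are authorized by
// the caller's AWS credentials, so the principal running this script should be
// granted only the Cognito actions it needs (here cognito-idp:AdminCreateUser),
// scoped to this one pool.
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
  apiVersion: "2016-04-19",
  region: "us-east-1",
});

const USER_POOL_ID = "my-cognito-user-pool-id";

// Request for adminCreateUser: creates the user and e-mails an invitation.
const poolData = {
  UserPoolId: USER_POOL_ID,
  // NOTE(review): the address looks redacted on the source page; substitute the
  // real e-mail address here and in the "email" attribute below.
  Username: "[email protected]",
  DesiredDeliveryMediums: ["EMAIL"],
  // Sample value from the question. A fixed, guessable temporary password that
  // is reused for every new user protects nothing until the first sign-in:
  // omit TemporaryPassword so Cognito generates a random one, or generate one
  // per user, and keep it out of source control.
  TemporaryPassword: "Test123456",
  UserAttributes: [
    {
      Name: "email",
      Value: "[email protected]",
    },
    {
      // Marks the address as verified without the owner proving control of it;
      // set this only when the address comes from a source you already trust.
      Name: "email_verified",
      Value: "true",
    },
  ],
};

cognitoidentityserviceprovider.adminCreateUser(poolData, (error, data) => {
  // Error-first callback: report the failure and stop instead of also
  // printing an undefined result.
  if (error) {
    console.error(error);
    return;
  }
  // data.User.UserStatus is 'FORCE_CHANGE_PASSWORD' for a user created this
  // way (see the output shown on the page).
  console.log(data);
});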
The output of the command is below
{
User: {
Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b',
Attributes: [ [Object], [Object], [Object] ],
UserCreateDate: 2021-04-27T14:17:43.856Z,
UserLastModifiedDate: 2021-04-27T14:17:43.856Z,
Enabled: true,
UserStatus: 'FORCE_CHANGE_PASSWORD'
}
}
From this output I take the Username
value and use it next to confirm the user with adminConfirmSignUp
command:
// Tries to confirm the admin-created user by the Username (the UUID that
// adminCreateUser returned). For a user whose status is FORCE_CHANGE_PASSWORD
// the page reports that this call is rejected with NotAuthorizedException.
const confirmParams = {
  UserPoolId: USER_POOL_ID,
  Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b',
  // ClientMetadata is handed to the Lambda trigger as plain key/value pairs.
  // Cognito neither validates nor encrypts it, so keep secrets out of it and
  // have the trigger treat the values as untrusted input.
  ClientMetadata: {
    STRING_KEY_1: 'STRING_VALUE_1',
    STRING_KEY_2: 'STRING_VALUE_2',
  },
};

cognitoidentityserviceprovider.adminConfirmSignUp(confirmParams, (err, data) => {
  if (!err) {
    console.log(data);
    return;
  }
  console.log(err, err.stack);
});
But I am getting the error:
NotAuthorizedException: User cannot be confirmed. Current status is FORCE_CHANGE_PASSWORD
Later I found that I can use the adminSetUserPassword command, which was designed to change the user's password. It turns out that it also confirms the user, and that works fine, except that it doesn't trigger the Post Confirmation Lambda, which I need to be triggered:
// Sets the user's password administratively. With Permanent: true the password
// is final rather than temporary, so the user is not asked to replace it and
// whoever ran this call knows the account's working password. The literal below
// is the sample from the question, not a value to reuse.
// Per the page, this also moves the user out of FORCE_CHANGE_PASSWORD but does
// not invoke the Post Confirmation Lambda.
const passwordParams = {
  UserPoolId: USER_POOL_ID,
  Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b',
  Password: 'New-password',
  Permanent: true,
};

cognitoidentityserviceprovider.adminSetUserPassword(passwordParams, (err, data) => {
  if (!err) {
    console.log(data);
    return;
  }
  console.log(err, err.stack);
});
How do I confirm a user created with the adminCreateUser command? I don't want to use adminSetUserPassword to confirm it. I would rather use the adminConfirmSignUp command, which should confirm the user and trigger the Post Confirmation Lambda. Please advise.
This is a known issue with cognito. The following workaround might suit your use-case depending on what behavior you expect.
Perform a check in a post-authentication handler and do your post confirmation logic there as well as in your post-confirmation handler.
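def handler(event, _):
    """Handle a Cognito post-authentication event.

    Runs the post-confirmation logic for users created with adminCreateUser,
    for whom the Post Confirmation trigger is not invoked (the issue this page
    describes).

    Args:
        event: trigger event dict; the user's status is read from
            event['request']['userAttributes']['cognito:user_status'].
        _: Lambda context, unused.

    Returns:
        The same event object, unchanged.
    """
    # Read the status defensively: an exception raised here would likely be
    # reported to the user as a failed sign-in -- TODO confirm for your pool.
    attributes = event.get('request', {}).get('userAttributes', {})
    status = attributes.get('cognito:user_status')
    # If the status hasn't been confirmed yet, we can assume it now is
    if status == 'FORCE_CHANGE_PASSWORD':
        # Do Something
        # This handler runs on sign-in, not once per user, so whatever goes
        # here should be idempotent (safe to run again for the same user).
        pass
    return event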
AdminConfirmSignUp still won't call the post-confirmation handler, so don't waste your time trying to get it working. If you want to perform some logic as part of a user provisioning step, just call the handler yourself; don't count on Cognito making sense.