UserMFASettingList field of AdminGetUserResponse is empty
I need to determine the MFA configuration for a specific Cognito user via SDK.
My current logic is based on AdminGetUser API and in particular on userMFASettingList and preferredMfaSetting response fields.
As per https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/modules/admingetuserresponse.html#usermfasettinglist,
userMFASettingList is defined as
The MFA options that are activated for the user. The possible values in this list are SMS_MFA and SOFTWARE_TOKEN_MFA.
while mfaOptions is marked as deprecated and its use is discouraged.
I tested a pool with mandatory SMS MFA but userMFASettingList is empty, despite being able to complete the MFA challenge and log in successfully via Cognito Hosted UI.
Is this a bug? What logic should I use?
Is this a bug?
Seems like it.
Unless you call AdminSetUserMFAPreference at least once, UserMFASettingList will always be empty by default in a AdminGetUser call even if MFAOptions is correctly populated.
This is not returned / empty at an API level, so the SDK doesn't make a difference here.
- Create user
- Go through setting up MFA
- Note that console says 'MFA methods: SMS'
- Call
AdminGetUserand check thatUserMFASettingListis empty whileMFAOptionsis populated - Call
AdminSetUserMFAPreferenceto 'reassert' the SMS MFA option - Call
AdminGetUseragain and check that bothUserMFASettingList&MFAOptionsare now populated, even though you practically didn't change anything
➜ ~ aws cognito-idp admin-get-user \
--region eu-west-1 \
--user-pool-id xxx \
--username user1 \
| jq .
{
"Username": "user1",
"UserAttributes": [
...
],
"UserCreateDate": "xxx",
"UserLastModifiedDate": "xxx",
"Enabled": true,
"UserStatus": "CONFIRMED",
"MFAOptions": [
{
"DeliveryMedium": "SMS",
"AttributeName": "phone_number"
}
]
}
➜ ~ aws cognito-idp admin-set-user-mfa-preference \
--user-pool-id xxx \
--username user1 \
--sms-mfa-settings Enabled=true
➜ ~ aws cognito-idp admin-get-user \
--region eu-west-1 \
--user-pool-id xxx \
--username user1 \
| jq .
{
"Username": "user1",
"UserAttributes": [
...
],
"UserCreateDate": "xxx",
"UserLastModifiedDate": "xxx",
"Enabled": true,
"UserStatus": "CONFIRMED",
"MFAOptions": [
{
"DeliveryMedium": "SMS",
"AttributeName": "phone_number"
}
],
"UserMFASettingList": [
"SMS_MFA"
]
}
I need to determine the MFA configuration for a specific Cognito user via SDK.
What logic should I use?
Sadly, you can't easily do it.
You need a combination of PreferredMfaSetting & UserMFASettingList to be able to determine the MFA configuration for a user. With the above bug (as far as I can see) fixed, even if UserMFASettingList is populated correctly first time round, that's just a list of available MFA options for the user. It's not what the user has selected.
There isn't a CurrentMfaSetting field returned by the Cognito API.
- Changing the name of a Load Balancer on AWS Console
- Timeout when trying to retrieve EC2 instance-id metadata from within it
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- Downloading an entire S3 bucket?
- Unable to unzip .zip file on linux machine
- Missing Authentication Token while accessing API Gateway?
- AWS S3 Access Denied when open object URL in browser
- AWS Lambda NodeJs unable to return response
- How can I access my AWS MSK managed kafka queue from my local machine and EC2 instances in other regions
- How to recreate EC2 instances of an autoscaling group with terraform?
- AWS Cloudwatch Alarm Issue
- AWS EC2 | using Rusoto SDK: Couldn't find AWS credentials
- How to enable "Use for Hive table metadata" in "AWS Glue Data Catalog settings" using Terraform?
- Determine if instance is a part of some AutoScaling Group in AWS
- Difference bw "start_of_file" and "end_of_file" in AWS cloud agent configuration
- not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
- Environment specific ebextensions Beanstalk commands
- Deleting records from a DynamoDB table where the TTL value has been set incorrectly
- MySQL/Amazon RDS error: "you do not have SUPER privileges..."
- Is EC2 t3.micro created by ECS cluster eligible for free tier?
- Amazon Neptune OpenCypher - What is the cause for "Operation terminated (internal error)" when using SET after MERGE?
- AWS SAM CLI cannot access Dynamo DB when function is invoked locally
- EC2 instance connect : There was a problem setting up the instance connection
- Wildcard filter in aws-nuke
- Add advanced validation for AWS::Serverless::Api GET query params
- Organizing AWS IAM permissions: limit of 10 policies?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- failed calling webhook "vingress.elbv2.k8s.aws"
- terraform tags for list variable not working
- Amazon SES successfully forwarded emails but respond with 451 4.3.0 This message could not be delivered