Examples of unexpected behavior from Cognito IDP; see comments
import java.util.HashMap; | |
import java.util.Map; | |
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient; | |
import com.amazonaws.services.cognitoidp.model.*; | |
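/**
 * Demonstrates that it's possible to login with the original credentials
 * after initiating the Forgot Password flow.
 * <p>
 * Pool id, client id, username and password are taken from the environment
 * ({@code COGNITO_POOL_ID}, {@code COGNITO_CLIENT_ID}, {@code COGNITO_USERNAME},
 * {@code COGNITO_PASSWORD}); each may be overridden by the positional argument
 * at the same index. Nothing secret lives in source, and the authentication
 * response is summarised rather than printed whole, because a fully
 * authenticated {@code AdminInitiateAuthResult} carries id/access/refresh tokens.
 */
public class ForgotPasswordExample
{
    /** Environment variables consulted, in positional-argument order. */
    private static final String[] ENV_NAMES = {
        "COGNITO_POOL_ID", "COGNITO_CLIENT_ID", "COGNITO_USERNAME", "COGNITO_PASSWORD"
    };

    /**
     * Starts the forgot-password flow for the user, then attempts an admin
     * (non-SRP) login with the unchanged password and reports the outcome.
     *
     * @param argv optional overrides, in order: poolId clientId username password
     * @throws IllegalArgumentException if any of the four settings is missing
     * @throws Exception on any SDK failure, propagated unchanged
     */
    public static void main(String[] argv)
    throws Exception
    {
        String poolId = setting(argv, 0);
        String clientId = setting(argv, 1);
        String username = setting(argv, 2);
        String password = setting(argv, 3);

        AWSCognitoIdentityProviderClient cognitoClient = new AWSCognitoIdentityProviderClient();
        try
        {
            ForgotPasswordRequest request1 = new ForgotPasswordRequest()
                                             .withClientId(clientId)
                                             .withUsername(username);
            ForgotPasswordResult response1 = cognitoClient.forgotPassword(request1);
            // this result describes where the code was delivered, not the code itself
            System.out.println("result of marking password forgotten: " + response1);

            Map<String,String> authParams = new HashMap<String,String>();
            authParams.put("USERNAME", username);
            authParams.put("PASSWORD", password);

            AdminInitiateAuthRequest request2 = new AdminInitiateAuthRequest()
                                                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                                                .withAuthParameters(authParams)
                                                .withClientId(clientId)
                                                .withUserPoolId(poolId);
            AdminInitiateAuthResult response2 = cognitoClient.adminInitiateAuth(request2);

            // report only the outcome: printing the whole result would write bearer
            // tokens to stdout (and to whatever captures it)
            System.out.println("authentication challenge: " + response2.getChallengeName());
            System.out.println("tokens issued: " + (response2.getAuthenticationResult() != null));
        }
        finally
        {
            // release the HTTP connection pool and background threads
            cognitoClient.shutdown();
        }
    }

    /**
     * Returns the positional argument at {@code index} when present and non-blank,
     * otherwise the environment variable {@code ENV_NAMES[index]}.
     *
     * @throws IllegalArgumentException if neither source supplies a value
     */
    private static String setting(String[] argv, int index)
    {
        String value = (argv != null && argv.length > index) ? argv[index] : null;
        if (value == null || value.trim().isEmpty())
        {
            value = System.getenv(ENV_NAMES[index]);
        }
        if (value == null || value.trim().isEmpty())
        {
            throw new IllegalArgumentException(
                "missing " + ENV_NAMES[index] + "; usage: poolId clientId username password");
        }
        return value;
    }
}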
{ | |
"UserPool": { | |
"AdminCreateUserConfig": { | |
"UnusedAccountValidityDays": 7, | |
"AllowAdminCreateUserOnly": false | |
}, | |
"MfaConfiguration": "OFF", | |
"Name": "example", | |
"LastModifiedDate": 1485631811.213, | |
"SmsConfiguration": { | |
"ExternalId": "97c3442e-3414-4240-8ced-1c3064717cc0", | |
"SnsCallerArn": "arn:aws:iam::REDACTED:role/service-role/example-SMS-Role" | |
}, | |
"EmailConfiguration": {}, | |
"AutoVerifiedAttributes": [ | |
"email" | |
], | |
"Policies": { | |
"PasswordPolicy": { | |
"RequireLowercase": true, | |
"RequireSymbols": false, | |
"RequireNumbers": true, | |
"MinimumLength": 8, | |
"RequireUppercase": true | |
} | |
}, | |
"UserPoolTags": {}, | |
"CreationDate": 1485103042.702, | |
"EstimatedNumberOfUsers": 3, | |
"Id": "REDACTED", | |
"LambdaConfig": {}, | |
"SchemaAttributes": [ | |
{ | |
"Name": "sub", | |
"StringAttributeConstraints": { | |
"MinLength": "1", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": true, | |
"AttributeDataType": "String", | |
"Mutable": false | |
}, | |
{ | |
"Name": "name", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "given_name", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "family_name", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "middle_name", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "nickname", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "preferred_username", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "profile", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "picture", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "website", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "email", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": true, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"AttributeDataType": "Boolean", | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"Name": "email_verified", | |
"Mutable": true | |
}, | |
{ | |
"Name": "gender", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "birthdate", | |
"StringAttributeConstraints": { | |
"MinLength": "10", | |
"MaxLength": "10" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "zoneinfo", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "locale", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "phone_number", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"AttributeDataType": "Boolean", | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"Name": "phone_number_verified", | |
"Mutable": true | |
}, | |
{ | |
"Name": "address", | |
"StringAttributeConstraints": { | |
"MinLength": "0", | |
"MaxLength": "2048" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "String", | |
"Mutable": true | |
}, | |
{ | |
"Name": "updated_at", | |
"NumberAttributeConstraints": { | |
"MinValue": "0" | |
}, | |
"DeveloperOnlyAttribute": false, | |
"Required": false, | |
"AttributeDataType": "Number", | |
"Mutable": true | |
} | |
] | |
} | |
} |
package com.kdgregory.sandbox.aws; | |
import java.io.Console;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;

import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient;
import com.amazonaws.services.cognitoidp.model.*;
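/**
 * Demonstrates that sending a temporary password via email is not sufficient
 * to mark email as verified.
 * <p>
 * Pool id, client id, username and the permanent password are taken from the
 * environment ({@code COGNITO_POOL_ID}, {@code COGNITO_CLIENT_ID},
 * {@code COGNITO_USERNAME}, {@code COGNITO_PASSWORD}); each may be overridden
 * by the positional argument at the same index, so no credential lives in
 * source. The temporary password is read interactively, without echo when a
 * terminal is attached. Auth responses are summarised rather than printed
 * whole, because a fully authenticated result carries id/access/refresh tokens.
 */
public class SignupEmailExample
{
    /** Environment variables consulted, in positional-argument order. */
    private static final String[] ENV_NAMES = {
        "COGNITO_POOL_ID", "COGNITO_CLIENT_ID", "COGNITO_USERNAME", "COGNITO_PASSWORD"
    };

    /**
     * Creates the user with email delivery of the temporary password, logs in
     * with that temporary password and, if Cognito demands a new password,
     * answers the challenge with the configured permanent password.
     *
     * @param argv optional overrides, in order: poolId clientId username password
     * @throws IllegalArgumentException if any of the four settings is missing
     * @throws IllegalStateException if no temporary password could be read
     * @throws Exception on any SDK failure, propagated unchanged
     */
    public static void main(String[] argv)
    throws Exception
    {
        String poolId = setting(argv, 0);
        String clientId = setting(argv, 1);
        String username = setting(argv, 2);
        String password = setting(argv, 3);

        AWSCognitoIdentityProviderClient cognitoClient = new AWSCognitoIdentityProviderClient();
        try
        {
            System.out.println("making create-user request");
            AdminCreateUserRequest request1 = new AdminCreateUserRequest()
                                              .withUserPoolId(poolId)
                                              .withUsername(username)
                                              .withUserAttributes(
                                                  new AttributeType()
                                                      .withName("email")
                                                      .withValue(username))
                                              .withDesiredDeliveryMediums(DeliveryMediumType.EMAIL)
                                              .withForceAliasCreation(Boolean.FALSE);
            AdminCreateUserResult response1 = cognitoClient.adminCreateUser(request1);
            // the created user's attributes and status; the temporary password is not in it
            System.out.println("create user response: " + response1);

            System.out.print("enter temporary password: ");
            String tempPassword = readTemporaryPassword();

            Map<String,String> authParams = new HashMap<String,String>();
            authParams.put("USERNAME", username);
            authParams.put("PASSWORD", tempPassword);

            AdminInitiateAuthRequest request2 = new AdminInitiateAuthRequest()
                                                .withClientId(clientId)
                                                .withUserPoolId(poolId)
                                                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                                                .withAuthParameters(authParams);
            AdminInitiateAuthResult response2 = cognitoClient.adminInitiateAuth(request2);
            System.out.println("initial auth challenge: " + response2.getChallengeName());

            // constant-first comparison: getChallengeName() is null when Cognito issued
            // no challenge, and calling equals() on it would throw NullPointerException
            if (ChallengeNameType.NEW_PASSWORD_REQUIRED.toString().equals(response2.getChallengeName()))
            {
                Map<String,String> challengeResponses = new HashMap<String,String>();
                challengeResponses.put("USERNAME", username);
                challengeResponses.put("PASSWORD", tempPassword);
                challengeResponses.put("NEW_PASSWORD", password);

                AdminRespondToAuthChallengeRequest request3 = new AdminRespondToAuthChallengeRequest()
                                                              .withClientId(clientId)
                                                              .withUserPoolId(poolId)
                                                              .withChallengeName(ChallengeNameType.NEW_PASSWORD_REQUIRED)
                                                              .withChallengeResponses(challengeResponses)
                                                              .withSession(response2.getSession());
                AdminRespondToAuthChallengeResult response3 = cognitoClient.adminRespondToAuthChallenge(request3);

                // report only the outcome: the whole result would include bearer tokens
                System.out.println("challenge outcome: " + response3.getChallengeName()
                                   + ", tokens issued: " + (response3.getAuthenticationResult() != null));
            }
            else
            {
                System.out.println("tokens issued without challenge: "
                                   + (response2.getAuthenticationResult() != null));
            }
        }
        finally
        {
            // release the HTTP connection pool and background threads
            cognitoClient.shutdown();
        }
    }

    /**
     * Reads the temporary password from the user: without echo when a terminal is
     * attached, otherwise (IDE, piped stdin) via a {@link Scanner} on {@code System.in}.
     *
     * @throws IllegalStateException if stdin is exhausted before a value is read
     */
    private static String readTemporaryPassword()
    {
        Console console = System.console();
        if (console != null)
        {
            char[] entered = console.readPassword();
            if (entered == null)
            {
                throw new IllegalStateException("no temporary password entered");
            }
            return new String(entered);
        }

        // System.in is intentionally left open: closing the Scanner would close it for the JVM
        @SuppressWarnings("resource")
        Scanner scanner = new Scanner(System.in);
        if (!scanner.hasNext())
        {
            throw new IllegalStateException("no temporary password entered");
        }
        return scanner.next();
    }

    /**
     * Returns the positional argument at {@code index} when present and non-blank,
     * otherwise the environment variable {@code ENV_NAMES[index]}.
     *
     * @throws IllegalArgumentException if neither source supplies a value
     */
    private static String setting(String[] argv, int index)
    {
        String value = (argv != null && argv.length > index) ? argv[index] : null;
        if (value == null || value.trim().isEmpty())
        {
            value = System.getenv(ENV_NAMES[index]);
        }
        if (value == null || value.trim().isEmpty())
        {
            throw new IllegalArgumentException(
                "missing " + ENV_NAMES[index] + "; usage: poolId clientId username password");
        }
        return value;
    }
}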
When you run `ForgotPasswordExample`, Cognito sends a verification code to the registered email address but then still allows the user to sign in with the existing password. I would expect it to force a password change, as with AdminResetUserPassword.
For `SignupEmailExample`, I would expect that the email containing the temporary password would be sufficient to mark the account's email as verified.