Dom*_*ial 65 amazon-web-services aws-cli amazon-cognito
使用AWS Cognito,我想创建虚拟用户以进行测试.
然后,我使用AWS控制台创建此类用户,但用户的状态设置为FORCE_CHANGE_PASSWORD.使用该值,无法对此用户进行身份验证.
有没有办法改变这种状态?
更新:从CLI创建用户时也是同样的行为.
小智 122
我知道已经有一段时间了,但是认为这可能有助于遇到这篇文章的其他人.
您可以使用AWS CLI更改用户密码,但这是一个多步骤过程:
步骤1,获取所需用户的会话令牌:
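aws cognito-idp admin-initiate-auth --user-pool-id <your user pool id> --client-id <your app client id> --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=<username>,PASSWORD=<current temporary password>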
这将响应挑战"NEW_PASSWORD_REQUIRED",其他挑战参数和用户会话密钥.然后,您可以运行第二个命令来发出质询响应:
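aws cognito-idp admin-respond-to-auth-challenge --user-pool-id <your user pool id> --client-id <your app client id> --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD=<desired password>,USERNAME=<username> --session <session key from the previous response>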
这应返回有效的身份验证结果和适当的令牌.
为此,Cognito用户池必须具有配置有ADMIN_NO_SRP_AUTH功能的App客户端.(注意步骤5 http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html)
Ari*_*aza 19
您可以通过在用户上调用respondToAuthChallenge ()来更改该用户状态FORCE_CHANGE_PASSWORD,如下所示:
// Answers the NEW_PASSWORD_REQUIRED challenge for a user that is still in
// FORCE_CHANGE_PASSWORD. Every literal below is a sample placeholder: ClientId
// is the app client id, Session is the session string returned with the
// challenge, and NEW_PASSWORD is the password the user will keep.
const params = {
  ChallengeName: 'NEW_PASSWORD_REQUIRED',
  ClientId: 'your_own3j6...0obh',
  ChallengeResponses: {
    USERNAME: 'user3',
    NEW_PASSWORD: 'changed12345'
  },
  Session: 'xxxxxxxxxxZDMcRu-5u...sCvrmZb6tHY'
};

cognitoidentityserviceprovider.respondToAuthChallenge(params, (err, data) => {
  if (err) {
    // The call failed: print the error together with its stack trace.
    console.log(err, err.stack);
    return;
  }
  // NOTE(review): a successful response presumably carries the user's
  // authentication result (tokens) - keep this log out of shared or
  // long-lived log streams; confirm against the response shape.
  console.log(data);
});
在此之后,您将在控制台中看到user3状态为CONFIRMED
Bak*_*alf 18
只需在登录函数中的 onSuccess: function (result) { ... }, 之后添加此代码即可.之后您的用户将具有CONFIRMED状态.
newPasswordRequired(userAttributes, requiredAttributes) {
  // Called when the account was created by an admin: the user has to supply
  // a new password (plus any required attributes) before authentication
  // can complete.
  //
  // email_verified is not accepted back by the API; the original author was
  // unsure about phone_number_verified but does not send it back either.
  for (const verifiedFlag of ['email_verified', 'phone_number_verified']) {
    delete userAttributes[verifiedFlag];
  }
  // `this` is the callbacks object, so the same handlers receive the
  // outcome of the password change.
  cognitoUser.completeNewPasswordChallenge(newPassword, userAttributes, this);
}
Ion*_*ian 12
对不起,您遇到了困难.我们没有一步到位的流程,您只需创建用户并直接对其进行身份验证即可.我们将来可能会对此进行更改,例如允许管理员设置用户可直接使用的密码.目前,当您使用AdminCreateUser或通过使用应用程序注册用户来创建用户时,需要执行额外的步骤,强制用户在登录时更改密码或让用户验证电子邮件或电话号码以更改用户的状态CONFIRMED.
joe*_*joe 12
这个功能最终被添加到了AWS CLI:https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-set-user-password.html
您可以使用以下方法更改用户密码并更新状态:
# Sets the password for user1 as an administrator. --permanent marks it as the
# permanent password rather than another temporary one, which is what moves the
# user out of FORCE_CHANGE_PASSWORD. The values shown are placeholders; a
# password given on the command line can end up in shell history, so use
# throwaway credentials for test users.
aws cognito-idp admin-set-user-password --user-pool-id <your user pool id> --username user1 --password password --permanent
使用此方法之前,您可能需要使用以下方法更新AWS CLI:
# Upgrades the pip-installed awscli package; older releases may not yet
# include the admin-set-user-password subcommand.
pip3 install awscli --upgrade
对于 Java SDK,假设您的 Cognito 客户端已设置并且您的用户处于 FORCE_CHANGE_PASSWORD 状态,您可以执行以下操作来确认您的用户...然后正常进行身份验证。
// Create the user; per the surrounding text it starts in FORCE_CHANGE_PASSWORD.
AdminCreateUserResult created = COGNITO_CLIENT.adminCreateUser(createUserRequest());

// Start an admin-initiated sign-in. authUserRequest() is defined elsewhere;
// presumably it carries the temporary password - confirm. The response holds
// the session string needed to answer the challenge.
AdminInitiateAuthResult signIn = COGNITO_CLIENT.adminInitiateAuth(authUserRequest());
String challengeSession = signIn.getSession();

// Answer NEW_PASSWORD_REQUIRED with the username and the password to keep.
Map<String, String> newPasswordAnswer = new HashMap<>();
newPasswordAnswer.put("USERNAME", USERNAME);
newPasswordAnswer.put("NEW_PASSWORD", PASSWORD);

RespondToAuthChallengeRequest challengeReply = new RespondToAuthChallengeRequest()
        .withChallengeName("NEW_PASSWORD_REQUIRED")
        .withClientId(CLIENT_ID)
        .withChallengeResponses(newPasswordAnswer)
        .withSession(challengeSession);
COGNITO_CLIENT.respondToAuthChallenge(challengeReply);
希望它对这些集成测试有所帮助(抱歉格式问题)
小智 6
不知道您是否仍在为此苦恼,但如果只是为了创建一组测试用户,我是这样使用awscli的:
# Registers a test user through the app client's sign-up API. The %name%
# tokens are placeholders to substitute before running. The password is
# passed as a command-line argument, so use throwaway values.
# NOTE(review): the user presumably stays unconfirmed until the
# admin-confirm-sign-up call that follows - confirm.
aws cognito-idp sign-up \
--region %aws_project_region% \
--client-id %aws_user_pools_web_client_id% \
--username %email_address% \
--password %password% \
--user-attributes Name=email,Value=%email_address%
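# Confirms the signed-up user with administrator credentials, so no
# confirmation code is needed.
# --user-pool-id takes the user pool ID, not the app client ID that sign-up
# uses; %aws_user_pools_id% is a placeholder for that pool ID.
aws cognito-idp admin-confirm-sign-up \
  --user-pool-id %aws_user_pools_id% \
  --username %email_address%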
基本上这是相同的答案,但对于 .Net C# SDK:
以下代码通过管理员API(AdminCreateUser)完成整个创建流程,使用所需的用户名和密码创建用户。用户模型如下:
/// <summary>
/// Username and password of the account that AddUser creates.
/// The password is held as a plain string, so keep instances out of logs.
/// </summary>
public class User
{
// Sent as Username when creating the user and in both auth calls.
public string Username { get; set; }
// The password the user keeps; sent as NEW_PASSWORD in the challenge response.
public string Password { get; set; }
}
您可以创建一个用户并使其可供使用:
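/// <summary>
/// Creates a Cognito user with a temporary password, signs in with it through
/// the admin auth flow, and answers the NEW_PASSWORD_REQUIRED challenge with
/// <c>user.Password</c> so the account is usable straight away.
/// Blocks until all three calls have finished.
/// </summary>
/// <param name="user">Username and final password of the account to create.</param>
/// <exception cref="System.AggregateException">
/// Thrown when any of the three Cognito calls fails.
/// </exception>
public void AddUser(User user)
{
    // Placeholder value. NOTE(review): Cognito presumably checks the temporary
    // password against the pool's password policy as well - use a value that
    // satisfies it.
    var tempPassword = "ANY";

    var request = new AdminCreateUserRequest()
    {
        Username = user.Username,
        UserPoolId = "MyuserPoolId",
        TemporaryPassword = tempPassword
    };
    // The response is not needed; only wait for the user to exist.
    _cognitoClient.AdminCreateUserAsync(request).Wait();

    // Sign in with the temporary password to obtain the challenge session.
    var authResponse = _cognitoClient.AdminInitiateAuthAsync(new AdminInitiateAuthRequest()
    {
        UserPoolId = "MyuserPoolId",
        ClientId = "MyClientId",
        AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH,
        AuthParameters = new Dictionary<string, string>()
        {
            { "USERNAME", user.Username },
            { "PASSWORD", tempPassword }
        }
    }).Result;

    // Wait for the challenge response too. Without this the method returned
    // while the call was still in flight, so a failure (for example a rejected
    // new password) went unobserved and the user stayed in FORCE_CHANGE_PASSWORD.
    _cognitoClient.RespondToAuthChallengeAsync(new RespondToAuthChallengeRequest()
    {
        ClientId = "MyClientId",
        ChallengeName = ChallengeNameType.NEW_PASSWORD_REQUIRED,
        ChallengeResponses = new Dictionary<string, string>()
        {
            { "USERNAME", user.Username },
            { "NEW_PASSWORD", user.Password }
        },
        Session = authResponse.Session
    }).Wait();
}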
You can solve this using the amazon-cognito-identity-js SDK by authenticating with the temporary password after the account creation with cognitoidentityserviceprovider.adminCreateUser(), and running cognitoUser.completeNewPasswordChallenge() within cognitoUser.authenticateUser( ,{newPasswordRequired}) - all inside the function that creates your user.
I am using the below code inside AWS lambda to create enabled Cognito user accounts. I am sure it can be optimized, be patient with me. This is my first post, and I am still pretty new to JavaScript.
var AWS = require("aws-sdk");
var AWSCognito = require("amazon-cognito-identity-js");
// Request passed to adminCreateUser below. The your_* identifiers are
// placeholders that the surrounding Lambda code has to supply.
var params = {
UserPoolId: your_poolId,
Username: your_username,
DesiredDeliveryMediums: ["EMAIL"],
ForceAliasCreation: false,
// SUPPRESS asks Cognito not to send the invitation message, so the
// temporary password is only known to this code.
MessageAction: "SUPPRESS",
TemporaryPassword: your_temporaryPassword,
UserAttributes: [
{ Name: "given_name", Value: your_given_name },
{ Name: "email", Value: your_email },
{ Name: "phone_number", Value: your_phone_number },
// Marks the address as verified without any verification step; only do
// this for addresses the caller already trusts.
{ Name: "email_verified", Value: "true" }
]
};
// Client used for the admin call (adminCreateUser).
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
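// Step 1: create the account with the admin API, wrapped in a promise.
let promise = new Promise((resolve, reject) => {
  cognitoidentityserviceprovider.adminCreateUser(params, (err, data) => {
    if (err) {
      reject(err);
    } else {
      resolve(data);
    }
  });
});

promise
  .then(() => {
    // Step 2: sign in as the new user with the temporary password and
    // complete the NEW_PASSWORD_REQUIRED challenge.
    const authenticationDetails = new AWSCognito.AuthenticationDetails({
      Username: your_username,
      Password: your_temporaryPassword
    });
    const userPool = new AWSCognito.CognitoUserPool({
      UserPoolId: your_poolId,
      ClientId: your_clientId
    });
    const cognitoUser = new AWSCognito.CognitoUser({
      Username: your_username,
      Pool: userPool
    });

    return new Promise((resolveAuth, rejectAuth) => {
      cognitoUser.authenticateUser(authenticationDetails, {
        onSuccess(authResult) {
          cognitoUser.getSession((sessionErr) => {
            if (sessionErr) {
              // Previously ignored, which left the promise pending forever.
              rejectAuth(sessionErr);
              return;
            }
            cognitoUser.getUserAttributes((attributesErr) => {
              if (attributesErr) {
                // Previously ignored as well.
                rejectAuth(attributesErr);
                return;
              }
              resolveAuth(authResult);
            });
          });
        },
        onFailure(err) {
          rejectAuth(err);
        },
        newPasswordRequired(userAttributes) {
          // email_verified is removed before the attributes are sent back.
          delete userAttributes.email_verified;
          // your_newPoassword is the placeholder (spelled as in the original)
          // for the permanent password. `this` is the callbacks object, so
          // onSuccess / onFailure above receive the outcome.
          cognitoUser.completeNewPasswordChallenge(
            your_newPoassword,
            userAttributes,
            this
          );
        }
      });
    }).then((finalResult) => {
      // Sign the freshly confirmed user out again before continuing.
      cognitoUser.signOut();
      // further action, e.g. email to new user
      return finalResult;
    });
  })
  .then((finalResult) => {
    // NOTE(review): resolve / reject are not defined in this listing;
    // presumably the whole snippet sits inside an enclosing
    // `new Promise((resolve, reject) => ...)` in the Lambda handler - confirm.
    // The result is now passed through; it used to be referenced here
    // without being in scope.
    resolve(finalResult);
  })
  .catch((err) => {
    reject({ statusCode: 406, error: err });
  });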
小智 5
如果您想在控制台中以管理员身份更改状态,请在创建用户后按照以下步骤操作。