Cognito reset password weird behaviour for the new users: wrong email in CodeDeliveryDetails
I created a new user in AWS Cognito using the AWS Console, and it's currently in a "Force change password" state.
I want to trigger the 'forgotten password' flow immediately without inserting a username and password. So, I executed this Postman request:
curl --location 'https://cognito-idp.eu-central-1.amazonaws.com/' \
--header 'X-Amz-Target: AWSCognitoIdentityProviderService.ForgotPassword' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data '{
"ClientId":"aaaaaaaaabbbbbbbbcccccccdd",
"Username":"brandnewuser"
}'
However, I received this response:
{
"CodeDeliveryDetails": {
"AttributeName": "email",
"DeliveryMedium": "EMAIL",
"Destination": "t***@y***"
}
}
The issue is that the (masked) email is incorrect; it should be something like a***@a*** instead of t***@y***. This can confuse our clients.
Do you have any insights into why this is happening or have you encountered a similar problem? What steps should I take, such as opening a ticket with AWS?
Thank you for your assistance. Ennio
When a user is in the FORCE_CHANGE_PASSWORD state it's not possible to use the ForgotPassword API, as per AWS re:Post Knowledge Center:
The user isn't in a CONFIRMED status
Users created by administrators are in a FORCE_CHANGE_PASSWORD status by default until they sign in with the password provided. Then, users are prompted to change the password.
If the user status is FORCE_CHANGE_PASSWORD, then the ForgotPassword API call can't be used and the verification code isn't sent.
The reason why you are seeing the t***@y*** email address is a security feature to avoid user enumeration (more info on this answer and Cognito Developer Guide), if you disable PreventUserExistenceErrors you'll see the actual error message:
{"__type":"NotAuthorizedException","message":"User password cannot be reset in the current state."}
- Terraform version error when deploying to AWS through jenkins?
- How do I add python libraries to an AWS lambda function for Alexa?
- How do I consume json logs inside Fargate using CDK?
- how to view aws log real time (like tail -f)
- AWS Simple AD create Directory User for AWS WorkSpaces via CLI or CloudFormation
- AWS SSO/AWS Opensearch SAML integration
- Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
- Huge difference in CDN invocations vs lambda invocations
- BigQuery Transfer Service does not copy rows from S3
- Textract cannot read object from S3 when running on Lambda
- Can't access external MongoDB Atlas database from Elastic Beanstalk's EC2 instance
- How to disable application logs for EKS Cloudwatch Observability addon and other configurations
- Lambda layer's contents don’t match the S3 object after deploying with Terraform
- Why is a web server (i.e Nginx) REQUIRED for FastAPI but not Express API?
- How to disable an AWS region?
- AWS: Make a resource (e.g. a lambda) public in production but private in development
- How can I set permissions to a specific folder with Elastic Beanstalk using a C# ASP.NET Core app?
- Defining a serverless Aurora database in cloudformation
- AWS Launch Configuration error: The requested configuration is currently not supported
- how to refer to resources created with for_each in terraform
- Visual Studio 2022: AWS Toolkit broken, won't let me reinstall
- AWS role vs iam credential in duckdb HTTPFS call
- AWS BATCH - how to run more concurrent jobs
- Does an AWS routing table only affect outbound traffic?
- Weird ("too smart") Route 53 wildcard behavior
- bash script for AWS assume-role
- How do I translate an AWS S3 url into a bucket name for boto?
- Github actions Configure AWS credentials Error: The security token included in the request is invalid
- AWS API Gateway / AWS Network Load Balancer: request ends in 500 InternalServerErrorException, How to specify the port to forward to?
- AWS CLI - Saving the full output as a log file