Tags: amazon-web-services, amazon-cognito

AWS Cognito: Reset Expired Temporary Password


We are using AWS Cognito. We add users using the AdminCreateUser API and they receive their temporary password. Unfortunately, some of them do not log in within 7 days (the temporary password expiration period), and now when they try to log in with their expired temporary password, AWS Cognito returns this error:

User account has expired, it must be reset by an administrator.

For such cases, we remove the user from the user pool and create them again. But this is time consuming.

As per the documentation, we can use the same AdminCreateUser API with just the username and MessageAction = RESEND, which resends the invitation message to the user that already exists and resets the expiration limit on the user's account.

But we do not want to send the default email; we want to send our own email, and for that we have been setting MessageAction = SUPPRESS. And as per the documentation, MessageAction can have only one value, either RESEND or SUPPRESS.

Is there any way we can just reset the expiration limit, or, if we use the above approach, be able to send the email from our end and not use the default email?


Solution

  • I resolved the issue by sending the following request to the AdminCreateUser API using AWS's .NET client. This approach updates the user's temporary password without triggering the default email from AWS, allowing us to handle email notifications on our end:

    using System.Collections.Generic;
    using Amazon.CognitoIdentityProvider;
    using Amazon.CognitoIdentityProvider.Model;

    // RESEND re-invites an existing user and restarts the temporary password
    // expiration window; TemporaryPassword is the new value the user signs in with.
    var adminCreateUserRequest = new AdminCreateUserRequest
    {
        UserPoolId = _poolId,
        MessageAction = MessageActionType.RESEND,
        Username = request.Username,
        TemporaryPassword = request.TemporaryPassword,
        DesiredDeliveryMediums = new List<string> { "EMAIL" }
    };

    // _authProvider is an AmazonCognitoIdentityProviderClient (IAmazonCognitoIdentityProvider).
    await _authProvider.AdminCreateUserAsync(adminCreateUserRequest);
    

    In the above code, _authProvider is an instance of AmazonCognitoIdentityProviderClient. The TemporaryPassword represents the new temporary password to be set, and DesiredDeliveryMediums specifies "EMAIL" as the delivery method, since email notifications were disabled when creating the user pool.
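The following is an added, self-contained example built around the answer's approach; it is not code from the original answer. It detects the expired-temporary-password condition at sign-in, issues a new temporary password through AdminCreateUser with MessageAction = RESEND, and hands that password to the application's own mailer. Assumptions not in the original: the expired-account error is raised as a NotAuthorizedException carrying the message quoted in the question, the app client allows ADMIN_USER_PASSWORD_AUTH, the calling principal has cognito-idp:AdminInitiateAuth and cognito-idp:AdminCreateUser, and ISendMail is a hypothetical interface standing in for whatever the application uses to send email.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

// Hypothetical abstraction over the application's own outbound mail (assumption).
public interface ISendMail
{
    Task SendAsync(string toAddress, string subject, string body);
}

public sealed class TemporaryPasswordResetter
{
    private readonly IAmazonCognitoIdentityProvider _cognito;
    private readonly ISendMail _mailer;
    private readonly string _poolId;
    private readonly string _clientId;

    public TemporaryPasswordResetter(IAmazonCognitoIdentityProvider cognito, ISendMail mailer,
                                     string poolId, string clientId)
    {
        _cognito = cognito; _mailer = mailer; _poolId = poolId; _clientId = clientId;
    }

    // Admin-side sign-in. Returns true when the user authenticated or still has a valid
    // temporary password (NEW_PASSWORD_REQUIRED challenge); on the expired-account error
    // it issues a fresh temporary password and returns false so the caller can tell the user.
    public async Task<bool> SignInOrResetAsync(string username, string password, string email)
    {
        try
        {
            var auth = await _cognito.AdminInitiateAuthAsync(new AdminInitiateAuthRequest
            {
                UserPoolId = _poolId,
                ClientId = _clientId,
                AuthFlow = AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
                AuthParameters = new Dictionary<string, string>
                {
                    ["USERNAME"] = username,
                    ["PASSWORD"] = password,
                },
            });
            return auth.AuthenticationResult != null
                || auth.ChallengeName == ChallengeNameType.NEW_PASSWORD_REQUIRED;
        }
        catch (NotAuthorizedException ex) when (IsExpiredTemporaryPassword(ex.Message))
        {
            // Assumption: the expired-account condition surfaces as NotAuthorizedException.
            await ResetTemporaryPasswordAsync(username, email);
            return false;
        }
    }

    // Matches the error text quoted in the question.
    public static bool IsExpiredTemporaryPassword(string message) =>
        message != null && message.Contains("User account has expired", StringComparison.Ordinal);

    public async Task ResetTemporaryPasswordAsync(string username, string email)
    {
        var temporaryPassword = GenerateTemporaryPassword();

        // RESEND targets the existing user and restarts the expiration window.
        await _cognito.AdminCreateUserAsync(new AdminCreateUserRequest
        {
            UserPoolId = _poolId,
            Username = username,
            MessageAction = MessageActionType.RESEND,
            TemporaryPassword = temporaryPassword,
            DesiredDeliveryMediums = new List<string> { "EMAIL" },
        });

        // The temporary password is a live credential: deliver it only through the
        // trusted mailer and never write it to logs.
        await _mailer.SendAsync(email, "Your new temporary password",
            $"Your temporary password is: {temporaryPassword}\nIt expires in 7 days.");
    }

    // Builds a password satisfying a default Cognito policy (length >= 8 with upper, lower,
    // digit and symbol) from a CSPRNG, then shuffles so the character-class order is not fixed.
    public static string GenerateTemporaryPassword(int length = 16)
    {
        const string upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
        const string lower = "abcdefghijkmnpqrstuvwxyz";
        const string digit = "23456789";
        const string symbol = "!@#$%^&*";
        string all = upper + lower + digit + symbol;

        var chars = new List<char>
        {
            upper[RandomNumberGenerator.GetInt32(upper.Length)],
            lower[RandomNumberGenerator.GetInt32(lower.Length)],
            digit[RandomNumberGenerator.GetInt32(digit.Length)],
            symbol[RandomNumberGenerator.GetInt32(symbol.Length)],
        };
        while (chars.Count < length)
            chars.Add(all[RandomNumberGenerator.GetInt32(all.Length)]);

        for (int i = chars.Count - 1; i > 0; i--)   // Fisher-Yates with a CSPRNG
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }
        return new string(chars.ToArray());
    }
}
```

Two practical checks before relying on this: confirm in your own pool whether Cognito still sends its default invitation on RESEND (the answer reports it did not in a pool where email notifications were disabled; a pool with email delivery configured may behave differently), and adjust GenerateTemporaryPassword to your pool's actual password policy, since a non-compliant value is rejected by AdminCreateUser.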