
AWS Cognito - PostSignUp Trigger Not Working

I have a post signup trigger set up to store the user details in a DynamoDB table. This works fine when the user signs up on their own through the front-end, but the trigger is never invoked if the user is created through the AdminCreateUser API. Our assumption was that after the newly added user gets an email with a temporary password and logs in through the front-end, Cognito will invoke the postsignup trigger.

Is that an expected behavior? And also, how do we address this issue?

Emon asked Feb 14 '20 18:02


People also ask

How do you add post confirmation in Lambda trigger?

Post confirmation request parameters: You can pass this data to your Lambda function by using the ClientMetadata parameter in the following API actions: AdminConfirmSignUp, ConfirmForgotPassword, ConfirmSignUp, and SignUp.

How do I Auto verify Cognito?

In the response, you can set autoConfirmUser to true if you want to auto-confirm the user. You can set autoVerifyEmail to true to auto-verify the user's email. You can set autoVerifyPhone to true to auto-verify the user's phone number.

What is callback URL in Cognito?

A callback URL indicates where the user will be redirected after a successful sign-in. Enter Sign out URL(s). A sign-out URL indicates where your user will be redirected after signing out. Select Authorization code grant to return an authorization code that is then exchanged for user pool tokens.

Can Cognito do authorization?

An authorization code grant is a code parameter that Amazon Cognito appends to your redirect URL. Your app can exchange the code with the Token endpoint for access, ID, and refresh tokens. As a security best practice, and to receive refresh tokens for your users, use an authorization code grant in your app.


1 Answer

Although that's counterintuitive, it seems that's the expected behavior.

The Post Confirmation trigger is not invoked when a user is created via the AdminCreateUser API.

A workaround could be to use the Post Authentication trigger and, while processing the fired event, check whether cognito:user_status is FORCE_CHANGE_PASSWORD.

When a user is created using AdminCreateUser, the status of the new user is set to FORCE_CHANGE_PASSWORD. Once the user logs in and changes the temporary password, the status is changed to CONFIRMED.

The downside is that the trigger is invoked after every login.

a1eksandre answered Sep 23 '22 15:09
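A sketch of the workaround described in the answer above, as an added example that is not code from the original answer: a Post Authentication Lambda handler that stores the user only while `cognito:user_status` is `FORCE_CHANGE_PASSWORD`, using a conditional write so the per-login invocation never overwrites an existing record. The table name, the `USERS_TABLE` environment variable, the `sub` partition key, the stored attributes and the sample event are assumptions.

```python
import os

TABLE_NAME = os.environ.get("USERS_TABLE", "users")  # assumed table name

# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "triggerSource": "PostAuthentication_Authentication",
    "userName": "jdoe",
    "request": {"userAttributes": {
        "sub": "00000000-0000-0000-0000-000000000001",
        "email": "jdoe@example.com",
        "cognito:user_status": "FORCE_CHANGE_PASSWORD",
    }},
    "response": {},
}


def _default_table():
    import boto3  # imported lazily so the logic can be exercised without AWS
    return boto3.resource("dynamodb").Table(TABLE_NAME)


def is_first_admin_login(event):
    """True when an AdminCreateUser account is still in FORCE_CHANGE_PASSWORD."""
    attrs = event.get("request", {}).get("userAttributes", {})
    return (event.get("triggerSource") == "PostAuthentication_Authentication"
            and attrs.get("cognito:user_status") == "FORCE_CHANGE_PASSWORD")


def handler(event, context=None, table=None):
    if is_first_admin_login(event):
        attrs = event["request"]["userAttributes"]
        table = table or _default_table()
        try:
            # Conditional write: only create the item if this sub is not stored yet.
            table.put_item(
                Item={"sub": attrs["sub"], "username": event["userName"],
                      "email": attrs.get("email", "")},
                ConditionExpression="attribute_not_exists(#s)",
                ExpressionAttributeNames={"#s": "sub"},
            )
        except Exception as exc:
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "ConditionalCheckFailedException":
                raise  # a real failure, not "record already exists"
    return event  # Cognito triggers must return the event object
```

The Lambda's execution role needs only `dynamodb:PutItem` on that one table, which keeps the trigger's permissions narrow.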