How to change password of AWS Cognito User?

I'm developing a web application which uses the AWS services backend side. I'm using AWS Cognito to manage the users but I have a problem. When I create a new user (with a temporary password) it is required that I change this password manually to make it definitive. The only way I have to change the password is using AWS Cli, as explained here:

https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/change-password.html

I have to type in the shell the old password, the new password and the Access Token. The problem is: where do I find this "Access token"? I don't know what to type in the shell! The AWS Cognito console doesn't help.

claudioz asked Sep 20 '17 13:09



People also ask

Is it possible to get AWS Cognito user password?

It is not possible to get a user password from AWS Cognito. Cognito just lets the user reset his password but it has got no API call to perform password retrieval and it's not meant to do that for security reasons.

How do I change user in Cognito?

To update a cognito user's attributes use the admin-update-user-attributes command, specifying the user-pool-id, username and user-attributes parameters. In the example above, we've set the gender attribute of the user to m and their name attribute to john smith.

How does AWS Cognito hash passwords?

Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash so that the same user can be recognized again in the future without storing the actual user identifier.


1 Answer

The aws cognito-idp change-password command can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth.

But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.

Here's how I did it:

$ aws cognito-idp admin-create-user --user-pool-id USERPOOLID --username [email protected] --desired-delivery-mediums EMAIL --user-attributes Name=email,[email protected]

$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters [email protected],PASSWORD="tempPassword"

Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:

$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID --challenge-responses "NEW_PASSWORD=LaLaLaLa1234!!!!,[email protected]" --challenge-name NEW_PASSWORD_REQUIRED --session "YourLongSessionToken"
Esben von Buchwald answered Oct 03 '22 21:10

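The same flow as the answer above (sign in with the temporary password, receive the NEW_PASSWORD_REQUIRED challenge plus its session string, answer it with the permanent password) as an added Python example; this is not code from the answer or from AWS. It uses the boto3 cognito-idp client method names and response keys, and FakeCognitoIdp is a constructed offline stand-in so the flow runs without an AWS account; against a real pool, pass boto3.client("cognito-idp") and your app client id instead, with the USER_PASSWORD_AUTH flow enabled on that app client.

```python
import secrets


def complete_temporary_password(client, client_id, username, temp_password, new_password):
    """Sign in with the temporary password, answer the NEW_PASSWORD_REQUIRED
    challenge and return the tokens of the now fully signed-in user."""
    # Same call as `aws cognito-idp initiate-auth`; the app client must allow
    # the USER_PASSWORD_AUTH flow or Cognito rejects it.
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    if "AuthenticationResult" in resp:  # password was already permanent
        return resp["AuthenticationResult"]
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError(f"unexpected challenge: {resp.get('ChallengeName')}")
    # Same call as `aws cognito-idp respond-to-auth-challenge`: the Session
    # string is the short-lived handle for this login, not an access token.
    resp = client.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]


class FakeCognitoIdp:
    """Constructed offline stand-in for boto3.client("cognito-idp"): one user
    whose temporary password forces the NEW_PASSWORD_REQUIRED challenge."""

    def __init__(self, username, temp_password):
        self.users = {username: {"password": temp_password, "temporary": True}}
        self.sessions = set()

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise RuntimeError("NotAuthorizedException")
        if user["temporary"]:
            session = secrets.token_hex(8)  # stands in for the long session string
            self.sessions.add(session)
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": session}
        return {"AuthenticationResult": {"AccessToken": "access-token"}}

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        if Session not in self.sessions:
            raise RuntimeError("NotAuthorizedException: session expired or reused")
        self.sessions.discard(Session)  # a session handle is single-use
        user = self.users[ChallengeResponses["USERNAME"]]
        user.update(password=ChallengeResponses["NEW_PASSWORD"], temporary=False)
        return {"AuthenticationResult": {"AccessToken": "access-token"}}
```

The AccessToken in the returned AuthenticationResult is the value that aws cognito-idp change-password asks for, so later password changes by the signed-in user need no admin call.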