Restore password for FORCE_CHANGE_PASSWORD status

I need to restore or reset a user's password when his status is FORCE_CHANGE_PASSWORD. This situation happened when the user tried to restore his password using the "forgot password" feature and lost the email with the temporary password. Now he can't do anything because he doesn't remember the password and can't reset it again.

This code handles forgot password:

return CognitoIdentitySP.forgotPassword(params, (err, resp) => {
  if (err) { ... }
  ...
})

And I receive this error (in the case of FORCE_CHANGE_PASSWORD status):

NotAuthorizedException: User password cannot be reset in the current state.

Is there any way to reset password in such state?

Bogdan asked Dec 05 '17 13:12



2 Answers

You can use aws-cli to do it. Here is a sample command, replace POOL_ID and EMAIL_ADDRESS accordingly:

aws cognito-idp admin-create-user --user-pool-id <POOL_ID> --username <EMAIL_ADDRESS> --message-action RESEND --profile <AWS_PROFILE>
Qinjie answered Sep 20 '22 07:09


You can also use the admin-set-user-password command in this situation of the temporary password being lost or expired:

aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent

This will set a new temporary password of whatever you set the password to be, but importantly it will force the user to set a new password as soon as they log in, so security is maintained.

You will need to communicate this to the user, but we found this extremely useful when your company's security policies prevent you from being able to run the create user command.

Andrew answered Sep 21 '22 07:09
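The two answers above give the two recovery paths as one-off commands. The script below is an added example (not code from either answer) that wraps them in a small helper: it first reads the user's status with admin-get-user, and only acts when the user really is stuck in FORCE_CHANGE_PASSWORD, either resending the invitation or setting a fresh temporary password with --no-permanent so the user still has to choose their own password at the next sign-in. The environment variable names (COGNITO_POOL_ID, COGNITO_USERNAME, RECOVERY_MODE, TEMP_PASSWORD) are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example: recover a Cognito user stuck in FORCE_CHANGE_PASSWORD.
# Requires the aws CLI and admin rights on the user pool (placeholders below).
set -eu

# Read "UserStatus" from the admin-get-user JSON response (no jq needed).
# $1 = user pool id, $2 = username
user_status() {
  aws cognito-idp admin-get-user --user-pool-id "$1" --username "$2" \
    | sed -n 's/.*"UserStatus": *"\([A-Z_]*\)".*/\1/p'
}

# Map (status, operator's chosen mode) to an action: RESEND, SET_TEMP or NOOP.
# Anything other than FORCE_CHANGE_PASSWORD is left alone on purpose: a
# CONFIRMED user can use "forgot password" normally and must not be reset here.
choose_action() {
  if [ "$1" = "FORCE_CHANGE_PASSWORD" ]; then
    if [ "$2" = "resend" ]; then echo RESEND; else echo SET_TEMP; fi
  else
    echo NOOP
  fi
}

# $1 = pool id, $2 = username, $3 = "resend" | "settemp", $4 = temp password
recover_user() {
  pool="$1"; user="$2"; mode="$3"; temp_pw="${4:-}"
  action=$(choose_action "$(user_status "$pool" "$user")" "$mode")
  case "$action" in
    RESEND)
      # Re-sends the invitation email with a newly generated temporary password.
      aws cognito-idp admin-create-user --user-pool-id "$pool" \
        --username "$user" --message-action RESEND >/dev/null ;;
    SET_TEMP)
      # Temporary password handed to the user out of band; --no-permanent keeps
      # the forced password change so the operator never knows the final one.
      [ -n "$temp_pw" ] || { echo "settemp mode needs a temporary password" >&2; return 1; }
      aws cognito-idp admin-set-user-password --user-pool-id "$pool" \
        --username "$user" --password "$temp_pw" --no-permanent >/dev/null ;;
  esac
  echo "$action"
}

# Only run when the operator supplies a pool id (placeholder environment variables).
if [ -n "${COGNITO_POOL_ID:-}" ]; then
  recover_user "$COGNITO_POOL_ID" "${COGNITO_USERNAME:?}" \
    "${RECOVERY_MODE:-resend}" "${TEMP_PASSWORD:-}"
fi
```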