How to change User Status FORCE_CHANGE_PASSWORD?
Using AWS Cognito, I want to create dummy users for testing purposes.
I then use the AWS Console to create such user, but the user has its status set to FORCE_CHANGE_PASSWORD. With that value, this user cannot be authenticated.
Is there a way to change this status?
UPDATE Same behavior when creating user from CLI
Answer
I know it's been a while but thought this might help other people who come across this post.
You can use the AWS CLI to change the users password, however it's a multi step process:
Step 1: Get a session token for the desired user:
aws cognito-idp admin-initiate-auth --user-pool-id %USER POOL ID% --client-id %APP CLIENT ID% --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=%USERS USERNAME%,PASSWORD=%USERS CURRENT PASSWORD%
If this returns an error about
Unable to verify secret hash for client, create another app client without a secret and use that client ID.
Step 2: If step 1 is successful, it will respond with the challenge NEW_PASSWORD_REQUIRED, other challenge parameters and the users session key. Then, you can run the second command to issue the challenge response:
aws cognito-idp admin-respond-to-auth-challenge --user-pool-id %USER POOL ID% --client-id %CLIENT ID% --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD=%DESIRED PASSWORD%,USERNAME=%USERS USERNAME% --session %SESSION KEY FROM PREVIOUS COMMAND with ""%
If you get an error about
Invalid attributes given, XXX is missingpass the missing attributes using the formatuserAttributes.$FIELD_NAME=$VALUE
The above command should return a valid Authentication Result and appropriate Tokens.
Important: For this to work, the Cognito User Pool MUST have an App client configured with ADMIN_NO_SRP_AUTH functionality (Step 5 in this doc).