Imported User (RESET_REQUIRED) throws InvalidParameterException on signIn #2298

Closed
karasahinemre opened this issue Feb 20, 2020 · 23 comments
bug Something isn't working cognito Issues related to AWS Cognito service Issues that depend on service/backend work

Comments

@karasahinemre

Describe the bug
Imported User (RESET_REQUIRED) throws InvalidParameterException on AWSMobileClient.default().signIn(username: email, password: password)

To Reproduce
Steps to reproduce the behavior:

  1. Import user via .csv file
  2. Make sure user state is RESET_REQUIRED
  3. Sign in with AWSMobileClient.default().signIn(username: email, password: password)
  4. See that the error is invalidParameter

Expected behavior
It should be a passwordResetRequired exception

Environment (please complete the following information):

  • SDK Version: 2.12.3
  • Dependency Manager: Cocoapods
  • Swift Version: 5.0

Device Information:

  • Device: iPhone XR
  • iOS Version: iOS 13.3.1
  • Specific to simulators: No
@wooj2 wooj2 added the cognito Issues related to AWS Cognito label Feb 20, 2020
@wooj2
Contributor

wooj2 commented Feb 20, 2020

@karasahinemre - thanks for taking the time to report this. Can you please provide us a sample .csv file (without any sensitive data) so we can try and reproduce this issue?

Thank you

@karasahinemre
Author

Hello, you can find an example csv file below.

https://we.tl/t-AlzGVMbqSx

@wooj2 wooj2 self-assigned this Feb 21, 2020
@wooj2
Contributor

wooj2 commented Feb 21, 2020

@karasahinemre - Sorry for the delay. I've looked into this issue, and I think it is a misunderstanding of our APIs.

It is actually expected behavior that the Cognito Service returns an error (which then returns an error in the SDK) in the event that you are calling AWSMobileClient.default().signIn(username: email, password: password) when the user is in a RESET_REQUIRED state. In a custom login UI scenario, it is the developer's responsibility to:

  1. Detect this error
  2. Prompt the user that their password is required to be updated (optional, but recommended)
  3. Direct the user through a Forgot Password UI flow (so that the customer can reset their password -- again, optional but recommended)

The Forgot Password UI flow involves first calling:

AWSMobileClient.default().forgotPassword(username: username)

(Successful completion of this call should send a one time password/confirmation code to the user)

and then:

AWSMobileClient.default().confirmForgotPassword(username: username, newPassword: newPassword, confirmationCode: confirmationCode)

More information can be found here:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool-password-reset.html

On a side note, I also noticed that you are using a slightly outdated version of our SDK. We always recommend upgrading to our latest version 2.12.7 if possible.

Hope this helps and best of luck. I am optimistically closing this ticket, but if you have further problems, feel free to re-open.

@wooj2 wooj2 closed this as completed Feb 21, 2020
@karasahinemre
Author

karasahinemre commented Feb 21, 2020

I think you misunderstood me.

I know the flow. The SDK has to return passwordResetRequired, but it returns invalidParameter instead.

This issue already exists in Android and JS SDK too.

aws-amplify/amplify-js#4516 --> JS
aws-amplify/aws-sdk-android#1377 --> Android

@wooj2
Contributor

wooj2 commented Feb 22, 2020

Oops, so sorry I misunderstood you, and thanks for your patience!

Unfortunately, I am unable to reproduce the "InvalidParameterException". Is it possible to turn on additional logging to further debug this issue? You can add the following to your app delegate to turn on debug logging, for example:

import UIKit
import AWSCore

// Standard UIKit app-delegate launch hook; the AWS logger setup goes here so it runs
// before any AWSMobileClient call is made.
func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
    // Log at debug level and route SDK log output to the Xcode console (TTY logger)
    AWSDDLog.sharedInstance.logLevel = .debug
    AWSDDLog.add(AWSDDTTYLogger.sharedInstance)
    return true
}

Then attempt to sign in and capture the request headers and response header & body? (Note that the request body would be nice to see, but might be too much work to scrub out any sensitive data)

For example, in attempting to reproduce your issue, my request headers look like this:

2020-02-21 16:18:03:966 SampleCognitoCustomUI[1470:18945162] Request headers:
{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.us-west-2.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.12.3 iOS/13.2.2 en_US aws-amplify/cli";
    "X-Amz-Date" = 20200222T001803Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.InitiateAuth";
}

And my response header/body look like:

2020-02-21 16:18:04:223 SampleCognitoCustomUI[1470:18946264] Response headers:
{
    "Content-Length" = 92;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Sat, 22 Feb 2020 00:18:04 GMT";
    "x-amzn-errormessage" = "Password reset required for the user";
    "x-amzn-errortype" = "PasswordResetRequiredException:";
    "x-amzn-requestid" = "---------REDACTED-----------";
}
2020-02-21 16:18:04:223 SampleCognitoCustomUI[1470:18946264] Response body:
{"__type":"PasswordResetRequiredException","message":"Password reset required for the user"}
Error occurred: The operation couldn’t be completed. (AWSMobileClient.AWSMobileClientError error 14.)

@wooj2 wooj2 reopened this Feb 22, 2020
@karasahinemre
Author

karasahinemre commented Feb 22, 2020

This user was imported via the provided .csv file and has no password.

Headers

Request headers:
{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.eu-west-1.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.12.3 iOS/13.3 en MobileHub/1.0";
    "X-Amz-Date" = 20200222T234245Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.InitiateAuth";
}
Response headers:
{
    "Content-Length" = 70;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Sat, 22 Feb 2020 23:42:45 GMT";
    "x-amzn-errormessage" = "Invalid input given";
    "x-amzn-errortype" = "InvalidParameterException:";
    "x-amzn-requestid" = "c6158f64-c6e6-4992-8ae4-56f5b8966c78";
}

Body

Request body:
{"UserContextData":{"EncodedData":"eyJwYXlsb2FkIjoie1widXNlcm5hbWVcIjpcImdpemVtZGVuZW1lM0BtYWlsaW5hdG9yLmNvbVwiLFwiY29udGV4dERhdGFcIjp7XCJBcHBsaWNhdGlvblZlcnNpb25cIjpcIjAuMS41MS0xXCIsXCJIYXNTaW1DYXJkXCI6XCJmYWxzZVwiLFwiUGhvbmVUeXBlXCI6XCJ4ODZfNjRcIixcIkRldmljZUlkXCI6XCJlNjc2MTZhYy0zMWYxLTRlZmItOTgxZi1jYjYzNWQ2ODcyMThcIixcIlNjcmVlbldpZHRoUGl4ZWxzXCI6XCI3NTBcIixcIlBsYXRmb3JtXCI6XCJpT1NcIixcIlNjcmVlbkhlaWdodFBpeGVsc1wiOlwiMTMzNFwiLFwiQXBwbGljYXRpb25UYXJnZXRTZGtcIjpcIjgwMDAwXCIsXCJBcHBsaWNhdGlvbk5hbWVcIjpcImNvbS52ZXN0ZWwuZHJpdmVncmVlblwiLFwiRGV2aWNlT3NSZWxlYXNlVmVyc2lvblwiOlwiMTMuM1wiLFwiRGV2aWNlRmluZ2VycHJpbnRcIjpcIkFwcGxlXFxcL2lQaG9uZVxcXC94ODZfNjRcXFwvLToxMy4zXFxcLy1cXFwvLTotXFxcL2RlYnVnXCIsXCJUaGlyZFBhcnR5RGV2aWNlSWRcIjpcIkE0NTk3RUExLUQzQTctNEJBRC05ODU3LTUwMkVDQkY0NDQwOFwiLFwiRGV2aWNlTGFuZ3VhZ2VcIjpcImVuXCIsXCJDbGllbnRUaW1lem9uZVwiOlwiKzAzOjAwXCIsXCJCdWlsZFR5cGVcIjpcImRlYnVnXCIsXCJEZXZpY2VOYW1lXCI6XCJpUGhvbmUgOFwifSxcInVzZXJQb29sSWRcIjpcImV1LXdlc3QtMV96QzdyRFVMYVVcIixcInRpbWVzdGFtcFwiOlwiMTU4MjQxNDk2NTI4MlwifSIsInZlcnNpb24iOiJJT1MyMDE3MTExNCIsInNpZ25hdHVyZSI6IldHTzlsa3p5STBYQ3o3TmdIVXJSQkNUbTVQUlpjZExqUmJYY083TnRyaU09In0="},"ClientMetadata":{"cognito:deviceName":"iPhone 8","cognito:bundleShortV":"0.1.51","cognito:idForVendor":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","cognito:bundleVersion":"1","cognito:bundleId":"com.xxx.xxxxxx","cognito:model":"iPhone","cognito:systemName":"iOS","cognito:iOSVersion":"13.3"},"AuthParameters":{"SRP_A":"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","USERNAME":"gizemdeneme3@mailinator.com"},"AuthFlow":"USER_SRP_AUTH","ClientId":"5700sa3b7co05vfdvo4abn81v2"}
Response body:
{"__type":"InvalidParameterException","message":"Invalid input given"}
The operation couldn’t be completed. (AWSMobileClient.AWSMobileClientError error 8.)

@wooj2
Contributor

wooj2 commented Feb 23, 2020

@karasahinemre

I tried very hard to reproduce the issue you are seeing, but I have not had any luck in seeing the InvalidParameterException you are seeing. Instead, I am getting the expected “PasswordResetRequiredException”. Some of the things I’ve tried:

  • Different versions of the SDK
  • Importing a csv with and without custom fields (exactly the fields you have)
  • Two different regions: us-west-2 & eu-west-1

When looking at the error, the InvalidParameterException is coming directly from AWSCognitoIdentityProviderService, so I suspect that the error is most likely due to some sort of configuration that is set up in your user pool. Are there any customizations you are using in your Cognito user pool? Can you give us a bit more information on how the user pool was set up/configured? Are you using custom auth? Federation? etc.

That being said, I believe that our error message is not very helpful to customers, as you have experienced, and I believe we can do better in this regard. This is considered to be a feature request and will need to be prioritized by our product team. Thinking out loud, the proposed change could be to update the message returned by InvalidParameterExceptions so that it would include a helpful message to help users figure out what parameter is invalid and/or missing, versus what we are showing now: "Invalid input given".

@wooj2 wooj2 added feature-request Request a new feature bug Something isn't working labels Feb 23, 2020
@karasahinemre
Author

@wooj2

You can see our customizations below. I scrubbed out sensitive info like the App Client name.

Allowed OAuth Flow: Implicit grant

[Screenshot: photo_2020-02-24_08-44-45]

[Screenshot: photo_2020-02-24_08-50-26]

@wooj2
Contributor

wooj2 commented Feb 24, 2020

@karasahinemre -
Thank you so much for taking the time to post screenshots (and scrubbing out data) so we can see the configuration! Because of your hard work, I believe I have been able to reproduce the issue you are seeing. :)

It looks like when Prevent User Existence Errors is set to Legacy, I get the expected PasswordResetRequiredException error, and when the value is set to Enabled (Recommended), I receive the error you reported: InvalidParameterException. Unfortunately, I am not sure why this is, as I do not have intimate knowledge of the Cognito backend service.

I have opened an internal ticket with the Cognito Service team, with all of the details we have discovered and will update this issue as soon as I know more.

Thank you for your patience!

@karasahinemre
Author

@wooj2
I'm glad you can reproduce the error. I'm waiting for your good news :)

@royjit royjit added service Issues that depend on service/backend work and removed feature-request Request a new feature labels Feb 27, 2020
@karasahinemre
Author

Hi, any updates?

@wooj2
Contributor

wooj2 commented Mar 6, 2020

@karasahinemre - sorry for the delay.

There seems to be a confirmed change of behavior in the backend. Typically this would be a quick fix, but the change seems to be in conflict with some other bigger items that need to go through some formal channels of approval. Unfortunately, I don't have a clear timeline as to when this will get fixed, but again, I really appreciate all the hard work you did in helping us reproduce this bug. When I get more information on when we can expect a fix, and what that fix will look like, I'll post that information back here. Thank you for your patience!

@wooj2
Contributor

wooj2 commented Apr 3, 2020

@karasahinemre
Thank you so much for your patience! The service team has deployed a fix. It's not exactly what I was expecting, because the first response returns a challengeName with a value of "PASSWORD_VERIFIER", but I suspect this is sufficient because, as a result of responding to this response, we can eventually get the expected PasswordResetRequiredException.

Here's what I'm seeing based on attempting to call signIn with a username and valid password corresponding to an account that is in a RESET_REQUIRED state.

Request:

{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.us-west-2.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.13.1 iOS/13.3 en_US aws-amplify/cli";
    "X-Amz-Date" = 20200403T194035Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.InitiateAuth";
}

Then:

Response headers:
{
    "Content-Length" = 2667;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Fri, 03 Apr 2020 19:40:35 GMT";
    "x-amzn-requestid" = "-------------------------";
}
Response body:
{"ChallengeName":"PASSWORD_VERIFIER","ChallengeParameters"......

As a result of this response, we send another request:

Request headers:
{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.us-west-2.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.13.1 iOS/13.3 en_US aws-amplify/cli";
    "X-Amz-Date" = 20200403T194035Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.RespondToAuthChallenge";
}
Request body:
{"UserContextData":....

And as a result of this request, we see the expected password reset required for the user:

Response headers:
{
    "Content-Length" = 92;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Fri, 03 Apr 2020 19:40:35 GMT";
    "x-amzn-errormessage" = "Password reset required for the user";
    "x-amzn-errortype" = "PasswordResetRequiredException:";
    "x-amzn-requestid" = "------------------------";
}
Response body:
{"__type":"PasswordResetRequiredException","message":"Password reset required for the user"}

@wooj2 wooj2 added the pending-community-response Issue is pending response from the issue requestor label Apr 3, 2020
@karasahinemre
Author

Hi,

I tried with the same configuration, but it still gives invalidParameter. Then I updated my SDK version to 2.13.1, but the result has not changed.

First try:

Request headers:
{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.eu-west-1.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.13.1 iOS/13.4 en MobileHub/1.0";
    "X-Amz-Date" = 20200404T104435Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.InitiateAuth";
}
2020-04-04 13:44:35:400 Drive Green[20347:1450134] Request body:
{"UserContextData"...

Response headers:

{
    "Content-Length" = 70;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Sat, 04 Apr 2020 10:44:57 GMT";
    "x-amzn-errormessage" = "Invalid input given";
    "x-amzn-errortype" = "InvalidParameterException:";
    "x-amzn-requestid" = "bebdae4e-5e8d-4ad5-b00a-07131e9f6b5e";
}
2020-04-04 13:44:35:831 Drive Green[20347:1450362] Response body:
{"__type":"InvalidParameterException","message":"Invalid input given"}

Second try:

Request headers:
{
    "Content-Type" = "application/x-amz-json-1.1";
    Host = "cognito-idp.eu-west-1.amazonaws.com";
    "User-Agent" = "aws-sdk-iOS/2.13.1 iOS/13.4 en MobileHub/1.0";
    "X-Amz-Date" = 20200404T104746Z;
    "X-Amz-Target" = "AWSCognitoIdentityProviderService.InitiateAuth";
}
Response headers:
{
    "Content-Length" = 70;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Sat, 04 Apr 2020 10:48:08 GMT";
    "x-amzn-errormessage" = "Invalid input given";
    "x-amzn-errortype" = "InvalidParameterException:";
    "x-amzn-requestid" = "f1079d1d-fe8c-4c9c-93fd-a2efe224bd8e";
}
2020-04-04 13:47:46:588 Drive Green[20347:1452986] Response body:
{"__type":"InvalidParameterException","message":"Invalid input given"}

Am I missing something?

@wooj2
Contributor

wooj2 commented Apr 4, 2020

Hey @karasahinemre

Thank you for quickly trying to validate the fix. Just as an FYI, I wouldn't expect the SDK version to change anything, given that this is clearly a server-side issue.

In full transparency, here’s what happened:
I have an internal ticket against the Cognito team that was set to a "resolved" state as of 48 hours ago. After noticing this, I re-tested and posted my results (as shown above). Soon after I posted my results and told you that the server team deployed a fix, surprisingly the internal ticket was re-opened by the service team, and they are claiming that there's still work to be done. :( This has caused me some confusion, and clearly it has caused you some confusion, and I'm sorry for that.

As to why my results are different than yours — honestly, I'm not sure. I first suspected it was a difference between us-west-2 and eu-west-1, but I just re-tested in eu-west-1 and I'm seeing the same results that I previously posted. One difference I see in our requests is that your user agent says MobileHub. Another difference (might be) is that I'm using the drop-in UI that comes with AWSMobileClient ( https://aws-amplify.github.io/docs/ios/authentication - the optional pod that is pointed out as AWSAuthUI). Not sure if these would really make a difference, since we're both sending the InitiateAuth call, but in any case it seems to be a backend issue, and we will need to work with our backend engineers to figure out what's going on.

At this point I will follow up with the backend developer who is responsible for making this change and see if they can investigate as to why you are continuing to see "InvalidParameterException: invalid input given". I will pass over the requestId to see if they can get a clear answer as to what is happening.

Thanks for your patience, and sorry for the confusion that this has caused.

@wooj2 wooj2 removed the pending-community-response Issue is pending response from the issue requestor label Apr 4, 2020
@karasahinemre
Author

Hi,

Any updates?

@ericcartmangogogo

ericcartmangogogo commented Apr 17, 2020

> Hi,
>
> Any updates?

Hello Emre,

This is Eric from AWS. I made the fix recently. Currently it's in code review and it will be merged today. I should be able to give you an update on the estimated deployment date pretty soon.

Thank you for finding this bug

@GabrielAraujo

GabrielAraujo commented May 1, 2020

Hey Guys,

Any update on this?

I'm using the amazon-cognito-identity-js library and facing this issue (as mentioned here).

@ericcartmangogogo will the fix work on all sdks trying to authenticate users with the RESET_REQUIRED status?

@karasahinemre
Author

Hi,

Any updates?

@GabrielAraujo

Create a Python script and use the Cognito admin API to import users instead.

@norahsakal

Hi,
Any updates on this bug? I'm facing the exact same issue.
Thanks!

@wooj2
Contributor

wooj2 commented Oct 23, 2020

@karasahinemre
As of 9/1/2020 (and re-testing 10/16/2020), we have verified (by looking at logs and executing sample applications) that PasswordResetRequiredException is returned whether Prevent User Existence Errors is enabled or disabled. Getting this response back in the callback should allow you to present the type of UX needed to help your customers get out of a RESET_REQUIRED state. I am resolving this ticket, as I believe we have resolved this issue.

@GabrielAraujo
I don't want to speak on behalf of all platforms, but the changes that happened were purely server side. Assuming all platforms work similarly (and there aren't any additional bugs), the behavior should be the same across all platforms. If you do receive errors on a specific platform, please open a ticket directly against that SDK's platform.

@norahsakal
I noticed that you commented on a ticket on 9/7/2020 reporting that you are experiencing the same issue, but I re-tested on 10/16/2020, which makes me think that you are running into a related but slightly different issue. Could you please open a separate ticket so we can investigate further?

@wooj2 wooj2 closed this as completed Oct 23, 2020
@royjit
Contributor

royjit commented Jan 7, 2022

Apologies for the confusion regarding the error message returned. The error message produced by the service depends on the configuration and the present state of the user. The following are the different scenarios:

  1. CSV imported user with no password (Prevent User Existence Errors Enabled):
    a. NotAuthorizedException
  2. Reset password for a previously confirmed user (Prevent User Existence Errors Enabled):
    a. When using previously correct password: PasswordResetRequiredException
    b. When using wrong password: NotAuthorizedException
  3. CSV imported user with no password (Prevent User Existence Errors Disabled):
    a. PasswordResetRequiredException
  4. Reset password for a previously confirmed user (Prevent User Existence Errors Disabled):
    a. When using previously correct password: PasswordResetRequiredException
    b. When using wrong password: PasswordResetRequiredException

A user can enter a RESET_REQUIRED state upon initial CSV import (cases 1 and 3) or a password reset on a confirmed user (cases 2 and 4). The only case in which a PasswordResetRequiredException is thrown while PreventUserExistenceErrors is Enabled is 2a.
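Putting the two halves of this thread together (the forgot-password flow wooj2 described on Feb 21, and the scenario list in the comment above): the following Swift example is added here and is not code from this issue or from the aws-sdk-ios project. It shows how a custom sign-in UI can classify the sign-in error, treat NotAuthorizedException as a possible imported-user-with-no-password case when Prevent User Existence Errors is Enabled (case 1 above), and walk a RESET_REQUIRED user through forgotPassword and confirmForgotPassword. It assumes AWSMobileClient 2.13.x as used in the thread; `showMessage` and `SignInOutcome` are hypothetical names standing in for the app's own UI layer.

```swift
import AWSMobileClient

/// Outcome of a sign-in attempt, reduced to the cases a custom UI has to act on.
/// (Hypothetical type, not part of the SDK.)
enum SignInOutcome {
    case signedIn
    case resetRequired        // PasswordResetRequiredException: run the forgot-password flow
    case badCredentials       // NotAuthorizedException: wrong password, OR an imported user with
                              // no password while Prevent User Existence Errors is Enabled (case 1)
    case other(Error)         // anything else, including the InvalidParameterException from this thread
}

/// Placeholder for the app's own alert/toast presentation (hypothetical helper).
func showMessage(_ text: String) {
    print(text)
}

/// Map AWSMobileClientError cases onto SignInOutcome. Unknown errors are surfaced as
/// `.other` rather than being silently treated as a wrong password.
func classify(_ error: Error) -> SignInOutcome {
    guard let mcError = error as? AWSMobileClientError else { return .other(error) }
    switch mcError {
    case .passwordResetRequired:
        return .resetRequired
    case .notAuthorized:
        return .badCredentials
    default:
        return .other(error)
    }
}

/// Step 1 of the recovery: ask Cognito to send a confirmation code to the user's verified
/// email or phone. Success means the code has been sent, not that the password changed.
func startPasswordReset(username: String, completion: @escaping (Result<Void, Error>) -> Void) {
    AWSMobileClient.default().forgotPassword(username: username) { result, error in
        if let error = error { completion(.failure(error)); return }
        guard let result = result, result.forgotPasswordState == .confirmationCodeSent else {
            completion(.failure(AWSMobileClientError.unknown(message: "unexpected forgotPassword state")))
            return
        }
        completion(.success(()))
    }
}

/// Step 2: submit the code the user received together with the new password.
func finishPasswordReset(username: String, newPassword: String, code: String,
                         completion: @escaping (Result<Void, Error>) -> Void) {
    AWSMobileClient.default().confirmForgotPassword(username: username,
                                                    newPassword: newPassword,
                                                    confirmationCode: code) { result, error in
        if let error = error { completion(.failure(error)); return }
        guard result?.forgotPasswordState == .done else {
            completion(.failure(AWSMobileClientError.unknown(message: "unexpected confirmForgotPassword state")))
            return
        }
        completion(.success(()))
    }
}

/// Custom-UI sign-in: attempt signIn, classify the failure, and kick off the reset flow
/// when the user is in RESET_REQUIRED. The caller presents the code/new-password form and
/// then calls finishPasswordReset.
func signIn(username: String, password: String, completion: @escaping (SignInOutcome) -> Void) {
    AWSMobileClient.default().signIn(username: username, password: password) { result, error in
        if let error = error {
            let outcome = classify(error)
            if case .resetRequired = outcome {
                // Optional but recommended: tell the user why they are being redirected,
                // then send the confirmation code before showing the reset form.
                showMessage("Your password must be reset before you can sign in.")
                startPasswordReset(username: username) { sendResult in
                    if case .failure(let sendError) = sendResult {
                        showMessage("Could not send a reset code: \(sendError.localizedDescription)")
                    }
                }
            }
            completion(outcome)
            return
        }
        if result?.signInState == .signedIn {
            completion(.signedIn)
        } else {
            completion(.other(AWSMobileClientError.unknown(message: "unhandled sign-in state")))
        }
    }
}
```

Because case 1 in the list above yields NotAuthorizedException rather than PasswordResetRequiredException when Prevent User Existence Errors is Enabled, a custom UI that only reacts to `.passwordResetRequired` will leave freshly imported users stuck; offering the forgot-password path from the `.badCredentials` branch as well covers that configuration without disclosing whether the account exists.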

6 participants