Imported User (RESET_REQUIRED) throws InvalidParameterException on signIn #2298
Comments
@karasahinemre - thanks for taking the time to report this. Can you please provide us a sample .csv file (without any sensitive data) so we can try and reproduce this issue? Thank you |
Hello, you can find an example CSV file below. |
@karasahinemre - Sorry for the delay. I've looked into this issue, and I think it is a misunderstanding of our APIs. It is actually expected behavior that the Cognito Service returns an error (which then returns an error in the SDK) in the event that you are calling
The Forgot Password UI flow involves first calling:
(Successful completion of this call should send a one time password/confirmation code to the user) and then:
More information can be found here: On a side note, I also noticed that you are using a slightly outdated version of our SDK. We always recommend upgrading to our latest version 2.12.7 if possible. Hope this helps and best of luck. I am optimistically closing this ticket, but if you have further problems, feel free to re-open. |
I think you misunderstood me. I know the flow. The SDK has to return passwordResetRequired, but it returns invalidParameter instead. This issue already exists in the Android and JS SDKs too. aws-amplify/amplify-js#4516 --> JS |
Oops, so sorry I misunderstood you, and thanks for your patience! Unfortunately, I am unable to reproduce the "InvalidParameterException". Is it possible to turn on additional logging to further debug this issue? You can add the following to your app delegate to turn on debug logging, for example:
Then attempt to sign in and capture the request headers and response header & body? (Note that the request body would be nice to see, but might be too much work to scrub out any sensitive data) For example, in attempting to reproduce your issue, my request headers look like this:
And my response header/body look like:
|
This user imported via provided .csv file and has no password. Headers
Body
|
I tried very hard to reproduce the issue you are seeing, but I have not had any luck in seeing the InvalidParameterException you are seeing. Instead, I am getting the expected “PasswordResetRequiredException”. Some of the things I’ve tried:
When looking at the error, the InvalidParameterException is coming directly from AWSCognitoIdentityProviderService, so I suspect that the error is most likely due to some sort of configuration that is set up in your user pool. Are there any customizations you are using in your Cognito user pool? Can you give us a bit more information on how the user pool was set up/configured? Are you using custom auth? Federation? etc. That being said, I believe that our error message is not very helpful to customers, as you have experienced, and I believe we can do better in this regard. This is considered to be a feature request and will need to be prioritized by our product team. Thinking out loud, the proposed change could be to update the message returned by |
You can see our customizations from below. I scrub out sensitive info like App Client name. Allowed OAuth Flow: Implicit grant |
@karasahinemre - It looks like when I have opened an internal ticket with the Cognito Service team, with all of the details we have discovered and will update this issue as soon as I know more. Thank you for your patience! |
@wooj2 |
Hi, any updates? |
@karasahinemre - sorry for the delay. There seems to be a confirmed change of behavior in the backend. Typically this would be a quick fix, but the change seems to be in conflict with some other bigger items that need to go through some formal channels of approval. Unfortunately, I don't have a clear timeline as to when this will get fixed, but again, really appreciate all the hard work you did in helping us reproduce this bug. When I get more information on when we can expect a fix, and what that fix will look like, I'll post that information back here. Thank you for your patience! |
@karasahinemre Here's what I'm seeing based on attempting to call Request:
Then:
As a result of this response, we send another request:
And as a result of this request, we see the expected password reset required for the user:
|
Hi, I tried with the same configuration, but it still gives invalidParameter. Then I updated my SDK version to 2.13.1, but the result has not changed. First try:
Response headers:
Second try:
Am I missing something? |
Hey @karasahinemre Thank you for quickly trying to validate the fix. Just as an FYI, I wouldn’t expect the SDK version to change anything given that this is clearly a server side issue. In full transparency, here’s what happened: As to why my results are different than yours — honestly, I’m not sure. I first suspected it was a difference between us-west-2 and eu-west-1, but I just re-tested in eu-west-1 and I’m seeing the same results that I previously posted. One difference I see in our requests is that your user agent says MobileHub. Another difference (might be) is that I’m using the drop-in UI that comes with AWSMobileClient ( https://aws-amplify.github.io/docs/ios/authentication - the optional pod that is pointed out as AWSAuthUI). Not sure if these would really make a difference since we’re both sending the InitiateAuth call, but in any case, it seems to be a backend issue, and will need to work with our backend engineers to figure out what’s going on. At this point I will follow up with the backend developer who is responsible for making this change and see if they can investigate as to why you are continuing to see “InvalidParameterException: Thanks for your patience and sorry for the confusion that this has caused. |
Hi, Any updates? |
Hello Emre, This is Eric from AWS. I made the fix recently. Currently it's in code review and it will be merged today. I should be able to give you an update on the estimated deployment date pretty soon. Thank you for finding this bug |
Hey Guys, Any update on this? I'm using the amazon-cognito-identity-js library and facing this issue (As mentioned here). @ericcartmangogogo will the fix work on all sdks trying to authenticate users with the |
Hi, Any updates? |
Create a python script and use the cognito admin api to import users instead. |
Hi, |
@karasahinemre @GabrielAraujo @norahsakal |
Apologies for the confusion regarding the error message returned. The error message produced by the service depends on the configuration and the present state of the user. The following are the different scenarios:
A user can enter a RESET_REQUIRED state upon initial CSV import (cases 1 and 3) or a password reset on a confirmed user (cases 2 and 4). The only time where a PasswordResetRequiredException is thrown when PreventUserExistenceErrors is Enabled, is 2a. |
Describe the bug
Imported User (RESET_REQUIRED) throws InvalidParameterException on AWSMobileClient.default().signIn(username: email, password: password)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
It should be passwordResetRequired exception
Environment(please complete the following information):
Device Information: