This repository has been archived by the owner on Nov 5, 2024. It is now read-only.

AWS Cognito UserMFASettingList field of AdminGetUserResponse is empty #693

Closed
lgolubenkobit opened this issue Jan 31, 2024 · 6 comments
Assignees
Labels
bug Something isn't working cognito service-api This issue pertains to the AWS API

Comments

@lgolubenkobit

Describe the bug

I have the same problem as the one described here, not only with MFASettingList but also with mfaOptions and preferredMfaSetting:
StackOverflow

After logging in on the hosted UI, I configured a TOTP app as 2FA, but when I invoke adminGetUser or getUser via the SDK,
the attributes are null or empty.

Expected Behavior

Return preferred MFA and available options

Current Behavior

Attributes are null or empty
MFASettingList: []
mfaOptions: []
preferredMfaSetting: null

Reproduction Steps

Log in on the hosted UI and configure 2FA,
Invoke adminUserInfo via the SDK.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.21.12

JDK version used

Java 8

Operating System and version

KDE Plasma

@lgolubenkobit lgolubenkobit added bug Something isn't working needs-triage labels Jan 31, 2024
@debora-ito
Member

@lgolubenkobit I'll need more information in order to help you out.

  • Can you please provide a code sample I can use to reproduce the issue?
  • Are you able to reproduce in a local environment? If so, can you enable the verbose wirelogs and share the response of a AdminGetUser call? Please make sure to redact any sensitive information, like access keys.

According to the API Reference, mfaOptions is no longer supported, so this field won't return values.

@debora-ito debora-ito added response-requested This issue requires a response to continue and removed needs-triage labels Feb 1, 2024
@debora-ito debora-ito self-assigned this Feb 1, 2024
@lgolubenkobit
Author

lgolubenkobit commented Feb 1, 2024

When invoking this function, it is expected to return which method the user chose, or the available options enabled in the pool:

```java
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;

// Looks up one user of the configured pool by its sub (used as the username)
public AdminGetUserResponse getUserByUuid(String userSub) {
    AdminGetUserRequest adminGetUserRequest = AdminGetUserRequest.builder()
            .userPoolId(cognitoPoolId)
            .username(userSub)
            .build();

    return cognitoClient.adminGetUser(adminGetUserRequest);
}
```

but after invoking it:

```java
System.err.println("*********************************************************************************************");
// cognitoUtil wraps the adminGetUser call shown above (the username argument is redacted here)
AdminGetUserResponse response = cognitoUtil.getUserByUuid("");
System.err.println("*********************************************************************************************");
// Plain user attributes come back fine
for (AttributeType a : response.userAttributes()) {
    System.err.println(a.name() + " " + a.value());
}
System.err.println();
System.err.println("response: " + response);
System.err.println();
// MFA-related fields are what this issue is about
System.err.println("userStatusAsString: " + response.userStatusAsString());
System.err.println("hasMFASettingList: " + response.hasUserMFASettingList());
System.err.println("MFASettingList: " + response.userMFASettingList());
System.err.println("hasMfaOptions: " + response.hasMfaOptions());
System.err.println("mfaOptions: " + response.mfaOptions());
System.err.println("preferredMfaSetting: " + response.preferredMfaSetting());
System.err.println();
System.err.println("*********************************************************************************************");
```

This is the response:

*********************************************************************************************
2024-02-02 11:32:27.513 DEBUG 414547 --- [           main] s.a.a.c.i.ExecutionInterceptorChain      : Creating an interceptor chain that will apply interceptors in the following order: [software.amazon.awssdk.core.internal.interceptor.HttpChecksumValidationInterceptor@302ab67e, software.amazon.awssdk.awscore.interceptor.HelpfulUnknownHostExceptionInterceptor@28058dd0, software.amazon.awssdk.awscore.eventstream.EventStreamInitialRequestInterceptor@735d1db7, software.amazon.awssdk.awscore.interceptor.TraceIdExecutionInterceptor@4040559d, software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderResolveEndpointInterceptor@253c82ad, software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderRequestSetEndpointInterceptor@2153f0d7]
2024-02-02 11:32:27.848 DEBUG 414547 --- [           main] s.a.a.c.i.ExecutionInterceptorChain      : Interceptor 'software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderRequestSetEndpointInterceptor@2153f0d7' modified the message with its modifyHttpRequest method.
2024-02-02 11:32:27.992 DEBUG 414547 --- [           main] software.amazon.awssdk.request           : Sending Request: DefaultSdkHttpFullRequest(httpMethod=POST, protocol=https, host=cognito-idp.us-east-1.amazonaws.com, encodedPath=/, headers=[amz-sdk-invocation-id, Content-Length, Content-Type, User-Agent, X-Amz-Target], queryParameters=[])
2024-02-02 11:32:28.009 DEBUG 414547 --- [           main] s.a.a.c.i.io.SdkLengthAwareInputStream   : Specified InputStream length of 86 has been reached. Returning EOF.
2024-02-02 11:32:28.049 DEBUG 414547 --- [           main] s.amazon.awssdk.auth.signer.Aws4Signer   : AWS4 Canonical Request: POST
/

amz-sdk-invocation-id: ********
amz-sdk-request:attempt=1; max=4
content-length:86
content-type:application/x-amz-json-1.1
host:cognito-idp.us-east-1.amazonaws.com
x-amz-date:20240202T143228Z
x-amz-target:AWSCognitoIdentityProviderService.AdminGetUser

amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target
********
2024-02-02 11:32:28.063 DEBUG 414547 --- [           main] s.amazon.awssdk.auth.signer.Aws4Signer   : AWS4 String to sign: *******
20240202T143228Z
20240202/us-east-1/cognito-idp/aws4_request
*******
2024-02-02 11:32:28.401 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Connecting socket to cognito-idp.us-east-1.amazonaws.com/54.166.64.53:443 with timeout 2000
2024-02-02 11:32:28.776 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Enabled protocols: [TLSv1.3, TLSv1.2]
2024-02-02 11:32:28.777 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2024-02-02 11:32:28.779 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : socket.getSupportedProtocols(): [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello], socket.getEnabledProtocols(): [TLSv1.3, TLSv1.2]
2024-02-02 11:32:28.782 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Starting handshake
2024-02-02 11:32:29.784 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Secure session established
2024-02-02 11:32:29.785 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  negotiated protocol: TLSv1.2
2024-02-02 11:32:29.786 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-02-02 11:32:29.787 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  peer principal: CN=cognito-idp.us-east-1.amazonaws.com
2024-02-02 11:32:29.788 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  peer alternative names: [cognito-idp.us-east-1.amazonaws.com, cognito-idp-fips.us-east-1.amazonaws.com]
2024-02-02 11:32:29.788 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  issuer principal: CN=Amazon RSA 2048 M02, O=Amazon, C=US
2024-02-02 11:32:29.795 DEBUG 414547 --- [           main] s.a.a.h.a.internal.net.SdkSslSocket      : created: cognito-idp.us-east-1.amazonaws.com/54.166.64.53:443
2024-02-02 11:32:30.118 DEBUG 414547 --- [           main] software.amazon.awssdk.requestId         : Received successful response: 200, Request ID: *******, Extended Request ID: not available
2024-02-02 11:32:30.120 DEBUG 414547 --- [           main] software.amazon.awssdk.request           : Received successful response: 200, Request ID: *******, Extended Request ID: not available
*********************************************************************************************
sub *******
address *******
birthdate 01/01/1970
email_verified true
gender Femenino
name *****
phone_number_verified true
phone_number ********
family_name *********
email *******

response: AdminGetUserResponse(Username=*** Sensitive Data Redacted ***, UserAttributes=[AttributeType(Name=sub, Value=*** Sensitive Data Redacted ***), AttributeType(Name=address, Value=*** Sensitive Data Redacted ***), AttributeType(Name=birthdate, Value=*** Sensitive Data Redacted ***), AttributeType(Name=email_verified, Value=*** Sensitive Data Redacted ***), AttributeType(Name=gender, Value=*** Sensitive Data Redacted ***), AttributeType(Name=name, Value=*** Sensitive Data Redacted ***), AttributeType(Name=phone_number_verified, Value=*** Sensitive Data Redacted ***), AttributeType(Name=phone_number, Value=*** Sensitive Data Redacted ***), AttributeType(Name=family_name, Value=*** Sensitive Data Redacted ***), AttributeType(Name=email, Value=*** Sensitive Data Redacted ***)], UserCreateDate=2024-01-22T19:43:23.504Z, UserLastModifiedDate=2024-01-23T18:30:25.532Z, Enabled=true, UserStatus=CONFIRMED, MFAOptions=[MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)])

userStatusAsString: CONFIRMED
hasMFASettingList: false
MFASettingList: []
hasMfaOptions: true
mfaOptions: [MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)]
preferredMfaSetting: null

*********************************************************************************************

Both options are enabled on the pool, and SMS is used by the user.

I know that, according to the documentation, mfaOptions is deprecated, but the other fields must return a value according to the factor the user chose after first login.

@github-actions github-actions bot removed the response-requested This issue requires a response to continue label Feb 1, 2024
@debora-ito
Member

debora-ito commented Feb 5, 2024

@lgolubenkobit thank you for the additional logs.

The observations in the StackOverflow answer make sense. Looking at the logs you provided, the 'UserMFASettingList' and 'PreferredMfaSetting' are not part of the AdminGetUser response initially:

response: AdminGetUserResponse(
    Username=*** Sensitive Data Redacted ***, 
    UserAttributes=[...], 
    UserCreateDate=2024-01-22T19:43:23.504Z, 
    UserLastModifiedDate=2024-01-23T18:30:25.532Z, 
    Enabled=true, 
    UserStatus=CONFIRMED, 
    MFAOptions=[MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)]
)

but they will get populated after calling AdminSetUserMfaPreference.

I'll reach out to the Cognito team to comment on this behavior, to confirm if it's expected. If it is, I'll ask to make it clear in the AdminGetUser API Reference.

I'll also transfer this issue to the central aws/aws-sdk repo, since it's a service side issue with cross-SDK impact.
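As an added example (not code from this issue or from the SDK project), this is the check a practitioner would wrap around the behaviour described above: treat an empty UserMFASettingList as "no preference stored yet" rather than "MFA is off", then store the preference with AdminSetUserMfaPreference so that later AdminGetUser calls populate UserMFASettingList and PreferredMfaSetting. The pool id is a constructed placeholder, and it assumes the user already has a verified phone number and an associated TOTP token, as in the logs in this thread.

```java
import java.util.List;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.*;

public class MfaPreferenceCheck {
    // Constructed placeholder; not a value from the issue.
    static final String USER_POOL_ID = "us-east-1_EXAMPLE";

    /** Reports the user's MFA state, distinguishing "no preference stored" from a real preference. */
    static String describeMfaState(CognitoIdentityProviderClient client, String username) {
        AdminGetUserResponse user = client.adminGetUser(AdminGetUserRequest.builder()
                .userPoolId(USER_POOL_ID).username(username).build());
        List<String> enabled = user.userMFASettingList();   // e.g. [SMS_MFA, SOFTWARE_TOKEN_MFA]
        String preferred = user.preferredMfaSetting();      // e.g. SOFTWARE_TOKEN_MFA, or null
        if (!user.hasUserMFASettingList() || enabled.isEmpty()) {
            // Empty does not mean MFA is disabled: the fields are absent until a preference is
            // stored. The deprecated MFAOptions list may still show an SMS factor in that state.
            return "NO_PREFERENCE_SET (legacy mfaOptions=" + user.mfaOptions() + ")";
        }
        return "preferred=" + preferred + " enabled=" + enabled;
    }

    /** Stores an explicit preference (TOTP preferred, SMS kept as fallback) for the user. */
    static void preferTotp(CognitoIdentityProviderClient client, String username) {
        client.adminSetUserMfaPreference(AdminSetUserMfaPreferenceRequest.builder()
                .userPoolId(USER_POOL_ID)
                .username(username)
                .softwareTokenMfaSettings(SoftwareTokenMfaSettingsType.builder()
                        .enabled(true).preferredMfa(true).build())
                .smsMfaSettings(SMSMfaSettingsType.builder()
                        .enabled(true).preferredMfa(false).build())
                .build());
    }

    public static void main(String[] args) {
        String username = args[0]; // the user's sub or username, supplied by the operator
        try (CognitoIdentityProviderClient client = CognitoIdentityProviderClient.create()) {
            System.out.println("before: " + describeMfaState(client, username));
            preferTotp(client, username);
            System.out.println("after:  " + describeMfaState(client, username));
        }
    }
}
```

Run with the usual SDK credential chain; the "before" line reproduces the empty state from this issue and the "after" line shows the populated fields once a preference exists.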

@debora-ito debora-ito transferred this issue from aws/aws-sdk-java-v2 Feb 5, 2024
@debora-ito debora-ito added service-api This issue pertains to the AWS API cognito labels Feb 5, 2024
@debora-ito
Member

P116943917

@debora-ito
Member

@lgolubenkobit The Cognito team confirmed the behavior is expected.

As for my ask to clarify in the documentation, they said they don't see the confusion. But I'll push back on that.

I'll go ahead and close this, as there's nothing else pending from the SDK team. Feel free to reach out if you have any other question.


This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
