aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

How to verify user attributes as an admin? #1958

Closed guanzo closed 1 year ago

guanzo commented 5 years ago

For context: When a user signs up, my lambda function customizes the confirmation email with a link to my own server, and sends all parameters available in the lambda function as query params. This server calls Cognito's ConfirmSignup method through boto3. My server is authenticated with AWS keys, so the API call succeeds.

Now, I want to allow a user to update their email address. I was hoping to reuse this lambda function, since all it does is confirm an email address. However, the parameters for Cognito's UpdateUserAttributes method only accept an AccessToken. AFAIK, the only way to get this access token is through client-side JavaScript. My server doesn't have access to an AccessToken, it only has access to the parameters that are available in the lambda function.

How do I use my AWS keys to verify a user attribute?

haverchuck commented 5 years ago

@guanzo - I do not believe this is possible at this time, but I am going to mark it as a feature request.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

apolat2000 commented 1 year ago

I am also very interested in this. Any follow-ups possible?

nadetastic commented 1 year ago

Hi @apolat2000 @guanzo, have you had a chance to look at the AdminUpdateUserAttributes API method provided by Cognito? It takes in the username as an attribute.

nadetastic commented 1 year ago

Following up here - I'm going to close out this issue, as you should be able to use the AdminUpdateUserAttribute API method to update a user's attribute without the need to use an AccessToken.

Thanks~

TLeitzbach commented 1 year ago

@nadetastic Sorry for asking this here since the issue is closed: if the issue is about verifying the attribute, AdminUpdateUserAttribute will not do that if the user pool is set up to confirm changes to e.g. the user email, or am I wrong? I believe in this case you would require an AccessToken to call verify_user_attribute in any case?

nadetastic commented 1 year ago

Hi @TLeitzbach, if your user pool requires verification before Amazon Cognito updates an attribute that you specify with AdminUpdateUserAttribute, the attribute will not be immediately updated. The user will receive a verification message and after responding, the attribute will be updated.

You can also update the value of an attribute that requires verification in the same AdminUpdateUserAttribute request by including the email_verified or phone_number_verified attribute, with a value of true.

Documentation reference: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html#CognitoUserPools-AdminUpdateUserAttributes-request-UserAttributes

TLeitzbach commented 1 year ago

@nadetastic Thank you for your detailed reply! The first case is exactly the one which I wanted to point out. If you use a custom email sender then you would either have to use verify_user_attribute with an AccessToken subsequently or use AdminUpdateUserAttribute with both the new email and email_verified set, since sending only email_verified would verify the old email again. Now, this latter case would trigger yet another challenge to the user if you do not catch it in your custom email sender.
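The approach discussed in the replies above (new email and email_verified sent together in one AdminUpdateUserAttributes request, authenticated with IAM credentials instead of an AccessToken), as an added example that is not part of the thread or of amplify-js. The helper names, the `RecordingClient` stub, and the sample pool id, username and address are assumptions constructed for illustration; `client` is expected to be `boto3.client("cognito-idp")`.

```python
def build_verified_email_attributes(new_email):
    """Return the UserAttributes list for AdminUpdateUserAttributes.

    email and email_verified are always sent together: sending only
    email_verified=true would mark the address already on the profile
    as verified, not the new one.
    """
    new_email = new_email.strip()
    local, sep, domain = new_email.partition("@")
    if not (local and sep and domain) or any(c.isspace() for c in new_email):
        raise ValueError("new_email does not look like an email address")
    return [
        {"Name": "email", "Value": new_email},
        {"Name": "email_verified", "Value": "true"},
    ]


def admin_set_verified_email(client, user_pool_id, username, new_email):
    """Call AdminUpdateUserAttributes with IAM credentials (no AccessToken).

    Call this only after your own server has confirmed that the user
    controls new_email: the request marks the address verified purely on
    the caller's say-so.
    """
    attrs = build_verified_email_attributes(new_email)
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=attrs,
    )
    return attrs


class RecordingClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def admin_update_user_attributes(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    stub = RecordingClient()  # replace with boto3.client("cognito-idp")
    admin_set_verified_email(stub, "us-east-1_EXAMPLE", "alice", "alice@new.example")
    print(stub.calls[0])
```

The IAM principal making the call needs `cognito-idp:AdminUpdateUserAttributes` on the user pool; scoping that permission to the single pool keeps the ability to mark addresses verified narrowly held.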