aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up
Apache License 2.0

Cognito sign-up experience with passwordless #194

Closed mdesousa closed 1 month ago

mdesousa commented 2 months ago

Hi, wondering if there is any advice on how to set up the sign-up experience with Cognito when we intend to implement passwordless sign-in. Some issues that we are running into:

thanks for any help!

ottokruse commented 2 months ago

the user is left in a FORCE_CHANGE_PASSWORD state which blocks other things

What does that block actually? Honest question. As far as I know that state is a fine state to be in and does not prevent signing in with custom auth flows.

mdesousa commented 2 months ago

Good question! It was giving us an error while trying to confirm the user. Our goal was to verify the user's email and phone, and we recently changed our code to use VerifyUserAttribute instead. Just tested this function with a user in FORCE_CHANGE_PASSWORD and didn't face any issues. So maybe we'll leave users in that state instead of forcing a permanent password... thanks for the reply!

mdesousa commented 1 month ago

Another related issue: when we try to sign up in the front end, the Cognito SignUp API requires a password... without it we get "1 validation error detected: Value at 'password' failed to satisfy constraint: Member must not be null".

Just wondering how people typically deal with this... you wouldn't need it with passwordless sign-in. Thanks!

ottokruse commented 1 month ago

Afraid the answer is pretty pragmatic and you've considered this no doubt: generate a random password, e.g. on the frontend side where you call the SignUp API from. May be as simple as using a uuid4 (depending on password policy though). If you don't allow SRP / username-password login on any of your user pool app clients, users cannot sign in with a password (even if they would know the randomly generated one).

mdesousa commented 1 month ago

Thanks @ottokruse! I found an example in #92 which was useful, and for random password generation this is a good library that is easy to configure to match the password policy.