aws / aws-aspnet-cognito-identity-provider

ASP.NET Core Identity Provider for Amazon Cognito
https://aws.amazon.com/developer/language/net/
Apache License 2.0

ChangePasswordAsync fails for certain User Pools #182

Closed genifycom closed 3 years ago

genifycom commented 3 years ago

I have been testing with Amazon.AspNetCore.Identity.Cognito and Amazon.Extensions.CognitoAuthentication in a DotNet Core 3.1 Lambda Web Application.

If I create a Cognito User Pool using "Username - Users can use a username and optionally multiple alternatives to sign up and sign in." then the ChangePasswordAsync succeeds in changing the password.

However, if I choose "Email address or phone number - Users can use an email address or phone number as their "username" to sign up and sign in.", and "Allow email addresses" then:

var user = await _userManager.FindByEmailAsync(Input.Email);

succeeds and finds the correct user, but the:

var result = await _userManager.ChangePasswordAsync(user, Input.CurrentPassword, Input.NewPassword);

always fails with PasswordMismatch.

The current password is correct and the new password conforms to the rules.

I would like to use email as the username.

In addition, if I set the password manually using aws cognito-idp admin-set-user-password then the

var result = await _signInManager.PasswordSignInAsync(Input.UserName, Input.Password, Input.RememberMe, lockoutOnFailure: false);

fails with invalid login attempt. I have tried with both the email and the sub for the user but no go.

Has anyone else seen this issue?

ashishdhingra commented 3 years ago

Transferring this issue to https://github.com/aws/aws-aspnet-cognito-identity-provider

ashishdhingra commented 3 years ago

Hi @genifycom,

Good morning.

Thanks for reporting the issue.

In order to effectively reproduce this issue, please share the following:

In the meanwhile, I will try to do some analysis at my end.

Thanks, Ashish

genifycom commented 3 years ago

On NuGet packages first, I have to use:


because updating to the Amazon.Extensions.CognitoAuthentication 2.0.0 version causes a conflict

Restoring packages for C:\Dev...\MyApp.csproj... NU1107: Version conflict detected for AWSSDK.Core. Install/reference AWSSDK.Core 3.5.1 directly to project BVCognito to resolve this issue. MyApp -> Amazon.Extensions.CognitoAuthentication 2.0.0 -> AWSSDK.CognitoIdentityProvider 3.5.0.2 -> AWSSDK.Core (>= 3.5.1 && < 3.6.0) MyApp -> Amazon.AspNetCore.Identity.Cognito 1.0.5 -> AWSSDK.Extensions.NETCore.Setup 3.3.100.1 -> AWSSDK.Core (>= 3.3.100 && < 3.4.0). Package restore failed. Rolling back package changes for 'MyApp'.

ashishdhingra commented 3 years ago

Hi @genifycom,

Good morning.

I have tried to reproduce the issue reported by you using the sample solution provided in the repository https://github.com/aws/aws-aspnet-cognito-identity-provider/tree/master/samples. Using (upgrading) the mentioned NuGet package versions, the ChangePassword scenario works fine. The user pool has been configured with:

I'm not sure what to suggest since the issue is not reproducible. Is it possible to share the sample code solution, and all of your user pool and app client settings in the AWS Cognito console?

Thanks, Ashish

genifycom commented 3 years ago

Hi Ashish,

I have the sample project created and tested and it continues to get a password mismatch.

How can I dump the Cognito User Pool settings? Screen shots of each of the pages?

Also the project obviously contains my keys so how do I get this to you in a testable state, just xxx out the private information?

Please advise.

Thanks, Dave

ashishdhingra commented 3 years ago

Hi @genifycom,

You may want to exclude the sensitive information from your code, including keys, and share the minimal code to reproduce the issue. For Cognito user pool settings, you may list down the high level information (screenshots are preferable though).

Thanks, Ashish

genifycom commented 3 years ago

Sure. Starting with the User Pool. I tried to pick the minimal requirements just using email.

[Screenshots Cognito0 to Cognito4: user pool settings]

genifycom commented 3 years ago

Then I create a user with:

aws cognito-idp admin-create-user --user-pool-id --username --user-attributes Name=given_name,Value=XXX Name=family_name,Value=YYY Name=email,Value= --temporary-password Test1_Test2

Running the app, the initial Login using email and the temporary password works fine and I see

[Screenshot: initial login]

This then flips me over to the ChangePassword screen. I use the email, Test1_Test2 as the current password (the temporary one) and the new password AltTest_1199

Here, the: var user = await _userManager.FindByEmailAsync(Input.Email); works and returns the user. But the next part var result = await _userManager.ChangePasswordAsync(user, Input.CurrentPassword, Input.NewPassword); fails like this

[Screenshot: change password error]

genifycom commented 3 years ago

This project uses the Identity Area from the Cognito samples project. AWSCognitoTest.zip

ashishdhingra commented 3 years ago

Hi @genifycom,

I will try to reproduce the issue with the user pool settings you provided. I guess these are similar to the one I used earlier (and the change password flow worked fine for me), but I would give it one more try.

Thanks, Ashish

genifycom commented 3 years ago

Ok thank you. I have tried this multiple times as I really do not want to have to use username.

ashishdhingra commented 3 years ago

Hi @genifycom,

I tried using your sample code and the change password flow works fine for me (please refer to the screenshot below):

[Screenshot taken 2020-11-19 12:38 PM: change password flow succeeding]

NOTE: I used the appsettings.Development.json as shown below, instead of hardcoding the Cognito IDP values in code:

{
  "AWS": {
    "Region": "<region>",
    "UserPoolClientId": "<userpool_clientid>",
    "UserPoolClientSecret": "<userpool_clientsecret>",
    "UserPoolId": "<userpool_id>"
  }
}

Hence, I commented the below code (except services.AddCognitoIdentity() call):

//#region Cognito
//var cognitoIdentityProvider = new AmazonCognitoIdentityProviderClient(aws_access_key, aws_secret_key, USWest2);
//var cognitoUserPool = new CognitoUserPool(PFAdminUsersPoolId, PFAdminUsersClientId, cognitoIdentityProvider);

////https://github.com/aws/aws-aspnet-cognito-identity-provider
//// Adds your own instance of Amazon Cognito clients cognitoIdentityProvider and cognitoUserPool are variables you would have instantiated yourself
//services.AddSingleton<IAmazonCognitoIdentityProvider>(cognitoIdentityProvider);
//services.AddSingleton<CognitoUserPool>(cognitoUserPool);

// Adds Amazon Cognito as Identity Provider
//https://aws.amazon.com/blogs/developer/now-generally-available-the-asp-net-core-identity-provider-for-amazon-cognito/
services.AddCognitoIdentity();
//#endregion Cognito

I do notice that you are not using a client secret for your user pool app client.

Here are my app client settings (you may compare the settings at your end):

[Screenshot taken 2020-11-19 12:46 PM: app client settings]

The error in your screenshot indicates the incorrect password. I'm not sure if you are typing the correct password in the change password flow. Everything works fine at my end. I'm not sure what further guidance could be provided here.

Thanks, Ashish

genifycom commented 3 years ago

Ok, I will try two things: 1. a region other than us-west-2 (just in case) and 2. using the appsettings approach. I had read this https://www.gitmemory.com/issue/aws/aws-aspnet-cognito-identity-provider/124/530445186 on the UserPoolClientSecret so I assumed it was optional and I was not using it.

On copying the password, I have been very careful to ensure that the password was copied directly and in addition I tried this same test with different users and on different client accounts, all with the same result.

I will try your appClient settings and let you know the result.

Thank you for your feedback.

genifycom commented 3 years ago

Thanks Ashish,

I found that client secret is absolutely required (it is not optional) and ChangePassword now succeeds.

Apologies for using your time.

Thank you so much for looking at this.

Regards, Dave
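For readers landing on this thread: the reason the client secret is "absolutely required" is that an app client created with a secret makes Cognito reject any authentication call (InitiateAuth / RespondToAuthChallenge) that does not carry a matching SECRET_HASH, and the password-based flows in this library re-authenticate the user with the current password before changing it, so a missing UserPoolClientSecret surfaces as PasswordMismatch rather than as a configuration error. The following is an added example, not code from this project or from either participant; the clientId, clientSecret and username values are constructed placeholders, and Compute implements the documented formula Base64(HMAC-SHA256(key = clientSecret, message = username + clientId)).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not part of the aws-aspnet-cognito-identity-provider project).
// Mirrors what Amazon.Extensions.CognitoAuthentication does internally when
// UserPoolClientSecret is configured, so a developer can see why an app client
// with a secret cannot be used with an empty/missing UserPoolClientSecret.
public static class CognitoSecretHash
{
    // SECRET_HASH = Base64( HMAC-SHA256( key: clientSecret, message: username + clientId ) )
    // The username must be the value sent to Cognito as USERNAME in the auth request.
    public static string Compute(string username, string clientId, string clientSecret)
    {
        if (string.IsNullOrEmpty(clientSecret))
            throw new InvalidOperationException(
                "App client has a secret: UserPoolClientSecret must be set in appsettings " +
                "or Cognito will reject the authentication call.");

        var key = Encoding.UTF8.GetBytes(clientSecret);
        var message = Encoding.UTF8.GetBytes(username + clientId);
        using var hmac = new HMACSHA256(key);
        return Convert.ToBase64String(hmac.ComputeHash(message));
    }

    // Convenience check that mirrors the "optional vs required" confusion in this thread:
    // returns true only when the settings are consistent with a secret-bearing app client.
    public static bool SettingsLookComplete(string clientId, string clientSecret) =>
        !string.IsNullOrWhiteSpace(clientId) && !string.IsNullOrWhiteSpace(clientSecret);

    public static void Main()
    {
        // Constructed placeholder values, not real Cognito identifiers.
        const string clientId = "EXAMPLE_CLIENT_ID";
        const string clientSecret = "EXAMPLE_CLIENT_SECRET";
        const string username = "user@example.com";

        Console.WriteLine(SettingsLookComplete(clientId, clientSecret)
            ? "UserPoolClientSecret present; SECRET_HASH = " + Compute(username, clientId, clientSecret)
            : "UserPoolClientSecret missing; password flows will fail on a secret-bearing app client.");
    }
}
```

If the app client in the Cognito console shows "Generate client secret" enabled, the corresponding UserPoolClientSecret entry in appsettings (as in Ashish's appsettings.Development.json above) is mandatory; if it is disabled, leave the key out entirely.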

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.