Closed genifycom closed 3 years ago
Transferring this issue to https://github.com/aws/aws-aspnet-cognito-identity-provider
Hi @genifycom,
Good morning.
Thanks for reporting the issue.
In order to effectively reproduce this issue, please share the following:
In the meanwhile, I will try to do some analysis at my end.
Thanks, Ashish
On Nuget packages first, I have to use:
because updating to the Amazon.Extensions.CognitoAuthentication 2.0.0 version causes a conflict
```text
Restoring packages for C:\Dev...\MyApp.csproj...
NU1107: Version conflict detected for AWSSDK.Core. Install/reference AWSSDK.Core 3.5.1 directly to project BVCognito to resolve this issue.
 MyApp -> Amazon.Extensions.CognitoAuthentication 2.0.0 -> AWSSDK.CognitoIdentityProvider 3.5.0.2 -> AWSSDK.Core (>= 3.5.1 && < 3.6.0)
 MyApp -> Amazon.AspNetCore.Identity.Cognito 1.0.5 -> AWSSDK.Extensions.NETCore.Setup 3.3.100.1 -> AWSSDK.Core (>= 3.3.100 && < 3.4.0).
Package restore failed. Rolling back package changes for 'MyApp'.
```
Hi @genifycom,
Good morning.
I have tried to reproduce the issue reported by you using the sample solution provided in the repository https://github.com/aws/aws-aspnet-cognito-identity-provider/tree/master/samples. Using (upgrading) the mentioned NuGet package versions, the ChangePassword scenario works fine. The user pool has been configured with:
I'm not sure what to suggest since the issue is not reproducible. Is it possible to share the sample code solution, and all of your user pool and app client settings in the AWS Cognito console?
Thanks, Ashish
Hi Ashish,
I have the sample project created and tested and it continues to get a password mismatch.
How can I dump the Cognito User Pool settings? Screen shots of each of the pages?
Also the project obviously contains my keys so how do I get this to you in a testable state, just xxx out the private information?
Please advise.
Thanks, Dave
Hi @genifycom,
You may want to exclude the sensitive information from your code, including keys, and share the minimal code to reproduce the issue. For Cognito user pool settings, you may list down the high level information (screenshots are preferable though).
Thanks, Ashish
Sure. Starting with the User Pool. I tried to pick the minimal requirements just using email.
Then I create a user with:
aws cognito-idp admin-create-user --user-pool-id
Running the app, the initial Login using email and the temporary password works fine and I see
This then flips me over to the ChangePassword screen. I use the email, Test1_Test2 as the current password (the temporary one) and the new password AltTest_1199
Here, the `var user = await _userManager.FindByEmailAsync(Input.Email);` works and returns the user.
But the next part, `var result = await _userManager.ChangePasswordAsync(user, Input.CurrentPassword, Input.NewPassword);`, fails like this:
This project uses the Identity Area from the Cognito samples project. AWSCognitoTest.zip
Hi @genifycom,
I will try to reproduce the issue with the user pool settings you provided, I guess these are similar to one I used earlier (and the change password flow worked fine for me), but would give it one more try.
Thanks, Ashish
Ok thank you. I have tried this multiple times as I really do not want to have to use username.
Hi @genifycom,
I tried using your sample code and the change password flow works fine for me (please refer to the screenshot below):
NOTE: I used the appsettings.Development.json as shown below, instead of hardcoding the Cognito IDP values in code:
```json
{
  "AWS": {
    "Region": "<region>",
    "UserPoolClientId": "<userpool_clientid>",
    "UserPoolClientSecret": "<userpool_clientsecret>",
    "UserPoolId": "<userpool_id>"
  }
}
```
Hence, I commented out the code below (except the `services.AddCognitoIdentity()` call):
```csharp
//#region Cognito
//var cognitoIdentityProvider = new AmazonCognitoIdentityProviderClient(aws_access_key, aws_secret_key, USWest2);
//var cognitoUserPool = new CognitoUserPool(PFAdminUsersPoolId, PFAdminUsersClientId, cognitoIdentityProvider);
////https://github.com/aws/aws-aspnet-cognito-identity-provider
//// Adds your own instance of Amazon Cognito clients cognitoIdentityProvider and cognitoUserPool are variables you would have instantiated yourself
//services.AddSingleton<IAmazonCognitoIdentityProvider>(cognitoIdentityProvider);
//services.AddSingleton<CognitoUserPool>(cognitoUserPool);
// Adds Amazon Cognito as Identity Provider
//https://aws.amazon.com/blogs/developer/now-generally-available-the-asp-net-core-identity-provider-for-amazon-cognito/
services.AddCognitoIdentity();
//#endregion Cognito
```
I do notice that you are not using a client secret for your user pool app client.
Here are my app client settings (you may compare the settings at your end):
The error in your screenshot indicates the incorrect password. I'm not sure if you are typing the correct password in the change password flow. Everything works fine at my end. I'm not sure what further guidance could be provided here.
Thanks, Ashish
Ok, I will try two things. 1. a region other than us-west-2 (just in case) and 2. using the appsettings approach. I had read this https://www.gitmemory.com/issue/aws/aws-aspnet-cognito-identity-provider/124/530445186 on the UserPoolClientSecret so I assumed it was optional and I was not using it.
On copying the password, I have been very careful to ensure that the password was copied directly and in addition I tried this same test with different users and on different client accounts, all with the same result.
I will try your appClient settings and let you know the result.
Thank you for your feedback.
Thanks Ashish,
I found that client secret is absolutely required (it is not optional) and ChangePassword now succeeds.
Apologies for using your time.
Thank you so much for looking at this.
Regards, Dave
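The resolution above is that ChangePassword and sign-in only succeed once `UserPoolClientSecret` is configured. The reason is that Cognito requires a SECRET_HASH (an HMAC-SHA256 over username + client id, keyed with the client secret) on every call made through an app client that has a secret, and the library can only derive it from that setting. The following is an added example, not code from the thread or from the aws-aspnet-cognito-identity-provider project: it shows the SECRET_HASH computation and a startup check that fails fast when the secret is missing from `appsettings`, instead of surfacing as a misleading PasswordMismatch later. The class name, method names and exception messages are the author's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Configuration;

// Added example (hypothetical helper); not part of the thread or the library.
public static class CognitoClientSecretCheck
{
    // Cognito SECRET_HASH = Base64(HMAC-SHA256(key = client secret, message = username + client id)).
    // This is the value the library derives from UserPoolClientSecret. Without the secret configured,
    // it cannot be sent, and an app client that has a secret rejects the request; in the Identity
    // flow that surfaced as PasswordMismatch / "invalid login attempt" in this thread.
    public static string ComputeSecretHash(string username, string clientId, string clientSecret)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(username + clientId));
        return Convert.ToBase64String(mac);
    }

    // Call from Startup.ConfigureServices before services.AddCognitoIdentity() so a missing
    // secret is reported once at startup rather than on every sign-in or ChangePassword call.
    public static void RequireClientSecret(IConfiguration configuration)
    {
        string clientId = configuration["AWS:UserPoolClientId"];
        string clientSecret = configuration["AWS:UserPoolClientSecret"];

        if (string.IsNullOrWhiteSpace(clientId))
            throw new InvalidOperationException("AWS:UserPoolClientId is not configured.");

        if (string.IsNullOrWhiteSpace(clientSecret))
            throw new InvalidOperationException(
                "AWS:UserPoolClientSecret is missing. As found in this issue, the app client " +
                "must have a client secret and it must be provided via configuration " +
                "(user secrets, environment, or a secrets store), never hardcoded in source.");
    }
}
```

Keep the secret out of the repository (`dotnet user-secrets` locally, environment variables or a secrets manager in Lambda) and never log the computed hash or the secret itself.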
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
I have been testing with Amazon.AspNetCore.Identity.Cognito and Amazon.Extensions.CognitoAuthentication in a DotNet Core 3.1 Lambda Web Application.
If I create a Cognito User Pool using "Username - Users can use a username and optionally multiple alternatives to sign up and sign in." then the ChangePasswordAsync succeeds in changing the password.
However, if I choose "Email address or phone number - Users can use an email address or phone number as their "username" to sign up and sign in.", and "Allow email addresses" then:
`var user = await _userManager.FindByEmailAsync(Input.Email);`
succeeds and finds the correct user, but the:
`var result = await _userManager.ChangePasswordAsync(user, Input.CurrentPassword, Input.NewPassword);`
always fails with PasswordMismatch.
The current password is correct and the new password conforms to the rules.
I would like to use email as the username.
In addition, if I set the password manually using aws cognito-idp admin-set-user-password then the
`var result = await _signInManager.PasswordSignInAsync(Input.UserName, Input.Password, Input.RememberMe, lockoutOnFailure: false);`
fails with invalid login attempt. I have tried with both the email and the sub for the user but no go.
Has anyone else seen this issue?