aws / aws-aspnet-cognito-identity-provider

ASP.NET Core Identity Provider for Amazon Cognito
https://aws.amazon.com/developer/language/net/
Apache License 2.0

Change email flow with verification turned off #70

Closed andyfurniss4 closed 4 years ago

andyfurniss4 commented 5 years ago

The user registration flow for my application is as follows:

  1. User registers (UserManager.CreateAsync())
  2. Upon completing the registration form, the user is presented with a message saying that their account needs to be approved before they can log in.
  3. An admin will approve their account (currently setting a custom 'approved' attribute to 1) which will change the status of the user to CONFIRMED. Currently I'm just doing this in the Cognito console.
  4. User can then log in
  5. User can go to a 'manage account' page and change their email if they want (email changed with call to UserManager.SetEmailAsync()).

I have disabled verification in Cognito for my user pool.

I have done this because I don't want the emails to be sent immediately after the user registers. I do actually want them to verify their email, but not until the admin approval has taken place. I can't see a way to manually send the email with the .NET Identity API (can you confirm?) so I intend to build my own email system for this at a later time.

The problem I'm having is if the user decides to change their email, and then logs out and tries to log back in with their new email, I get a UserNotConfirmedException. I've checked the status of the user in Cognito and it's still CONFIRMED so I'm not really sure what the correct process is here.

I've also tried adding an extra call to AdminConfirmSignUpAsync() after the user changes their email but I just get an exception saying the user is already CONFIRMED which I guess is expected. However, the user is now in a state where it IS confirmed but can't log in and verification is disabled.

I understand this may not be within the scope of this project and may be an underlying issue but I figured I'd get your input first!

assyadh commented 5 years ago

I'll try to repro this. It may be that the user is confirmed but not the email. These are two different things for Cognito.

andyfurniss4 commented 5 years ago

Yeah, I understand they are different things but I would have thought if verification is disabled then it shouldn't matter that the email is not verified? Also, it allowed me to log in before changing the email and at no point has email_verified been 'true'.

ashishdhingra commented 4 years ago

Hi @andyfurniss4,

Good afternoon.

I was going through the issue backlog and came across this issue. I'm not sure if this helps, but there was a similar issue reported in the https://github.com/aws-amplify/amplify-js repository where a user changes the email address. Someone from the Cognito team provided a workaround or reasons this is an issue; please refer to https://github.com/aws-amplify/amplify-js/issues/987#issuecomment-531025897. Please see if the other issue provides some help.

Thanks, Ashish

github-actions[bot] commented 4 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.