aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

AWS Cognito UserMFASettingList field of AdminGetUserResponse is empty #693

Closed lgolubenkobit closed 3 months ago

lgolubenkobit commented 5 months ago

Describe the bug

I have the same problem described here on StackOverflow, not only with MFASettingList, but also with mfaOptions and preferredMfaSetting.

After logging in on the hosted UI, I configured a TOTP app as 2FA, but when I invoke adminGetUser or getUser via the SDK, the attributes are null or empty.

Expected Behavior

Return preferred MFA and available options

Current Behavior

Attributes are null or empty:

MFASettingList: []
mfaOptions: []
preferredMfaSetting: null

Reproduction Steps

Log in on the hosted UI and configure 2FA, then invoke adminUserInfo via the SDK.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.21.12

JDK version used

Java 8

Operating System and version

KDE Plasma

debora-ito commented 5 months ago

@lgolubenkobit I'll need more information in order to help you out.

According to the API Reference, mfaOptions is no longer supported, so this field won't return values.

lgolubenkobit commented 5 months ago

When invoking this function, I expect it to return which method the user chose, or the available options enabled in the pool:

import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;

    // Looks a user up by sub; AdminGetUser accepts the sub as the Username value
    public AdminGetUserResponse getUserByUuid(String userSub) {
        AdminGetUserRequest adminGetUserRequest = AdminGetUserRequest.builder()
                .userPoolId(cognitoPoolId)   // pool id configured on this utility
                .username(userSub)
                .build();

        return cognitoClient.adminGetUser(adminGetUserRequest);
    }

but after invoking it:

import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType;

System.err.println("*********************************************************************************************");
AdminGetUserResponse response = cognitoUtil.getUserByUuid("");   // sub redacted
System.err.println("*********************************************************************************************");
// dump every user attribute returned by AdminGetUser
for (AttributeType a : response.userAttributes()) {
    System.err.println(a.name() + " " + a.value());
}
System.err.println();
System.err.println("response: " + response);
System.err.println();
// MFA-related fields; the has*() accessors say whether the member was present in the response at all
System.err.println("userStatusAsString: " + response.userStatusAsString());
System.err.println("hasMFASettingList: " + response.hasUserMFASettingList());
System.err.println("MFASettingList: " + response.userMFASettingList());
System.err.println("hasMfaOptions: " + response.hasMfaOptions());
System.err.println("mfaOptions: " + response.mfaOptions());
System.err.println("preferredMfaSetting: " + response.preferredMfaSetting());
System.err.println();
System.err.println("*********************************************************************************************");

This is the response:

*********************************************************************************************
2024-02-02 11:32:27.513 DEBUG 414547 --- [           main] s.a.a.c.i.ExecutionInterceptorChain      : Creating an interceptor chain that will apply interceptors in the following order: [software.amazon.awssdk.core.internal.interceptor.HttpChecksumValidationInterceptor@302ab67e, software.amazon.awssdk.awscore.interceptor.HelpfulUnknownHostExceptionInterceptor@28058dd0, software.amazon.awssdk.awscore.eventstream.EventStreamInitialRequestInterceptor@735d1db7, software.amazon.awssdk.awscore.interceptor.TraceIdExecutionInterceptor@4040559d, software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderResolveEndpointInterceptor@253c82ad, software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderRequestSetEndpointInterceptor@2153f0d7]
2024-02-02 11:32:27.848 DEBUG 414547 --- [           main] s.a.a.c.i.ExecutionInterceptorChain      : Interceptor 'software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderRequestSetEndpointInterceptor@2153f0d7' modified the message with its modifyHttpRequest method.
2024-02-02 11:32:27.992 DEBUG 414547 --- [           main] software.amazon.awssdk.request           : Sending Request: DefaultSdkHttpFullRequest(httpMethod=POST, protocol=https, host=cognito-idp.us-east-1.amazonaws.com, encodedPath=/, headers=[amz-sdk-invocation-id, Content-Length, Content-Type, User-Agent, X-Amz-Target], queryParameters=[])
2024-02-02 11:32:28.009 DEBUG 414547 --- [           main] s.a.a.c.i.io.SdkLengthAwareInputStream   : Specified InputStream length of 86 has been reached. Returning EOF.
2024-02-02 11:32:28.049 DEBUG 414547 --- [           main] s.amazon.awssdk.auth.signer.Aws4Signer   : AWS4 Canonical Request: POST
/

amz-sdk-invocation-id: ********
amz-sdk-request:attempt=1; max=4
content-length:86
content-type:application/x-amz-json-1.1
host:cognito-idp.us-east-1.amazonaws.com
x-amz-date:20240202T143228Z
x-amz-target:AWSCognitoIdentityProviderService.AdminGetUser

amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target
********
2024-02-02 11:32:28.063 DEBUG 414547 --- [           main] s.amazon.awssdk.auth.signer.Aws4Signer   : AWS4 String to sign: *******
20240202T143228Z
20240202/us-east-1/cognito-idp/aws4_request
*******
2024-02-02 11:32:28.401 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Connecting socket to cognito-idp.us-east-1.amazonaws.com/54.166.64.53:443 with timeout 2000
2024-02-02 11:32:28.776 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Enabled protocols: [TLSv1.3, TLSv1.2]
2024-02-02 11:32:28.777 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2024-02-02 11:32:28.779 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : socket.getSupportedProtocols(): [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello], socket.getEnabledProtocols(): [TLSv1.3, TLSv1.2]
2024-02-02 11:32:28.782 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Starting handshake
2024-02-02 11:32:29.784 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     : Secure session established
2024-02-02 11:32:29.785 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  negotiated protocol: TLSv1.2
2024-02-02 11:32:29.786 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2024-02-02 11:32:29.787 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  peer principal: CN=cognito-idp.us-east-1.amazonaws.com
2024-02-02 11:32:29.788 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  peer alternative names: [cognito-idp.us-east-1.amazonaws.com, cognito-idp-fips.us-east-1.amazonaws.com]
2024-02-02 11:32:29.788 DEBUG 414547 --- [           main] s.a.a.h.a.i.conn.SdkTlsSocketFactory     :  issuer principal: CN=Amazon RSA 2048 M02, O=Amazon, C=US
2024-02-02 11:32:29.795 DEBUG 414547 --- [           main] s.a.a.h.a.internal.net.SdkSslSocket      : created: cognito-idp.us-east-1.amazonaws.com/54.166.64.53:443
2024-02-02 11:32:30.118 DEBUG 414547 --- [           main] software.amazon.awssdk.requestId         : Received successful response: 200, Request ID: *******, Extended Request ID: not available
2024-02-02 11:32:30.120 DEBUG 414547 --- [           main] software.amazon.awssdk.request           : Received successful response: 200, Request ID: *******, Extended Request ID: not available
*********************************************************************************************
sub *******
address *******
birthdate 01/01/1970
email_verified true
gender Femenino
name *****
phone_number_verified true
phone_number ********
family_name *********
email *******

response: AdminGetUserResponse(Username=*** Sensitive Data Redacted ***, UserAttributes=[AttributeType(Name=sub, Value=*** Sensitive Data Redacted ***), AttributeType(Name=address, Value=*** Sensitive Data Redacted ***), AttributeType(Name=birthdate, Value=*** Sensitive Data Redacted ***), AttributeType(Name=email_verified, Value=*** Sensitive Data Redacted ***), AttributeType(Name=gender, Value=*** Sensitive Data Redacted ***), AttributeType(Name=name, Value=*** Sensitive Data Redacted ***), AttributeType(Name=phone_number_verified, Value=*** Sensitive Data Redacted ***), AttributeType(Name=phone_number, Value=*** Sensitive Data Redacted ***), AttributeType(Name=family_name, Value=*** Sensitive Data Redacted ***), AttributeType(Name=email, Value=*** Sensitive Data Redacted ***)], UserCreateDate=2024-01-22T19:43:23.504Z, UserLastModifiedDate=2024-01-23T18:30:25.532Z, Enabled=true, UserStatus=CONFIRMED, MFAOptions=[MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)])

userStatusAsString: CONFIRMED
hasMFASettingList: false
MFASettingList: []
hasMfaOptions: true
mfaOptions: [MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)]
preferredMfaSetting: null

*********************************************************************************************

Both options are enabled on the pool, and SMS is used by the user [image].

I know that, according to the documentation, mfaOptions is deprecated, but the other fields must return a value according to which factor the user chose after the first login.

debora-ito commented 4 months ago

@lgolubenkobit thank you for the additional logs.

The observations in the StackOverflow answer make sense. Looking at the logs you provided, the 'UserMFASettingList' and 'PreferredMfaSetting' are not part of the AdminGetUser response initially:

response: AdminGetUserResponse(
    Username=*** Sensitive Data Redacted ***, 
    UserAttributes=[...], 
    UserCreateDate=2024-01-22T19:43:23.504Z, 
    UserLastModifiedDate=2024-01-23T18:30:25.532Z, 
    Enabled=true, 
    UserStatus=CONFIRMED, 
    MFAOptions=[MFAOptionType(DeliveryMedium=SMS, AttributeName=phone_number)]
)

but they will get populated after calling AdminSetUserMfaPreference.

I'll reach out to the Cognito team to comment on this behavior, to confirm if it's expected. If it is, I'll ask to make it clear in the AdminGetUser API Reference.

I'll also transfer this issue to the central aws/aws-sdk repo, since it's a service side issue with cross-SDK impact.
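
The round trip described in the comment above, as an added example of my own (not code from the issue reporter, the SDK team or the SDK itself): read the MFA fields with AdminGetUser, record a per-user preference with AdminSetUserMFAPreference, then read them again. It assumes the SDK v2 model class names `AdminSetUserMfaPreferenceRequest`, `SoftwareTokenMfaSettingsType` and `SmsMfaSettingsType` as I recall them, and the environment variable names `COGNITO_POOL_ID` and `COGNITO_USERNAME` are invented for the demo.

```java
import java.util.Collections;
import java.util.List;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminSetUserMfaPreferenceRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.SmsMfaSettingsType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.SoftwareTokenMfaSettingsType;

/**
 * Added example (not part of the issue or the SDK): UserMFASettingList and
 * PreferredMfaSetting stay empty until a per-user preference is written, so
 * write it and read it back. MFA-preference class names are as I recall them
 * from the SDK v2 model (assumption); the env var names are invented.
 */
public class MfaPreferenceDemo {

    /** Per-user MFA state as AdminGetUser reports it. */
    public static final class MfaState {
        public final List<String> enabledFactors;   // e.g. [SOFTWARE_TOKEN_MFA, SMS_MFA]
        public final String preferredFactor;        // e.g. SOFTWARE_TOKEN_MFA, or null

        MfaState(List<String> enabledFactors, String preferredFactor) {
            this.enabledFactors = enabledFactors;
            this.preferredFactor = preferredFactor;
        }

        /** True only once a preference has actually been recorded for the user. */
        public boolean hasPerUserPreference() {
            return !enabledFactors.isEmpty() && preferredFactor != null;
        }
    }

    /** Reads UserMFASettingList / PreferredMfaSetting from AdminGetUser. */
    public static MfaState readMfaState(CognitoIdentityProviderClient client, String poolId, String username) {
        AdminGetUserResponse r = client.adminGetUser(AdminGetUserRequest.builder()
                .userPoolId(poolId)
                .username(username)
                .build());
        // hasUserMFASettingList() is false when the member is absent from the response,
        // which is exactly what the reporter saw before any preference was set.
        List<String> factors = r.hasUserMFASettingList() ? r.userMFASettingList() : Collections.emptyList();
        return new MfaState(factors, r.preferredMfaSetting());
    }

    /**
     * Records the preference: TOTP enabled and preferred, SMS enabled as fallback.
     * Needs the cognito-idp:AdminSetUserMFAPreference permission; the user must already
     * have a verified software token (AssociateSoftwareToken + VerifySoftwareToken),
     * otherwise the call is rejected.
     */
    public static void preferTotp(CognitoIdentityProviderClient client, String poolId, String username) {
        client.adminSetUserMfaPreference(AdminSetUserMfaPreferenceRequest.builder()
                .userPoolId(poolId)
                .username(username)
                .softwareTokenMfaSettings(SoftwareTokenMfaSettingsType.builder()
                        .enabled(true).preferredMfa(true).build())
                .smsMfaSettings(SmsMfaSettingsType.builder()
                        .enabled(true).preferredMfa(false).build())
                .build());
    }

    public static void main(String[] args) {
        String poolId = System.getenv("COGNITO_POOL_ID");      // invented env var names
        String username = System.getenv("COGNITO_USERNAME");
        try (CognitoIdentityProviderClient client = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1).build()) {
            MfaState before = readMfaState(client, poolId, username);
            System.out.println("before: " + before.enabledFactors + " preferred=" + before.preferredFactor);

            preferTotp(client, poolId, username);

            MfaState after = readMfaState(client, poolId, username);
            System.out.println("after:  " + after.enabledFactors + " preferred=" + after.preferredFactor);
            if (!after.hasPerUserPreference()) {
                throw new IllegalStateException("preference did not persist; check that the TOTP token is verified");
            }
        }
    }
}
```

Two caveats for anyone using these fields in an authorization decision: an empty UserMFASettingList means no per-user preference has been recorded, not that the account is unprotected, because a pool whose MfaConfiguration is ON challenges every user with a usable factor regardless of this list; and the admin-side write above is a privileged operation, so scope the caller's IAM policy to the one user pool rather than granting cognito-idp:* to the service that only needs AdminGetUser.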

debora-ito commented 4 months ago

P116943917

debora-ito commented 3 months ago

@lgolubenkobit The Cognito team confirmed the behavior is expected.

As for my ask to clarify in the documentation, they said they don't see the confusion. But I'll push back on that.

I'll go ahead and close this, as there's nothing else pending from the SDK team. Feel free to reach out if you have any other question.

github-actions[bot] commented 3 months ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.