AWS Cognito invite users

PhilipOGorman USMember ✭✭✭

@CShipley I've been playing around with your excellent sample https://github.com/curtisshipley/CognitoForms
Thanks so much, it is an excellent resource.

I have a slightly different requirement for my app, users cannot self signup, they must be invited by the account owner.
the workflow required is:
1) owner signs in
2) owner invites new user using an email address
3) new user receives email with temporary password
4) new user signs in with temp password and is required to change the password

Your code sample covers everything by step 2. I think I need to call the following AWS method to invite a user:

AdminCreateUserAsync

but I am unsure how to get the correct AmazonCognitoIdentityProviderClient to make the request?
Any advice on how to do this?
Thanks!

Answers

  • CShipley USMember ✭✭

    I'm glad you have found it useful!

    You could create a user programmatically, but you can also do it from the AWS Cognito admin. Just create a new user, give them a password, and make sure you select the checkbox to let them know. The CognitoForms code should handle the situation when they need to enter a new password. (If it doesn't, let me know and I'll update it.)

    If you really want to do it programmatically, then yes, you have to use AdminCreateUserAsync. You likely would want to do this on a server because that call requires AWS keys, and you don't want to expose those in an app where someone could decompile them. Also if you need to log on on their behalf using the Admin APIs, then you would want to set up a different client that has the ADMIN NO SRP selected.

    I have some node/typescript commandline utils that I use to create users, reset passwords, etc., that use the node equivalent APIs to create users.

    Does that answer your question?

  • PhilipOGorman USMember ✭✭✭
    edited October 2018 Accepted Answer

    @CShipley - thanks for the reply, I think I just figured it out (after lots of fumbling around):

    I have a user that is a member of an admin group; that group has a role with "AmazonCognitoPowerUser".

    The call I am making is:

    ```csharp
    using System.Collections.Generic;
    using Amazon;
    using Amazon.CognitoIdentityProvider;
    using Amazon.CognitoIdentityProvider.Model;
    using Amazon.Extensions.CognitoAuthentication; // CognitoUser

    // 'user' is the signed-in CognitoUser from the admin group. Its identity-pool
    // credentials carry the group's role, so no AWS keys are stored in the app;
    // only the identity pool ID is hardcoded.
    var secureProvider = new AmazonCognitoIdentityProviderClient(
        user.GetCognitoAWSCredentials("Identity pool ID", RegionEndpoint.USEast1),
        RegionEndpoint.USEast1);

    // Invite the new user; Cognito emails the temporary password held in 'temp',
    // and the user must change it at first sign-in.
    var result = await secureProvider.AdminCreateUserAsync(new AdminCreateUserRequest
    {
        DesiredDeliveryMediums = new List<string>() { "EMAIL" },
        TemporaryPassword = temp,
        UserAttributes = new List<AttributeType>() { new AttributeType() { Name = "email", Value = "[email protected]" } },
        Username = "test",
        UserPoolId = PoolId
    });
    ```

    So I think the only thing that will be hardcoded is the "Identity pool ID". Does that make sense? That should be safe?

  • CShipley USMember ✭✭

    As long as you're not embedding keys into your app other than the identity pool ID, you should be ok.
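CShipley's suggestion earlier in the thread is to run the invite on a server rather than from an app that holds AWS credentials. As an added example (not code from this thread or from the CognitoForms sample), here is a Python handler for that server side: it authorizes the caller by the admin-group claim in their Cognito ID token (assumed already signature-verified upstream, e.g. by an API Gateway Cognito authorizer), builds the same AdminCreateUser request the C# snippet makes, and sends it through an injected `client` (boto3's `cognito-idp` client in production; the group name `admin` is an assumption).

```python
import re
import time

ADMIN_GROUP = "admin"   # assumption: the Cognito group the account owner belongs to
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class InviteError(Exception):
    """Raised when the invite must not be sent."""


def authorize_inviter(claims, now=None):
    """Allow only a live ID token whose user is in ADMIN_GROUP.
    'claims' is the decoded payload of a Cognito ID token that was already
    signature-verified upstream (e.g. by an API Gateway Cognito authorizer);
    cognito:groups is set by Cognito, so the app cannot grant itself the role.
    """
    now = time.time() if now is None else now
    if claims.get("token_use") != "id" or claims.get("exp", 0) <= now:
        raise InviteError("caller token is not a valid, unexpired ID token")
    if ADMIN_GROUP not in claims.get("cognito:groups", []):
        raise InviteError("caller is not in the admin group")
    return claims["sub"]


def build_invite_request(user_pool_id, username, email):
    """Build the AdminCreateUser parameters (the same fields as the C# call).
    No TemporaryPassword is passed: Cognito generates one, emails it, and
    forces a change at first sign-in."""
    if not EMAIL_RE.match(email):
        raise InviteError("invalid email address")
    return {
        "UserPoolId": user_pool_id,
        "Username": username,
        "UserAttributes": [
            {"Name": "email", "Value": email},
            {"Name": "email_verified", "Value": "true"},  # lets the user use forgot-password later
        ],
        "DesiredDeliveryMediums": ["EMAIL"],
    }


def invite_user(client, claims, user_pool_id, username, email):
    """Authorize the caller, then create the invited user. 'client' is any
    object with admin_create_user(**kwargs), e.g. boto3.client("cognito-idp")."""
    inviter = authorize_inviter(claims)
    request = build_invite_request(user_pool_id, username, email)
    response = client.admin_create_user(**request)
    return {"invited_by": inviter, "username": response["User"]["Username"]}
```

In production the IAM role the server runs under needs only cognito-idp:AdminCreateUser on that one user pool, which is far narrower than the AmazonCognitoPowerUser policy mentioned in the thread.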
