I want to recover a user password in Amazon Cognito.
Resolution
There are two ways to recover a user password in Amazon Cognito:
- Through a verified email address or phone number (the forgot-password flow).
- Through a password reset initiated by an administrator.
Email or phone number verification
You can use the ForgotPassword API command to recover a user password. The ForgotPassword API command sends a recovery code to a verified email or a verified phone number. The recovery code is valid for one hour. Then, use the ConfirmForgotPassword API command to enter a confirmation code that resets the password.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
AWS CLI commands:
ForgotPassword
aws cognito-idp forgot-password --client-id 38fjsnc484p94kpqsnet7mpld0 --username jane@example.com
Output:
{
"CodeDeliveryDetails": {
"Destination": "j***@e***.com",
"DeliveryMedium": "EMAIL",
"AttributeName": "email"
}
}
ConfirmForgotPassword
aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username diego@example.com --password PASSWORD --confirmation-code CONF_CODE
Note: You must pass --secret-hash in the CLI command if you meet both of the following requirements:
- Your AWS CLI commands have --client-id as a parameter.
- The app client is configured with a client secret.
The secret hash is the Base64-encoded HMAC-SHA256 of the username concatenated with the app client ID, keyed with the app client secret. To calculate the secret hash of an app client, see [How do I troubleshoot "Unable to verify secret hash for client" errors from my Amazon Cognito user pools API?](https://repost.aws/knowledge-center/cognito-unable-to-verify-secret-hash)
Administrator reset
Note: If you're not an administrator, then contact your administrator to complete the following actions.
When you call the AdminResetUserPassword API command, the user's current password is invalidated and the user must change it. If the user tries to sign in after the API command is called, the app must do the following:
- Handle the PasswordResetRequiredException that Amazon Cognito returns.
- Direct the user to reset the password with the forgot-password flow (ForgotPassword followed by ConfirmForgotPassword).
Additionally, calling the API sends the user a message with a code to change their password if either of the following is true:
- The user pool has phone number verification turned on and the user has a verified phone number.
- The user pool has email verification turned on and the user has a verified email address.
AWS CLI commands:
AdminResetUserPassword
aws cognito-idp admin-reset-user-password --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com
ConfirmForgotPassword
aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username diego@example.com --password PASSWORD --confirmation-code CONF_CODE
AdminSetUserPassword
As the administrator, you can also use the AdminSetUserPassword API command to set a user's password in a user pool. The password can be temporary or permanent (omit --permanent to set a temporary password). If it's temporary, the user status enters the FORCE_CHANGE_PASSWORD state, and when the user signs in, the InitiateAuth/AdminInitiateAuth response contains the NEW_PASSWORD_REQUIRED challenge, which the user answers with a new password. If the user doesn't sign in before the temporary password expires, they can't sign in, and you must set the password again. After the user sets a new password, or if the password was set as permanent, the user status is set to CONFIRMED.
aws cognito-idp admin-set-user-password --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com --password Hello@123 --permanent