AWS Cognito - reset user MFA


Problem description

I have a Cognito user pool which has MFA set to Required with TOTP only (i.e. no SMS).

My question is how do I reset the MFA for a user? For example, what if the user loses his phone, so he doesn't have any way to log in?

I have tried reset password but that only resets the password, it doesn't remove the MFA.

In this AWS documentation, it says:

NOTE A delete TOTP software token operation is not currently available in the API. This functionality is planned for a future release. Use SetUserMFAPreference to disable TOTP MFA for an individual user.

So I tried SetUserMFAPreference and AdminSetUserMFAPreference; they just return 200 OK but don't actually disable the MFA. I guess it's because the user pool has MFA set to Required.

Recommended answer

At this point, since AWS does not support resetting the MFA (if your user pool requires MFA - disabling MFA using AdminSetUserMFAPreference will return 200 OK but it will do nothing), the only way to do this is to create a new user pool with optional MFA (you have to create a new one since changing from required to optional is prohibited once the user pool is created). Then with the new user pool, you have to enforce the MFA (if that's something that you want) manually within your code.

For that, once the user logs in successfully and the return object has the tokens in it, you have to call AssociateSoftwareToken instead of returning the tokens, and start the MFA registration process. The tokens (like IdToken) will only be returned to the user when they manage to complete the call to AdminRespondToAuthChallenge successfully.

Bottom line, with the optional MFA, the AdminSetUserMFAPreference will work. And this is the only way to reset MFA in a user pool on AWS (at this point).
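The procedure the answer describes (a pool with Optional MFA, TOTP enrolment started from a password-only login, tokens released only after the SOFTWARE_TOKEN_MFA challenge, and AdminSetUserMFAPreference for the help-desk reset), as an added example that is not part of the original question or answer. It is Python written against the boto3 cognito-idp method and parameter names; the pool ID, app client ID, user name, password and the in-memory FakeCognito class are constructed stand-ins so that it runs offline, and FakeCognito's Required-pool branch only reproduces what the answer reports, not AWS itself.

```python
"""Added example (not code from the original Q&A): the Optional-MFA-pool flow the
accepted answer describes.  The two flow functions take any object with the boto3
cognito-idp method names, e.g. boto3.client("cognito-idp"); FakeCognito is a
constructed in-memory stand-in with a pinned clock so this file runs offline."""
import base64, hashlib, hmac, secrets, struct, time

POOL_ID, CLIENT_ID = "us-east-1_EXAMPLE", "example-app-client"  # assumed names
NOW = 1_700_000_000  # fake clock shared by the phone and the verifier below

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code for a base32 secret: what the user's authenticator app shows."""
    msg = struct.pack(">Q", int((time.time() if at is None else at) // step))
    mac = hmac.new(base64.b32decode(secret_b32, casefold=True), msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return str((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits).zfill(digits)

def reset_user_mfa(client, username):
    """Lost phone: drop the TOTP factor, revoke sessions, then verify rather than trust the 200 OK."""
    client.admin_set_user_mfa_preference(UserPoolId=POOL_ID, Username=username,
                                         SoftwareTokenMfaSettings={"Enabled": False, "PreferredMfa": False})
    client.admin_user_global_sign_out(UserPoolId=POOL_ID, Username=username)
    user = client.admin_get_user(UserPoolId=POOL_ID, Username=username)
    return "SOFTWARE_TOKEN_MFA" not in user.get("UserMFASettingList", [])

def login_enforcing_totp(client, username, password, authenticator):
    """Hand tokens to the caller only after AdminRespondToAuthChallenge succeeds."""
    auth = client.admin_initiate_auth(UserPoolId=POOL_ID, ClientId=CLIENT_ID, AuthFlow="ADMIN_USER_PASSWORD_AUTH",
                                      AuthParameters={"USERNAME": username, "PASSWORD": password})
    if auth.get("ChallengeName") == "SOFTWARE_TOKEN_MFA":
        done = client.admin_respond_to_auth_challenge(
            UserPoolId=POOL_ID, ClientId=CLIENT_ID, ChallengeName="SOFTWARE_TOKEN_MFA", Session=auth["Session"],
            ChallengeResponses={"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": authenticator()})
        return done["AuthenticationResult"]
    # Password alone succeeded: keep those tokens server-side and enrol a factor first.
    access = auth["AuthenticationResult"]["AccessToken"]
    secret = client.associate_software_token(AccessToken=access)["SecretCode"]  # shown to the user as a QR code
    verified = client.verify_software_token(AccessToken=access, UserCode=authenticator(secret), FriendlyDeviceName="phone")
    if verified["Status"] != "SUCCESS":
        raise PermissionError("TOTP enrolment failed")
    client.set_user_mfa_preference(AccessToken=access, SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True})
    client.admin_user_global_sign_out(UserPoolId=POOL_ID, Username=username)  # the password-only tokens die here
    return login_enforcing_totp(client, username, password, authenticator)  # second pass hits the challenge

class Authenticator:  # stands in for the phone: keeps the enrolled secret, emits codes
    secret = None
    def __call__(self, secret=None):
        self.secret = secret or self.secret
        return totp(self.secret, at=NOW)

class FakeCognito:
    """Offline stand-in.  mfa_configuration='ON' reproduces the answer's observation that
    AdminSetUserMFAPreference returns 200 OK in a Required pool but does not clear the factor."""
    def __init__(self, users, mfa_configuration="OPTIONAL"):
        self.mode, self.tokens, self.sessions = mfa_configuration, {}, {}
        self.users = {n: {"pw": p, "secret": None, "mfa": False} for n, p in users.items()}
    def _issue(self, name):
        self.tokens[(tok := secrets.token_hex(8))] = name
        return {"AuthenticationResult": {"AccessToken": tok, "IdToken": "id." + tok}}
    def admin_initiate_auth(self, *, AuthParameters, **_):
        name = AuthParameters["USERNAME"]
        if not hmac.compare_digest(self.users[name]["pw"], AuthParameters["PASSWORD"]):
            raise PermissionError("NotAuthorizedException")
        if not self.users[name]["mfa"]:
            return self._issue(name)
        self.sessions[(session := secrets.token_hex(8))] = name
        return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": session}
    def admin_respond_to_auth_challenge(self, *, Session, ChallengeResponses, **_):
        name = self.sessions.pop(Session)
        if ChallengeResponses["SOFTWARE_TOKEN_MFA_CODE"] != totp(self.users[name]["secret"], at=NOW):
            raise PermissionError("CodeMismatchException")
        return self._issue(name)
    def associate_software_token(self, *, AccessToken):
        user = self.users[self.tokens[AccessToken]]  # KeyError if the token was revoked
        user["pending"] = base64.b32encode(secrets.token_bytes(20)).decode()
        return {"SecretCode": user["pending"]}
    def verify_software_token(self, *, AccessToken, UserCode, **_):
        user = self.users[self.tokens[AccessToken]]
        if UserCode != totp(user["pending"], at=NOW):
            return {"Status": "ERROR"}
        user["secret"] = user.pop("pending")
        return {"Status": "SUCCESS"}
    def set_user_mfa_preference(self, *, AccessToken, SoftwareTokenMfaSettings):
        self.users[self.tokens[AccessToken]]["mfa"] = SoftwareTokenMfaSettings["Enabled"]
    def admin_set_user_mfa_preference(self, *, Username, SoftwareTokenMfaSettings, **_):
        if self.mode == "OPTIONAL":  # a Required pool accepts the call and ignores it
            self.users[Username]["mfa"] = SoftwareTokenMfaSettings["Enabled"]
    def admin_user_global_sign_out(self, *, Username, **_):
        self.tokens = {t: n for t, n in self.tokens.items() if n != Username}
    def admin_get_user(self, *, Username, **_):
        return {"Username": Username,
                "UserMFASettingList": ["SOFTWARE_TOKEN_MFA"] if self.users[Username]["mfa"] else []}

def demo(mfa_configuration="OPTIONAL"):
    """Enrol alice, then lose the phone: returns (enrolled, reset_worked, old_token_still_valid)."""
    idp = FakeCognito({"alice": "correct horse battery staple"}, mfa_configuration)
    tokens = login_enforcing_totp(idp, "alice", "correct horse battery staple", Authenticator())
    enrolled = idp.admin_get_user(Username="alice")["UserMFASettingList"] == ["SOFTWARE_TOKEN_MFA"]
    return enrolled, reset_user_mfa(idp, "alice"), tokens["AccessToken"] in idp.tokens
```

Against a real pool, pass `boto3.client("cognito-idp")` as `client`: the app client must have the ALLOW_ADMIN_USER_PASSWORD_AUTH flow enabled and the caller needs IAM permission for the cognito-idp Admin* actions. The AdminUserGlobalSignOut calls are this example's addition, not something the answer prescribes: they make sure that a help-desk reset, or an enrolment that began with a password-only login, also revokes every token issued before it, and `reset_user_mfa` reads the user back with AdminGetUser because, as the answer notes, a 200 OK from AdminSetUserMFAPreference by itself proves nothing.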
