无法通过AWS Cognito API重新发送验证码 [英] Can't resend verification code through AWS Cognito API
问题描述
I have an AWS Cognito User Pool where users are created through Cognito's API using the AdminCreateUser action, which works fine. This sends out a verification e-mail to the user, containing a temporary password. So far so good.
Now a user did not receive this verification e-mail, so I need to send it again, using the ResendConfirmationCode action. I am attempting to do that with the below PHP code.
$userPoolId = '[POOL_ID_HERE]';
$backendAppId = '[APP_ID_HERE]';
$clientSecret = '[SECRET_HERE]';
$username = '[UUID_HERE]';
$secretHash = base64_encode(hash_hmac('sha256', $username . $backendAppId, $clientSecret, true));
$cognitoIdp->resendConfirmationCode([
'ClientId' => $backendAppId,
'SecretHash' => $secretHash,
'Username' => $username,
]);
这给了我以下错误:
Aws/CognitoIdentityProvider/Exception/CognitoIdentityProviderException与消息错误执行"ResendConfirmationCode"" https://cognito-idp.eu-central-1.amazonaws.com ;AWS HTTP错误:客户端错误:
POST https://cognito-idp.eu-central-1.amazonaws.com导致400错误的请求响应:{"__type":"NotAuthorizedException",消息":无法重新发送此用户的确认代码} NotAuthorizedException(客户端):无法重新发送该用户的确认码-{"__type":"NotAuthorizedException",消息":无法重新发送该用户的确认码}'
Aws/CognitoIdentityProvider/Exception/CognitoIdentityProviderException with message 'Error executing "ResendConfirmationCode" on "https://cognito-idp.eu-central-1.amazonaws.com"; AWS HTTP error: Client error:
POST https://cognito-idp.eu-central-1.amazonaws.comresulted in a400 Bad Requestresponse: {"__type":"NotAuthorizedException","message":"Can't resend confirmation code for this user"} NotAuthorizedException (client): Can't resend confirmation code for this user - {"__type":"NotAuthorizedException","message":"Can't resend confirmation code for this user"}'
我正在使用对用户池具有以下IAM权限的用户的凭据:
I am using the credentials of a user which has the following IAM permissions for the user pool:
- cognito-idp:AdminDeleteUser
- cognito-idp:AdminCreateUser
- cognito-idp:AdminAddUserToGroup
- cognito-idp:ResendConfirmationCode
如果我使用 IAM策略模拟器,它使我获得绿灯,表示一切正常.据我所知, cognito-idp:ResendConfirmationCode 操作应该足够了,因为在创建用户时发送验证电子邮件会很好.
If I test the permissions using the IAM Policy Simulator, it gives me the green light, saying that everything is OK. To my knowledge, the cognito-idp:ResendConfirmationCode action should be sufficient, as sending out the verification e-mail works fine when creating the user.
我在这里做错了什么?另一种方法是再次调用AdminCreateUser操作,将 MessageAction 参数设置为 RESEND .这将迫使验证电子邮件重新发送给现有用户,但是如果可以使用,我更喜欢使用ResendConfirmationCode操作.
What am I doing wrong here? An alternative approach would be to invoke the AdminCreateUser action again, setting the MessageAction parameter to RESEND. This would force the verification e-mail to be resent for existing users, but I prefer using the ResendConfirmationCode action if I can get it to work.
有什么想法吗?谢谢!
推荐答案
我了解您希望Web应用程序最终用户在登录后由于某种原因由于某种原因而没有收到确认码,因此他们再次收到确认码.,并且我也了解到,当您尝试从使用PHP SDK的代码中运行ResendConfirmationCode API调用时,会收到"NotAuthorizedException".
I understand that you would like your web application end users to receive a confirmation code again if they do not get the confirmation code due to some reason after they sign-up, and I also understand that you are getting the "NotAuthorizedException" when you are trying to run the ResendConfirmationCode API call from your code that uses the PHP SDK.
ResendConfirmationCode API调用[1]可以在注册API调用[2]之后使用,它不是AdminCreateUser Authentication流的一部分,这就是引发错误的原因.AdminCreateUser API调用将新用户的状态更改为强制更改密码状态",并且在使用AdminCreateUser创建新用户后,ResendConfirmationCode调用或ForgotPassword调用均无法正常工作.
The ResendConfirmationCode API call[1] can be used after the sign-up API call[2], and it is not a part of the AdminCreateUser Authentication flow, which is why the error is thrown. The AdminCreateUser API call changes the status of the new user to the "Force Change Password State", and neither the ResendConfirmationCode call or the ForgotPassword call can work after AdminCreateUser is used for creating a new user.
如果您希望最终用户再次获得确认代码,则可以使用AdminCreateUser API调用本身,并在PHP代码的MessageAction中设置"RESEND"标志.根据我对Amazon Cognito的了解,在此特定用例中,将没有其他方法可以再次发送验证消息.根据官方文档,PHP中的API调用示例如下[3]:
If you would like your end-users to get the confirmation code again, you could use the AdminCreateUser API call itself and set the "RESEND" flag in MessageAction in the PHP code. There would be no other way to send the verification message again in this particular use-case, as per my understanding of Amazon Cognito. An example of the API call in PHP according to the official documentation is as follows[3]:
$result = $client->adminCreateUser([
'DesiredDeliveryMediums' => ['<string>', ...],
'ForceAliasCreation' => true || false,
'MessageAction' => 'RESEND|SUPPRESS',
'TemporaryPassword' => '<string>',
'UserAttributes' => [
[
'Name' => '<string>', // REQUIRED
'Value' => '<string>',
],
// ...
],
'UserPoolId' => '<string>', // REQUIRED
'Username' => '<string>', // REQUIRED
'ValidationData' => [
[
'Name' => '<string>', // REQUIRED
'Value' => '<string>',
],
// ...
],
]);
在将"MessageAction"设置为"RESEND"之后,最终用户应该能够在其末端再次收到验证消息.
After using setting 'MessageAction' as 'RESEND', the end-users should be able to receive the verification message again on their end.
[1]. https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/resend-confirmation-code.html
[2]. https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/sign-up.html
[3]. https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser
这篇关于无法通过AWS Cognito API重新发送验证码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
