Scott Mcnitt

Reputation: 53

In AWS Cognito set temporary password for existing user and set status to "Enabled / FORCE_CHANGE_PASSWORD"

Is there an admin api to set a temporary password for an existing user and set the account back to "Enabled / FORCE_CHANGE_PASSWORD"?

We are in the early stages of changing authentication in an old winform app to use AWS Cognito. We are not allowed to count on users having email or sms (plant floor). We have created new users in the pool and supplied a first time temporary password. The users are in "Enabled / FORCE_CHANGE_PASSWORD" status. We tested this and the first time they log in with temp password we get the Cognito challenge and they then get the enter new password screen.

I cannot find any page or doc besides AdminCreateUser that sets password and status of account. All seem to rely on flow that involves verified email or phone.

My "google-fu" may be off, so I am asking the question.

Here is the code in a console app we created to add the user...

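    // Create the user with an admin-supplied temporary password.
    // Cognito puts the new account in Enabled / FORCE_CHANGE_PASSWORD.
    var request = new AdminCreateUserRequest()
    {
        Username = user.COGNITO_ID,
        UserPoolId = COGNITO_POOL_ID_USEAST,
        TemporaryPassword = user.Password
    };

    var cognitoClient = new AmazonCognitoIdentityProviderClient(creds, Amazon.RegionEndpoint.USEast1);

    // .Result blocks until the call completes and rethrows failures as AggregateException.
    var result = cognitoClient.AdminCreateUserAsync(request).Result;

    return "User created as Enabled / FORCE_CHANGE_PASSWORD";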

I could delete and re-add the user (they have no attributes) but want to avoid this.

Upvotes: 5

Views: 17742

Answers (1)

Ninad Gaikwad

Reputation: 4480

You can use AdminUpdateUserAttributes to update the Account Status to FORCE_CHANGE_PASSWORD. If that doesn't work, you can simply add a custom attribute which acts as a flag for accounts you want to disable. Then you can simply add a post-login lambda which checks for this flag and forces the user to change his password.

Upvotes: 3
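An added example, not part of the question or the answer above: Cognito's AdminSetUserPassword API with `Permanent = false` sets a temporary password on an existing user and puts the account back in FORCE_CHANGE_PASSWORD, with no email or SMS involved. The class and method names are hypothetical, the character classes assume a pool policy requiring upper, lower, digit and symbol, and `RandomNumberGenerator.GetInt32` assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public static class TempPasswordReset   // hypothetical helper, not from the original post
{
    // Assumed policy: at least one upper, lower, digit and symbol.
    // Look-alike characters (0/O, 1/l/I) are omitted because the password is handed over in person.
    private static readonly string[] Classes =
    {
        "ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnpqrstuvwxyz", "23456789", "!@#$%^&*"
    };

    public static string NewTemporaryPassword(int length = 16)
    {
        if (length < Classes.Length) throw new ArgumentOutOfRangeException(nameof(length));
        var all = string.Concat(Classes);
        var chars = new char[length];
        // One character from each class first, the rest from the full alphabet.
        for (int i = 0; i < length; i++)
        {
            var pool = i < Classes.Length ? Classes[i] : all;
            chars[i] = pool[RandomNumberGenerator.GetInt32(pool.Length)];
        }
        // Fisher-Yates shuffle with the CSPRNG so class positions are not predictable.
        for (int i = length - 1; i > 0; i--)
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }
        return new string(chars);
    }

    public static async Task<string> ResetAsync(
        IAmazonCognitoIdentityProvider client, string poolId, string username)
    {
        var tempPassword = NewTemporaryPassword();
        await client.AdminSetUserPasswordAsync(new AdminSetUserPasswordRequest
        {
            UserPoolId = poolId,
            Username = username,
            Password = tempPassword,
            Permanent = false   // temporary: status becomes FORCE_CHANGE_PASSWORD
        });
        return tempPassword;    // hand to the user out of band; never write it to logs
    }
}
```

The calling IAM identity needs `cognito-idp:AdminSetUserPassword` on the user pool. The temporary password stops working once the pool's temporary password validity period has passed, after which it has to be reset again.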
