DineshNS

Reputation: 3670

Create AWS Cognito user with account status "CONFIRMED" and without email address

How can I create a Cognito user with the account status confirmed using c#? After a user is created the account status displays FORCE_CHANGE_PASSWORD. Another thing is I need to create user without email address.

    AmazonCognitoIdentityProviderClient cognitoProvider =
        new AmazonCognitoIdentityProviderClient(region);

    string userName = "user";
    string tempPassword = "Temp@3434";
    string newPassword = "RealPass@2019";

    AdminCreateUserRequest adminUserCreateRequest = new AdminCreateUserRequest()
    {
        UserPoolId = poolId,
        Username = userName,
        TemporaryPassword = tempPassword
    };

    AdminCreateUserResponse signUpResponse = await cognitoProvider.AdminCreateUserAsync(adminUserCreateRequest);

Admin InitiateAuth request

    Dictionary<string, string> initialParams = new Dictionary<string, string>();
    initialParams.Add("USERNAME", userName);
    initialParams.Add("PASSWORD", tempPassword);

    AdminInitiateAuthRequest initialRequest = new AdminInitiateAuthRequest()
    {
        AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH,
        AuthParameters = initialParams,
        ClientId = appClientId_tenantApi,
        UserPoolId = poolId
    };

    AdminInitiateAuthResponse resInitAuth = await cognitoProvider.AdminInitiateAuthAsync(initialRequest);

The AdminInitiateAuth response has email as a required attribute: `{[requiredAttributes, ["userAttributes.email"]]}`

But the documentation doesn't say so.

For ADMIN_NO_SRP_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), PASSWORD (required), DEVICE_KEY

Admin Respond to challenge

    var authParameters = new Dictionary<string, string>();
    authParameters.Add("USERNAME", userName);
    authParameters.Add("NEW_PASSWORD", newPassword);

    AdminRespondToAuthChallengeRequest adminAuthRequest = new AdminRespondToAuthChallengeRequest()
    {
        UserPoolId = poolId,
        ClientId = appClientId_tenantApi,
        ChallengeName = ChallengeNameType.NEW_PASSWORD_REQUIRED,
        ChallengeResponses = authParameters,
        Session = resInitAuth.Session // session handed back by AdminInitiateAuth
    };

    await cognitoProvider.AdminRespondToAuthChallengeAsync(adminAuthRequest);

I am thinking I may have missed some user settings in Cognito to avoid email. Does anyone have similar experience? Or is it not possible to create a user without email?

Upvotes: 3

Views: 3088

Answers (2)

igr8

Reputation: 21

In case anyone is still looking for an answer:

  1. Initialize the provider.

    AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient("*************", "************", Amazon.RegionEndpoint.USWest);

  2. Create the user.

    AdminCreateUserResponse adminCreateUserResponse = await provider.AdminCreateUserAsync(new AdminCreateUserRequest
    {
        Username = "TestUser",
        TemporaryPassword = "TempPassword@1",
        UserPoolId = "us-west-**********"
    });

  3. Authenticate the user.

    CognitoUserPool userPool = new CognitoUserPool("us-west-***", "***", provider);
    CognitoUser user = new CognitoUser("TestUser", "******", userPool, provider, "**********");

    InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
    {
        Password = "TempPassword@1"
    };

    AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest).ConfigureAwait(false);

  4. Validate the user authentication result and get the user AccessToken.

    string accessToken = null;
    if (authResponse.AuthenticationResult == null)
    {
        if (authResponse.ChallengeName == ChallengeNameType.NEW_PASSWORD_REQUIRED)
        {
            //Console.WriteLine("Enter your desired new password:");
            string newPassword = "NewPWD@1";//  Console.ReadLine();
            // required attributes reported by the challenge, keyed as userAttributes.<name>
            Dictionary<string, string> att = new Dictionary<string, string>();
            att.Add("userAttributes.email", "[email protected]");
            user.Attributes.Add("preferred_username", "TestUser1");

  5. And update the new password using the AccessToken (after the update the user status will be CONFIRMED).

            authResponse = await user.RespondToNewPasswordRequiredAsync(new RespondToNewPasswordRequiredRequest()
            {
                SessionID = authResponse.SessionID,
                NewPassword = newPassword,
            }, att);
            accessToken = authResponse.AuthenticationResult.AccessToken;
        }
    }

Upvotes: 2
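The question's three admin calls and igr8's required-attribute handling, pulled together as an added example (not code from the question or either answer): it reads the `requiredAttributes` list the NEW_PASSWORD_REQUIRED challenge returns and answers each entry under its `userAttributes.<name>` key, so the challenge completes and the account becomes CONFIRMED. `poolId`, `clientId`, the user names and the attribute values are placeholders supplied by the caller, and the temporary password is expected to be randomly generated rather than hardcoded; `MessageAction = SUPPRESS` keeps Cognito from e-mailing or texting that temporary password.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public static class CognitoAdminProvisioning
{
    // Create the user, then complete NEW_PASSWORD_REQUIRED so the status becomes CONFIRMED.
    // attributeValues answers whatever the pool lists in requiredAttributes (e.g. "email").
    public static async Task<string> CreateConfirmedUserAsync(
        IAmazonCognitoIdentityProvider cognito, string poolId, string clientId,
        string userName, string tempPassword, string finalPassword,
        IReadOnlyDictionary<string, string> attributeValues)
    {
        await cognito.AdminCreateUserAsync(new AdminCreateUserRequest
        {
            UserPoolId = poolId, Username = userName, TemporaryPassword = tempPassword,
            MessageAction = MessageActionType.SUPPRESS // no invitation e-mail/SMS carrying the temp password
        });
        var init = await cognito.AdminInitiateAuthAsync(new AdminInitiateAuthRequest
        {
            UserPoolId = poolId, ClientId = clientId, AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH,
            AuthParameters = new Dictionary<string, string>
                { ["USERNAME"] = userName, ["PASSWORD"] = tempPassword }
        });
        if (init.ChallengeName != ChallengeNameType.NEW_PASSWORD_REQUIRED)
            return init.AuthenticationResult?.AccessToken; // no challenge to complete
        var responses = new Dictionary<string, string>
            { ["USERNAME"] = userName, ["NEW_PASSWORD"] = finalPassword };
        // requiredAttributes is a JSON array like ["userAttributes.email"]; answer each under that exact key.
        if (init.ChallengeParameters.TryGetValue("requiredAttributes", out var json))
        {
            foreach (var key in JsonSerializer.Deserialize<string[]>(json) ?? Array.Empty<string>())
            {
                var attr = key.Substring("userAttributes.".Length);
                if (!attributeValues.TryGetValue(attr, out var value))
                    throw new InvalidOperationException($"Pool requires '{attr}' but no value was supplied.");
                responses[key] = value;
            }
        }
        var done = await cognito.AdminRespondToAuthChallengeAsync(new AdminRespondToAuthChallengeRequest
        {
            UserPoolId = poolId, ClientId = clientId, Session = init.Session,
            ChallengeName = ChallengeNameType.NEW_PASSWORD_REQUIRED, ChallengeResponses = responses
        });
        return done.AuthenticationResult.AccessToken;
    }
}
```

If the pool was created with email as a required attribute, the challenge cannot be completed without one; the set of required attributes is fixed when the pool is created.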

Daniel Kiptoon

Reputation: 334

  1. During the creation of the user pool, under general settings; attributes (as in the photo "cognito creation on aws"), one is required to choose the attributes that must be present. I believe in your case the email was selected by default, hence the challenge request response you got.

  2. The admin create user request requires the client to confirm the email for purposes of verification that the user owns the email.

  3. A hack for the same would be to allow users to sign themselves up in your Cognito configuration, then sign someone up with a username and password, then proceed to confirm them as an admin:

    var signup = await cognitoClient.SignUpAsync(new SignUpRequest
    {
        Username = person.Username,
        ClientId = cognitoOptions.ClientId,
        Password = person.IdNumber,
    });

    var confirm = await cognitoClient.AdminConfirmSignUpAsync(new AdminConfirmSignUpRequest
    {
        Username = person.Username,
        UserPoolId = cognitoOptions.UserPoolId
    });


Upvotes: 3
