AWS Cognito - Resetting User Password Documentation Seems to Contradict Itself

The Problem

I have worked with both AdminResetPassword and ForgotPassword, and I found a contradiction in the API documentation that is confusing and seems to indicate there is no current solution for a full admin-initialized reset-password flow.

The AdminResetPassword documentation says:

When a developer calls this API, the current password is invalidated, so it must be changed. If a user tries to sign in after the API is called, the app will get a PasswordResetRequiredException exception back and should direct the user down the flow to reset the password, which is the same as the forgot password flow.

However, the ForgotPassword documentation states that ConfirmForgotPassword is part of the forgot-password flow, and the ConfirmForgotPassword documentation requires the old password to be passed as part of the request. The password field is described as:

The password sent by a user's request to retrieve a forgotten password.

So, the documentation claims AdminResetPassword and ForgotPassword use the same flow to reset the password, however, in reality, ForgotPassword allows the password to be recovered and AdminResetPassword invalidates the current password. It does not seem possible that the flows after this point could be the same.

The Questions

Is this an error in the documentation, or am I misunderstanding how resetting passwords in AWS Cognito works?

If the two flows mentioned are different, what is the full flow for resetting passwords after they have been invalidated using AdminResetPassword?



Solution 1:[1]

The latest doc says:

SecretHash: A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w+=/]+

Required: No

So it is clear that SecretHash is not required.
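The flow the question asks about (AdminResetPassword invalidates the password, the next sign-in raises PasswordResetRequiredException, and the client then runs ForgotPassword followed by ConfirmForgotPassword with the delivered code and a new password) together with the SecretHash the answer quotes, as an added example that is not from the original post or from AWS. The Cognito client here is a constructed offline stand-in with simplified positional arguments; the real boto3 `cognito-idp` methods (`initiate_auth`, `forgot_password`, `confirm_forgot_password`) take keyword arguments such as `ClientId`, `Username`, `SecretHash`, `ConfirmationCode` and `Password`, and `secret_hash` is the only part that is meant to be used verbatim against the real service.

```python
import base64
import hashlib
import hmac

def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    # SecretHash as Cognito defines it: base64(HMAC-SHA256(client_secret, username + client_id)).
    # Only needed when the app client has a client secret; the field is otherwise optional.
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

class PasswordResetRequiredException(Exception): """Stand-in for the botocore exception of the same name."""

class FakeCognito:
    """Constructed offline stand-in for the cognito-idp API; real code calls a boto3 client instead."""
    def __init__(self, client_id, client_secret, users):
        self.client_id, self.client_secret = client_id, client_secret
        self.users = users  # username -> {"password": str, "reset_required": bool}
        self.codes = {}     # username -> confirmation code Cognito would deliver out of band
    def _check_hash(self, username, sh):
        if not hmac.compare_digest(sh, secret_hash(username, self.client_id, self.client_secret)):
            raise ValueError("NotAuthorizedException: SecretHash mismatch")
    def admin_reset_user_password(self, username):
        self.users[username]["reset_required"] = True  # current password is invalidated
    def initiate_auth(self, username, password, sh):
        self._check_hash(username, sh)
        user = self.users[username]
        if user["reset_required"]:
            raise PasswordResetRequiredException()  # caller must run the forgot-password flow
        if password != user["password"]:
            raise ValueError("NotAuthorizedException")
        return {"AuthenticationResult": {"AccessToken": "token-for-" + username}}
    def forgot_password(self, username, sh):
        self._check_hash(username, sh)
        self.codes[username] = "123456"  # constructed; real Cognito sends it by e-mail or SMS
    def confirm_forgot_password(self, username, code, new_password, sh):
        self._check_hash(username, sh)
        if self.codes.pop(username, None) != code:
            raise ValueError("CodeMismatchException")
        self.users[username] = {"password": new_password, "reset_required": False}

def sign_in_with_reset(client, username, password, get_code, new_password):
    # Sign in; on PasswordResetRequiredException run ForgotPassword -> ConfirmForgotPassword and retry.
    sh = secret_hash(username, client.client_id, client.client_secret)
    try:
        return client.initiate_auth(username, password, sh)
    except PasswordResetRequiredException:
        client.forgot_password(username, sh)
        client.confirm_forgot_password(username, get_code(username), new_password, sh)
        return client.initiate_auth(username, new_password, sh)
```

Note that the password passed to ConfirmForgotPassword is the new one the user chooses; the invalidated password is never sent again, which is why the two flows can share the same steps after the exception.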

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jianqi