Checkboxes for prior research
Describe the bug
When a Cognito User Pool has MFA set to REQUIRED, the AdminGetUser API returns an empty UserMFASettingList array if the user has disabled their MFA methods (via AdminSetUserMFAPreference).
I cannot find anywhere in the documentation that notes this nuance, but I did find an issue from the archived aws-sdk repository that makes reference to this. I'd like to bring this back up for discussion, as I do not agree with the resolution of this being the expected behaviour as well as not making reference in the docs.
This issue leads to a behavioural dissonance between what the data says and what the user experiences and makes it impossible to make a conclusive determination about the current MFA status of a user.
- In a support role, it is more challenging to assist the user when you do not have access to all the data you should.
- A consuming application has no way to get the currently configured MFA methods, for use in custom guided workflows or data-driven UI elements.
- The AWS Cognito user management dashboard does not even reflect the correct values, nor does it follow a consistent pattern when viewing a user's MFA configuration
- SMS is shown to be enabled, regardless of the enabled/disabled status and is instead driven by the existence of a phone number on the account
- Other factors honour the enabled/disabled status with no indication that the method is still configured and potentially still in use.
Regression Issue
SDK version number
@aws-sdk/client-cloudwatch@3.1011.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.16.0
Reproduction Steps
Prerequisites:
- User has at least one MFA method setup
- User Pool has MFA set to REQUIRED
import { CognitoIdentityProvider } from '@aws-sdk/client-cognito-identity-provider';
const client = new CognitoIdentityProvider({
...
});
export const getUserMfaEnabled = async (username) => {
await client.adminSetUserMFAPreference({
UserPoolId: '<USER_POOL_ID>',
Username: username,
SMSMfaSettings: {
Enabled: false
},
EmailMfaSettings: {
Enabled: false
},
SoftwareTokenMfaSettings: {
Enabled: false
}
});
const user = await client.adminGetUser({
UserPoolId: '<USER_POOL_ID>',
Username: username
});
// returns empty array
console.log(user.UserMFASettingList)
};
Observed Behavior
UserMFASettingList is empty.
Expected Behavior
UserMFASettingList reflect the values that be used during sign-in.
It may be more prudent to return more that just the list, so the consumer application can make its own determination with the data.
Possible Solution
Return UserMFASettingList with all MFA methods and the enabled/disabled status.
Additional Information/Context
No response
Checkboxes for prior research
Describe the bug
When a Cognito User Pool has MFA set to REQUIRED, the
AdminGetUserAPI returns an empty UserMFASettingList array if the user has disabled their MFA methods (viaAdminSetUserMFAPreference).I cannot find anywhere in the documentation that notes this nuance, but I did find an issue from the archived
aws-sdkrepository that makes reference to this. I'd like to bring this back up for discussion, as I do not agree with the resolution of this being the expected behaviour as well as not making reference in the docs.This issue leads to a behavioural dissonance between what the data says and what the user experiences and makes it impossible to make a conclusive determination about the current MFA status of a user.
Regression Issue
SDK version number
@aws-sdk/client-cloudwatch@3.1011.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.16.0
Reproduction Steps
Prerequisites:
Observed Behavior
UserMFASettingListis empty.Expected Behavior
UserMFASettingListreflect the values that be used during sign-in.It may be more prudent to return more that just the list, so the consumer application can make its own determination with the data.
Possible Solution
Return
UserMFASettingListwith all MFA methods and the enabled/disabled status.Additional Information/Context
No response