Amazon.IdentityStore CreateUser Not Sending Email Verification Link

[feardobeardo2]

Describe the bug

When creating a user with the Amazon.IdentityStore API the user does not receive the email verification, we have to go in and manually send it. Not really seeing the point of this API if the end user cannot verify to login. I have also tried enabling Send email OTP just to see if it works and it does not. Only way for the user to get the email is by clicking the button in the IAM Identity Center console.

Expected Behavior

Create user via API, email is sent to user so they can login.

Current Behavior

Create User via API, no email is sent to the user.

Reproduction Steps

CODE SAMPLE

public Amazon.IdentityStore.Model.CreateUserResponse CreateIdentityStoreUser( string emailAddress, string displayName, string firstName, string lastName )
    {
      var identityService = new AmazonIdentityStoreClient( AccessKeyID, accessKeySecret, Amazon.RegionEndpoint.GetBySystemName( RegionEndpoint ) );
      var createUserRequest = new Amazon.IdentityStore.Model.CreateUserRequest
      {
        IdentityStoreId = identityStoreId,
        UserName = emailAddress,
        Emails = new List<Amazon.IdentityStore.Model.Email>
        {
          new Amazon.IdentityStore.Model.Email()
          {
             Primary = true,
             Type = "Work",
             Value = emailAddress
          }
        },
        DisplayName = displayName,
        Name = new Amazon.IdentityStore.Model.Name()
        {
          FamilyName = lastName,
          GivenName = firstName
        }
      };
      var createUserResponse = identityService.CreateUser( createUserRequest );

      return createUserResponse;

    }

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.IdentityStore 3.7.300.68

Targeted .NET Platform

net452

Operating System and version

Windows

[ashishdhingra]

AWSSDK.IdentityStore package is autogenerated from service model. Most likely a service API or configuration issue. Needs reproduction.

[ashishdhingra]

@feardobeardo2 Good afternoon. Thanks for reporting the issue. This appears to be reproducible using code below:

using Amazon;
using Amazon.IdentityStore;
using Amazon.IdentityStore.Model;

var response = await CreateIdentityStoreUser("d-<<some-id>>", RegionEndpoint.USEast1, "testemail@testdomain.com", "Test User", "Test", "User");
Console.WriteLine(response.UserId);
async Task<CreateUserResponse> CreateIdentityStoreUser(string identityStoreId, RegionEndpoint regionEndpoint, string emailAddress, string displayName, string firstName, string lastName)
{
    var identityService = new AmazonIdentityStoreClient(regionEndpoint);
    var createUserRequest = new CreateUserRequest
    {
        IdentityStoreId = identityStoreId,
        UserName = emailAddress,
        Emails = new List<Email>
        {
          new Email()
          {
             Primary = true,
             Type = "Work",
             Value = emailAddress
          }
        },
        DisplayName = displayName,
        Name = new Name()
        {
            FamilyName = lastName,
            GivenName = firstName
        }
    };
    return await identityService.CreateUserAsync(createUserRequest);
}

After user is successfully created, examining user details in AWS console displays below banner at the top:

Email not verified
Users must first verify their email address before they can begin to use certain features such as completing email-based two-step verification during sign-in.

There doesn't appear to be any service API operation per Identity Store API Reference to send email verification link to user.

Upon investigating further (thanks for article Add a layer of security for AWS IAM Identity Center user portal sign-in with context-aware email-based verification), here are the additional steps required:

• Enable email OTP for standard authentication.
  
• After user is created using CreateUser API (i.e. using above code), they can try login using AWS access portal URL. This is available from Identity Center settings and looks something like https://<<identity-store-id>>.awsapps.com/start.
• Once user tries to login using their registered email address, they would be prompted to verify email using verification code. This is when the verification email with OTP would be sent.
  • Once verified, user would be prompted to setup new password and username.

So CreateUser only creates users and depending on the Identity Store setting, verification link is sent to users while they try to sign-in for the first time.

I was able to test the above flow at my end and verified that it works successfully.

Hope this helps.

Thanks,
Ashish