Goal

I have a newly created user in AWS Cognito and want to start invoking calls as that user, including the first-login step of setting a new password.

Solution

For such a newly created user, first call the InitiateAuth API like this:

POST https://cognito-idp.[YOUR-REGION-GOES-HERE].amazonaws.com/
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth

{
    "AuthFlow" : "USER_PASSWORD_AUTH",
    "ClientId" : "[YOUR-CLIENT-ID-FROM-COGNITO-USER-POOL]",
    "AuthParameters" : {
        "USERNAME" : "pnowicki",
        "PASSWORD" : "[YOUR_PASSWORD_GOES_HERE]"
    }
}

This call will return a response similar to this:

{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeParameters": {
      "USER_ID_FOR_SRP": "pnowicki",
      "requiredAttributes": "[\"userAttributes.email\"]",
      "userAttributes": "{\"email\":\"\"}"
  },
  "Session": "[LONG_VALUE_COMES_HERE]"
}

That is a sample response for the user with username pnowicki, whose email is configured as a required attribute.

Now you need to invoke RespondToAuthChallenge in order to configure the new password:

POST https://cognito-idp.eu-central-1.amazonaws.com/
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge

{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ClientId": "[YOUR-CLIENT-ID-FROM-COGNITO-USER-POOL]",
  "ChallengeResponses": {
      "USERNAME": "pnowicki",
      "NEW_PASSWORD": "[YOUR_NEW_PASSWORD_GOES_HERE]",
      "userAttributes.email": "[EMAIL_GOES_HERE]"
  },
  "Session": "[THE_SAME_LONG_VALUE_AS_ABOVE_COMES_HERE]"
}

In the response you should now get an AccessToken, which you can use as a Bearer token in the Authorization header of subsequent calls.
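The same two-step flow as a small client-side helper, added here as an example and not code from the original post: it builds the InitiateAuth body, parses the NEW_PASSWORD_REQUIRED challenge (note that requiredAttributes is a JSON array encoded as a string inside the JSON response), and refuses to build the RespondToAuthChallenge body unless every required attribute has been supplied. The client id, passwords, session value and e-mail address are constructed placeholders.

```python
import json

# Added example (not from the original post). Builds the two request bodies of
# the NEW_PASSWORD_REQUIRED flow; all values below are constructed placeholders.

def initiate_auth_body(client_id, username, password):
    """Body for X-Amz-Target AWSCognitoIdentityProviderService.InitiateAuth."""
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
    }

def required_attributes(challenge):
    """Cognito nests the list of required attributes as a JSON *string*."""
    raw = challenge.get("ChallengeParameters", {}).get("requiredAttributes", "[]")
    return json.loads(raw)

def new_password_body(challenge, client_id, new_password, attributes):
    """Body for RespondToAuthChallenge; fails fast if an attribute is missing."""
    if challenge.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise ValueError("unexpected challenge: %r" % challenge.get("ChallengeName"))
    username = challenge["ChallengeParameters"]["USER_ID_FOR_SRP"]
    responses = {"USERNAME": username, "NEW_PASSWORD": new_password}
    for key in required_attributes(challenge):  # e.g. "userAttributes.email"
        if key not in attributes:
            raise KeyError("challenge requires %s but no value was supplied" % key)
        responses[key] = attributes[key]
    return {
        "ChallengeName": "NEW_PASSWORD_REQUIRED",
        "ClientId": client_id,
        "ChallengeResponses": responses,
        "Session": challenge["Session"],  # must be echoed back unchanged
    }

# Constructed challenge, shaped like the sample InitiateAuth response above.
SAMPLE_CHALLENGE = {
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "pnowicki",
        "requiredAttributes": "[\"userAttributes.email\"]",
        "userAttributes": "{\"email\":\"\"}",
    },
    "Session": "SESSION-PLACEHOLDER",
}
```

Each body is sent as the JSON payload of a POST to the cognito-idp endpoint with the Content-Type and X-Amz-Target headers shown in the requests above.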