search

aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.32k stars 248 forks source link

NotAuthorizedServiceException when answering NEW_PASSWORD_REQUIRED challenge #4890

Closed JorgeAndresDiazz closed 4 months ago

JorgeAndresDiazz commented 5 months ago

Description

I'm using Amplify Flutter SDK to manage custom auth flow through Cognito. I have a user in my user pool that has confirmation status = Force change password. When I want to log in using such user and I answer the first custom challenge (i.e. MY_OTP_CHALLENGE), it works by calling confirmSignIn(...) but then, after receiving a second custom challenge (i.e. NEW_PASSWORD_REQUIRED) I get the following exception:

           AuthenticationException{message: NotAuthorizedServiceException
           "message": "Invalid session provided for the user.",
         "underlyingException": "NotAuthorizedException {\n  message=Invalid session provided for the user.,\n}"

And password cannot be changed.

  1. How can I answer to this challenge and let the user set a new password from my Flutter mobile app to a Lambda Trigger?
  2. On the other hand, I have another user that has Confirmation Status = Confirmed, and I want to answer a PASSWORD_VERIFIER challenge because this is the first challenge I've set up in my Lambda Trigger as per docs (https://docs.amplify.aws/gen1/flutter/prev/build-a-backend/auth/sign-in-custom-flow/ ). How can I do this?

You can see both Flutter code and Lambda Trigger implementations attached below.

Screenshot 2024-05-14 at 5 50 54 PM

Captura de pantalla 2024-05-14 a la(s) 5 54 48 p  m (3)

This is the amplifyconfiguration.dart content. It's a file I created manually because I don't have permission to create an Amplify project on AWS console

const amplifyConfig = ''' {
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "IdentityManager": {
                    "Default": {}
                },
                "CredentialsProvider": {
                    "CognitoIdentity": {
                        "Default": {
                            "PoolId": "us-west-2:xxxxxxxxx:userpool/us-west-2_xxxxxxx",
                            "Region": "us-west-2"
                        }
                    }
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "us-west-2:xxxxxxxxx:userpool/us-west-2_xxxxxxx",
                        "AppClientId": "xxxxxxxxxxxxxxx",
                        "Region": "us-west-2"
                    }
                },
                "Auth": {
                    "Default": {
                        "authenticationFlowType": "CUSTOM_AUTH",
                        "usernameAttributes": [],
                        "signupAttributes": [],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 6,
                            "passwordPolicyCharacters": []
                        }
                    }
                }
            }
        }
    }
}''';

Categories

Steps to Reproduce

  1. Answer NEW_PASSWORD_REQUIRED challenge by calling 
    await Amplify.Auth.confirmSignIn(
      confirmationValue: newPassword,
     );

Screenshots

No response

Platforms

Flutter Version

3.19.3

Amplify Flutter Version

amplify_auth_cognito: 1.8.0 amplify_flutter: 1.8.0

Deployment Method

Custom Pipeline

Schema

No response

NikaHsn commented 5 months ago

@JorgeAndresDiazz thanks for taking the time to raise this issue. we will look into this and get back to you.

JorgeAndresDiazz commented 5 months ago

Thank you @NikaHsn. For additional information, please take into account that the exception occurs even though new password request (2nd custom challenge "NEW_PASSWORD_REQUIRED") is requested first (before OTP CUSTOM CHALLENGE). I mean, if the following code is the only challenge the login flow has:

// NEW PASSWORD REQUIRED
      final isSetNewPassword = otpChallengeResult.nextStep.signInStep ==
          AuthSignInStep.confirmSignInWithNewPassword;
      if (isSetNewPassword) {
        const newPassword = 'abc1234'; // This is gotten from the user

        final newPasswordResult = await Amplify.Auth.confirmSignIn(
          confirmationValue: newPassword,
        );

I still get the same exception (NotAuthorizedServiceException "message": "Invalid session provided for the user.") when calling await Amplify.Auth.confirmSignIn.

I could replicate the same issue after using Amplify Authenticator package as well (https://ui.docs.amplify.aws/flutter/connected-components/authenticator ). I evaluated AuthenticatorStep.confirmSignInNewPassword and called state.confirmSignInNewPassword() method, which threw the exception

NikaHsn commented 5 months ago

@JorgeAndresDiazz thank you for providing these details. we will look into this issue and get back to you with any updates.

JorgeAndresDiazz commented 5 months ago

Hi @NikaHsn. Do we have any news regarding this issue?

Jordan-Nelson commented 5 months ago

Hi @JorgeAndresDiazz - I believe in response to AuthSignInStep.confirmSignInWithNewPassword you should invoke Amplify.Auth.confirmResetPassword() with the confirmation code that was sent to the user along with the new password and username.

I think this is a mistake in the documentation. Can you try Amplify.Auth.confirmResetPassword() and let me know if you face any issues?

JorgeAndresDiazz commented 5 months ago

Hey @Jordan-Nelson, thank you for replying

It's not possible to use Amplify.Auth.confirmResetPassword(...) since it expects a required String confirmationCode, which it's a value we don't have. Please take into account that for the OTP custom challenge (previous challenge from AuthSignInStep.confirmSignInWithNewPassword) we use a custom OTP generator in our lambda trigger, which I think does not relate to the confirmationCode expected by the Amplitude SDK

Jordan-Nelson commented 5 months ago

@JorgeAndresDiazz Thanks for the additional info. In the SRP sign in flow Cognito will send a confirmation code which the end user can input for use in confirmResetPassword(). This may not be the case with custom auth. I have reached out to Cognito to see what the expected response should be when using custom auth. I will let you know what I find.

Jordan-Nelson commented 4 months ago

@JorgeAndresDiazz - Cognito does not support NEW_PASSWORD_REQUIRED in the custom auth flow. I believe if you want to see this supported you can open a support case through the AWS support center. I am going to close this out since this doesn't appear to be an issue or limitation with Amplify, but instead a limitation with Cognito custom auth.