Open campbellborder opened 6 months ago
Hi @campbellborder thank you for opening this issue. I've been taking a look at this and I'm able to reproduce the same behavior as well. I'm currently discussing with the Cognito team, mainly because in the documentation shown here, it seems that SOFTWARE_TOKEN_MFA is not an expected challengeName.
I will follow up soon with an update, but in the meantime, let me know if you have any questions.
Hi @campbellborder following up here. After discussing with the Cognito team, the issue here is that MFA is not supported when using passwordless authentication flows within a Custom Auth Flow, as MFA generation is dependent on the password verifier challenge being triggered. As an alternative, you can configure and add a custom challenge where you send your user an OTP, using Amazon Pinpoint for example - more on Pinpoint for OTP can be found in the documentation here.
Let me know if you have any questions, and in the meantime we will mark this as a feature request for the Cognito team.
Hi @nadetastic, thanks for looking into this. My issue is that my custom auth flow is an OTP challenge, so it doesn't make sense to use OTP as the MFA method as well. Is there any way to use MFA token apps as a custom auth flow? Otherwise I will just have to wait for the feature request to be completed. Cheers!
Hi - any update on this?
JavaScript Framework
Next.js
Amplify APIs
Not applicable
Amplify Version
v6
Amplify Categories
auth
Backend
Other
Describe the bug
In short, I'm trying to use the SOFTWARE_TOKEN_MFA flow after successfully completing the CUSTOM_CHALLENGE flow. In my defineAuthChallenge trigger, once the custom challenge is successfully passed, I respond with challengeName = "SOFTWARE_TOKEN_MFA" and issueTokens = false. This successfully returns output.nextStep.signInStep (from auth.signIn) as "CONFIRM_SIGN_IN_WITH_TOTP_CODE", but when I use auth.confirmSignIn, it returns the error "CodeMismatchException - Invalid code or auth state for the user", even though the code is correct.
I'm using SST to launch my backend resources. I've set up password-less authentication (OTP) as described here: https://aws.amazon.com/blogs/mobile/implementing-passwordless-email-authentication-with-amazon-cognito/. I've enabled optional MFA (but I'm only letting users use software tokens, as they can also use their mobiles for OTP).
Expected behavior
I expect that providing the correct code at this stage would grant the user access to their account.