aws / aws-sdk-js

AWS SDK for JavaScript in the browser and Node.js
https://aws.amazon.com/developer/language/javascript/
Apache License 2.0

Way to verify username and password of user in aws cognito using adminInitiateAuth() method #4621

Open chintu11 opened 1 year ago

chintu11 commented 1 year ago

Requirement: The code below has two functions. The first verifies the username and password of the user and, if they are correct, triggers an OTP via SMS (the default AWS behaviour, since two-factor authentication is enabled). But we do not want the OTP via SMS. We want the OTP via email with a custom template, so we implemented the second function with AuthFlow: 'CUSTOM_AUTH' (and the second method works as expected). We do not want the OTP to be triggered via SMS (but we also cannot disable two-factor auth because it is used in other use cases). Also, we only need a solution using aws-sdk. There are ways using Amplify and other libraries, but they are not useful when an app client secret is present.

```javascript
const AWS = require('aws-sdk');
const crypto = require('crypto');

const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

// SECRET_HASH is required because the app client has a secret:
// Base64(HMAC-SHA256(key = client secret, message = username + client id)).
const secretHash = (username) =>
    crypto.createHmac('SHA256', tenant.cognitoClientSecret)
        .update(username + tenant.cognitoClientId)
        .digest('base64');

// Verify username and password; with MFA enabled this sends the code via SMS.
const response0 = await cognitoIdentityServiceProvider.adminInitiateAuth({
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
    ClientId: tenant.cognitoClientId,
    UserPoolId: tenant.cognitoUserPool,
    AuthParameters: {
        SECRET_HASH: secretHash(username),
        USERNAME: username,
        PASSWORD: password
    }
}).promise();

// Send the code via email using the custom auth flow (Lambda triggers).
const response1 = await cognitoIdentityServiceProvider.adminInitiateAuth({
    AuthFlow: 'CUSTOM_AUTH',
    ClientId: tenant.cognitoClientId,
    UserPoolId: tenant.cognitoUserPool,
    AuthParameters: {
        SECRET_HASH: secretHash(username),
        USERNAME: username,
        PASSWORD: tenantId + secrets.PASSWORD_SECRET
    }
}).promise();
```

We need a solution where we can check the username and password using AuthFlow: 'CUSTOM_AUTH' (we can change the Lambda triggers), or any other way where the OTP is not triggered and we can still check the username and password correctly.

ashishdhingra commented 3 months ago

Transferred the issue to the AWS SDK for JS repo for initial triage. Most likely this is a Q&A discussion.

aBurmeseDev commented 2 months ago

Hi there - apologies for the long wait.

Your case is unique and very specific, which is why I reached out to the service team to get more insights from them. I'll post an update as soon as I hear back.

P127469405