aws / aws-sdk-net-extensions-cognito

An extension library to assist in the Amazon Cognito User Pools authentication process
Apache License 2.0

refresh token with MFA optional on user not opted in to MFA #45

Closed ak37165 closed 3 years ago

ak37165 commented 4 years ago

I have a user pool with MFA set as optional. Remembering devices is set to always and that is used to suppress MFA on remembered devices. I am using it via the API through the .Net SDK without the extension library yet: will the following be possible to solve using the extension library?

The first issue is how to get deviceKey for users who do not have MFA enabled? With MFA enabled, and when finally getting the tokens (after MFA), the response includes new device metadata with the device key.

However, if I have a user without MFA enabled, and use the USER_PASSWORD flow, I get the tokens back without a device key. NewDeviceMetadata is null.

Using this refresh token results in error "invalid refresh token" (likely because there is no device key).

So my question is that if I start from the .Net client with USER_PASSWORD flow, how do I get the device key for users who do not opt in to MFA?

The second issue is: With .Net SDK, how can I compute the device secret, salt, and password verifier needed to call ConfirmDevice, because it seems without that, the device will not be remembered and I cannot use the refresh token.

(As an aside, I was able to use the refresh token successfully if turn off device tracking, but then MFA cannot be suppressed on previously used devices.)

ashishdhingra commented 4 years ago

Hi @ak37165,

Please refer to issue #44 and let me know if the comments there help for your scenario. If yes, kindly let me know if this issue could be closed.

Thanks, Ashish

ak37165 commented 4 years ago

The major difference between that issue and this is that in #44, the very first step does return a device key. While here, if MFA is optional, for a user without MFA enabled, in the USER_PASSWORD flow, I get the tokens back without a device key.

So the comments on that other issue do not help with the primary concern in this issue.

(There was a secondary concern: how to compute the device secret, salt, and password verifier needed to call ConfirmDevice, and that is likely answered with the example code in that other issue. One can use Amazon.Extensions.CognitoAuthentication.AuthenticationHelper and then the following code:

```csharp
using System;
using Amazon.CognitoIdentityProvider.Model;
using Amazon.Extensions.CognitoAuthentication;

var authenticationHelper = new AuthenticationHelper();

// Derive the device verifier from the device group key and device key returned
// in NewDeviceMetadata, then persist it so it can be reused on later sign-ins.
_settings.DeviceVerifier = authenticationHelper.GenerateHashDevice(newDeviceInfo.GroupKey, newDeviceInfo.Key);
_settings.Save();
_settings.Reload();

// Confirm the device with the salt and password verifier computed above;
// without this the device is not remembered and the refresh token is rejected.
var confirmDeviceRequest = new ConfirmDeviceRequest
{
    DeviceKey = newDeviceInfo.Key,
    AccessToken = credentials.UserPoolAccessToken,
    DeviceName = newDeviceInfo.Name,
    DeviceSecretVerifierConfig = new DeviceSecretVerifierConfigType()
    {
        PasswordVerifier = Convert.ToBase64String(authenticationHelper.GetVerifierBytes()),
        Salt = Convert.ToBase64String(authenticationHelper.GetSaltBytes())
    }
};
```

However, the primary concern remains open.
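The refresh step this thread keeps running into, as an added example that is neither the reporter's code nor part of the extension library: with device tracking enabled, a REFRESH_TOKEN_AUTH call must carry the DEVICE_KEY the token was issued for, so a sign-in that returned no NewDeviceMetadata leaves nothing to bind the refresh to. The client, app client id, token and device key are assumed inputs; a pool app client configured with a secret would additionally need SECRET_HASH.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

// Added example; inputs (client, clientId, refreshToken, deviceKey) are assumed.
public static class CognitoRefresh
{
    public static async Task<AuthenticationResultType> RefreshAsync(
        IAmazonCognitoIdentityProvider cognito,
        string clientId,
        string refreshToken,
        string deviceKey)
    {
        var parameters = new Dictionary<string, string>
        {
            ["REFRESH_TOKEN"] = refreshToken
        };

        // When "remember devices" is on, the pool binds the refresh token to the
        // confirmed device; a refresh without the matching key is rejected.
        if (!string.IsNullOrEmpty(deviceKey))
        {
            parameters["DEVICE_KEY"] = deviceKey;
        }

        var request = new InitiateAuthRequest
        {
            ClientId = clientId,
            AuthFlow = AuthFlowType.REFRESH_TOKEN_AUTH,
            AuthParameters = parameters
        };

        try
        {
            var response = await cognito.InitiateAuthAsync(request).ConfigureAwait(false);
            return response.AuthenticationResult;
        }
        catch (NotAuthorizedException ex) when (string.IsNullOrEmpty(deviceKey))
        {
            // The "invalid refresh token" case from the issue: no device key was
            // obtained at sign-in, so the user must sign in again and ConfirmDevice
            // before the refresh token is usable.
            throw new InvalidOperationException(
                "Refresh rejected without a device key; re-authenticate and confirm the device.", ex);
        }
    }
}
```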

ashishdhingra commented 4 years ago

Hi @ak37165,

My apologies for replying late. Looks like for the 1st scenario, where without a device key the refresh token is invalid when remember devices is on, it's a known issue also mentioned in https://github.com/aws/aws-aspnet-cognito-identity-provider/issues/76#issuecomment-470723245. I'm not sure if this is an AWS Cognito service-level bug. I will convert this issue to a bug so that a developer can further look into it.

Thanks, Ashish

ashishdhingra commented 3 years ago

Hi @ak37165,

Could you please check if the issue is resolved in Amazon.Extensions.CognitoAuthentication 2.0.3? There were some device related fixes implemented in the release.

Thanks, Ashish

github-actions[bot] commented 3 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.