capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

SRP doesn't authenticate reliably with client secret #125

Open 3oris opened 6 years ago

3oris commented 6 years ago

The current implementation of process_challenge doesn't reliably authenticate when logging in via e-mail address using a client_secret. It will yield a:

"An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client"

As you can see in the official AWS Java SDK, the right way to respond to an auth challenge request (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2914) is to take the internal user name from the challenge parameters and use it both for the secret hash calculation (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2955) and as the username in the srpAuthResponse (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2964).

Please find attached the pull request that fixes this issue. https://github.com/capless/warrant/pull/124
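The fix described above, as an added example that is not part of the issue thread, the linked PR or warrant itself: SECRET_HASH is Base64(HMAC-SHA256(client_secret, username + client_id)), and for the PASSWORD_VERIFIER step both the hash input and the USERNAME field must be the pool-internal user name that Cognito returned as USER_ID_FOR_SRP, not the e-mail alias the user typed. All client ids, secrets and challenge values below are constructed.

```python
import base64
import hashlib
import hmac


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as Cognito defines it: Base64(HMAC-SHA256(client_secret, username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("utf-8")


def build_password_verifier_response(challenge_parameters, client_id, client_secret,
                                     claim_signature, timestamp):
    """Build the RespondToAuthChallenge payload for the PASSWORD_VERIFIER challenge.

    The user may have logged in with an e-mail alias, but Cognito verifies
    SECRET_HASH against the pool-internal user name it returned as
    USER_ID_FOR_SRP, so USERNAME and SECRET_HASH are both derived from it.
    """
    internal_username = challenge_parameters["USER_ID_FOR_SRP"]
    return {
        "USERNAME": internal_username,
        "PASSWORD_CLAIM_SECRET_BLOCK": challenge_parameters["SECRET_BLOCK"],
        "PASSWORD_CLAIM_SIGNATURE": claim_signature,
        "TIMESTAMP": timestamp,
        "SECRET_HASH": cognito_secret_hash(internal_username, client_id, client_secret),
    }


# Constructed sample values (not real credentials, not a real user pool):
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
TYPED_LOGIN = "alice@example.com"            # what the user typed: an e-mail alias
CHALLENGE_PARAMETERS = {                     # shape of InitiateAuth's ChallengeParameters
    "USER_ID_FOR_SRP": "alice-internal-id",  # pool-internal user name
    "USERNAME": "alice-internal-id",
    "SECRET_BLOCK": "constructed-secret-block",
}

if __name__ == "__main__":
    response = build_password_verifier_response(
        CHALLENGE_PARAMETERS, CLIENT_ID, CLIENT_SECRET,
        claim_signature="constructed-signature", timestamp="Thu Jan 1 00:00:00 UTC 1970")
    # Hashing over the typed e-mail gives a different value; that mismatch is what
    # Cognito reports as "Unable to verify secret hash for client".
    wrong = cognito_secret_hash(TYPED_LOGIN, CLIENT_ID, CLIENT_SECRET)
    print("USERNAME sent:", response["USERNAME"])
    print("hash over typed e-mail would differ:", response["SECRET_HASH"] != wrong)
```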

expertcoder commented 5 years ago

I'm new to Cognito. I am experiencing a similar problem when calling

import boto3
from warrant.aws_srp import AWSSRP

# boto3 Cognito IdP client for the region the user pool lives in
client = boto3.client('cognito-idp', region_name='xx-xxxx-x')

aws = AWSSRP(
    username='xxxx',
    password='xxxx',
    pool_id='xxx',
    client_id='xxx',
    client=client,
    client_secret='xxx'
)
tokens = aws.authenticate_user()

Error:

  File "warrant/venv/lib/python3.6/site-packages/warrant/aws_srp.py", line 213, in authenticate_user
    ChallengeResponses=challenge_response)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client xxxxxxxx

When I try the same code on a new app client which does not have a secret, the code works fine.

VaghinakSTDev commented 5 years ago

Hi, 3oris, do you have any updates?