Open 3oris opened 6 years ago
I'm new to Cognito. I am experiencing a similar problem when calling
```python
import boto3
from warrant.aws_srp import AWSSRP

# boto3 Cognito client passed in as `client` (region taken from the local AWS config)
client = boto3.client('cognito-idp')

aws = AWSSRP(
    username='xxxx',
    password='xxxx',
    pool_id='xxx',
    client_id='xxx',
    client=client,
    client_secret='xxx'
)
tokens = aws.authenticate_user()
```
Error:
```
File "warrant/venv/lib/python3.6/site-packages/warrant/aws_srp.py", line 213, in authenticate_user
ChallengeResponses=challenge_response)
File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
return self._make_api_call(operation_name, kwargs)
File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 623, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client xxxxxxxx
```
When I try the same code on a new app client which does not have a secret, the code works fine.
Hi 3oris, do you have any updates?
The current implementation of `process_challenge` doesn't reliably authenticate when logging in via e-mail address using a `client_secret`. It will yield: "An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client".

As you can see in the official AWS Java SDK, the right way to respond to an auth challenge request (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2914) is to use the internal user name from the challenge parameters and use it for secret hash calculation (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2955) as well as username in the `srpAuthResponse` (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2964). Please find attached the pull request that fixes this issue: https://github.com/capless/warrant/pull/124
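The mismatch the comment above describes, as an added worked example (this is not warrant's code, nor the linked SDK's). It computes the Cognito `SECRET_HASH` with the documented formula, Base64 of HMAC-SHA256 keyed with the client secret over `username + client_id`, once over the e-mail alias the user typed and once over the internal user name returned in the `USERNAME` challenge parameter, and shows that only the latter passes a service-side check. The client id, client secret, alias, internal user name and the challenge-parameter dictionary are constructed sample values; `service_accepts` is a local model of the verification behind "Unable to verify secret hash", not AWS code.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration; not real Cognito identifiers or secrets.
CLIENT_ID = "1example23456789abcdefghij"
CLIENT_SECRET = "constructed-client-secret-not-real"
LOGIN_ALIAS = "alice@example.com"                            # what the user typed (an e-mail alias)
INTERNAL_USERNAME = "a1b2c3d4-0000-4000-8000-123456789abc"   # the pool's internal user name

# Constructed stand-in for the ChallengeParameters that InitiateAuth(USER_SRP_AUTH)
# returns. Cognito sends the internal user name as USERNAME (and USER_ID_FOR_SRP);
# the SRP-specific fields are placeholders here.
SAMPLE_CHALLENGE_PARAMETERS = {
    "USERNAME": INTERNAL_USERNAME,
    "USER_ID_FOR_SRP": INTERNAL_USERNAME,
    "SRP_B": "<srp-b-omitted>",
    "SALT": "<salt-omitted>",
    "SECRET_BLOCK": "<secret-block-omitted>",
}


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_secret_hash(presented: str, username: str, client_id: str, client_secret: str) -> bool:
    """Constant-time comparison of a presented SECRET_HASH against the expected one."""
    expected = secret_hash(username, client_id, client_secret)
    return hmac.compare_digest(presented, expected)


def challenge_username(challenge_parameters: dict, login_identifier: str) -> str:
    """User name to carry in RespondToAuthChallenge.

    Prefer the internal user name the service returned in the challenge; only fall
    back to the identifier the user typed if the challenge did not include one.
    """
    return challenge_parameters.get("USERNAME") or login_identifier


def build_challenge_response(challenge_parameters: dict, login_identifier: str,
                             client_id: str, client_secret: str,
                             use_internal_username: bool = True) -> dict:
    """Secret-hash-relevant part of a RespondToAuthChallenge body.

    use_internal_username=False reproduces the failure described in the issue:
    the hash is taken over the alias instead of the internal user name.
    """
    if use_internal_username:
        username = challenge_username(challenge_parameters, login_identifier)
    else:
        username = login_identifier
    return {
        "USERNAME": username,
        "SECRET_HASH": secret_hash(username, client_id, client_secret),
        # TIMESTAMP, PASSWORD_CLAIM_SECRET_BLOCK and PASSWORD_CLAIM_SIGNATURE come from
        # the SRP proof and are omitted in this example.
    }


def service_accepts(response: dict, client_id: str, client_secret: str,
                    internal_username: str) -> bool:
    """Local model of the check behind 'Unable to verify secret hash': the hash is
    recomputed over the account's internal user name, not over the typed alias."""
    return verify_secret_hash(response["SECRET_HASH"], internal_username, client_id, client_secret)


if __name__ == "__main__":
    buggy = build_challenge_response(SAMPLE_CHALLENGE_PARAMETERS, LOGIN_ALIAS,
                                     CLIENT_ID, CLIENT_SECRET, use_internal_username=False)
    fixed = build_challenge_response(SAMPLE_CHALLENGE_PARAMETERS, LOGIN_ALIAS,
                                     CLIENT_ID, CLIENT_SECRET)
    print("hash over e-mail alias accepted:     ",
          service_accepts(buggy, CLIENT_ID, CLIENT_SECRET, INTERNAL_USERNAME))
    print("hash over internal username accepted:",
          service_accepts(fixed, CLIENT_ID, CLIENT_SECRET, INTERNAL_USERNAME))
```

The same rule applies to any other field that is HMAC-bound to the user name: once the challenge has told you the internal user name, every later message in the flow should use it consistently, both as `USERNAME` and as the input to `SECRET_HASH`.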