capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

An error occurred calling InitiateAuth operation: Unable to verify secret hash for client #36

Closed mtzfactory closed 6 years ago

mtzfactory commented 7 years ago

Hi,

I'm trying to use the package using the example you provide... but it doesn't work, what am I doing wrong?

from warrant import Cognito

POOL_ID = 'eu-central-1_J1HZ86xLX'
APP_ID = '23o6vbtasvacvd7f567go7svfk'
USERNAME = 'user1'
PASSWORD = '@perw1fg'
ACCESS_KEY = 'AKIAI5WPBLQZAQFPLGGQ'
SECRET_KEY = '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'

u = Cognito(POOL_ID, APP_ID, username=USERNAME, user_pool_region='eu-central-1')#, access_key=ACCESS_KEY, secret_key=SECRET_KEY)
u.authenticate(password=PASSWORD)

The settings are fake ;-)

The error message is the following:

Traceback (most recent call last):
  File "./warrant-test.py", line 20, in <module>
    tokens = aws.authenticate_user()
  File "/usr/local/lib/python2.7/site-packages/warrant/aws_srp.py", line 187, in authenticate_user
    ClientId=self.client_id
  File "/Users/m2tz/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/m2tz/Library/Python/2.7/lib/python/site-packages/botocore/client.py", line 557, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client 23o6vbtasvacvd7f567go7svfk

armicron commented 7 years ago

Maybe I missed something, but 3 months ago it was required that

When creating the App, the generate client secret box must be unchecked because the JavaScript SDK doesn't support apps that have a client secret.

P.S. The aws_srp.py module was ported from the Amazon Cognito Identity SDK for JavaScript, so this requirement (client secret box must be unchecked) should apply to warrant too.

appsassociates-dev commented 7 years ago

@armicron: is it fixed? Can you please tell me more on how to fix it? Thank you.

armicron commented 7 years ago

@appsassociates-dev "When creating the App, the generate client secret box must be unchecked"

jonasao commented 7 years ago

Are there any plans to support AWS Client apps with generated secrets?

bjinwright commented 7 years ago

@jonasao I think that should be a separate issue.

jonasao commented 7 years ago

@bjinwright Added as issue #44

bjinwright commented 6 years ago

@armicron Can we close this issue?

armicron commented 6 years ago

@bjinwright yes, it's a duplicate of 44.

RaydelMiranda commented 6 years ago

Please update the documentation; it would be nice to know about this at the "Getting started" stage.

koorukuroo commented 6 years ago

Yes,

Client secret box must be unchecked when you create a user pool

Due to this problem, I've been studying a lot, but this must be reflected in the README page.

kevbo commented 6 years ago

Due to this problem, I've been studying a lot, but this must be reflected in the README page.

Totally agreed. I had to drop print statements all around django-warrant as well as warrant to figure out what was going wrong with my implementation.

kushan-gunasekera commented 5 years ago

Try this answer which I posted on Stack Overflow. It mentions how to create SECRET_HASH in Python without unchecking Generate client secret when creating an app.

solution - https://stackoverflow.com/questions/37438879/unable-to-verify-secret-hash-for-client-in-amazon-cognito-userpools/56581239#56581239
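
Added example, not part of this thread or of warrant's own code: how the SECRET_HASH that Cognito checks is derived for an app client that has a generated secret, and how it joins the USER_SRP_AUTH parameters sent to InitiateAuth. The function names and all sample values (client id, client secret, SRP_A) are constructed placeholders.

```python
import base64
import hashlib
import hmac


def cognito_secret_hash(username, client_id, client_secret):
    """Return Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    The message is the username followed directly by the app client id,
    so the value is different for every user and must be computed per request.
    """
    message = (username + client_id).encode("utf-8")
    key = client_secret.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def srp_auth_parameters(username, client_id, srp_a_hex, client_secret=None):
    """Build AuthParameters for InitiateAuth with AuthFlow='USER_SRP_AUTH'.

    SECRET_HASH is included only when the app client was created with a
    client secret. Leaving it out for such a client is what produces
    "Unable to verify secret hash for client <client id>".
    """
    params = {"USERNAME": username, "SRP_A": srp_a_hex}
    if client_secret:
        params["SECRET_HASH"] = cognito_secret_hash(
            username, client_id, client_secret
        )
    return params


if __name__ == "__main__":
    # Constructed sample values; substitute the real app client settings.
    USERNAME = "user1"
    CLIENT_ID = "example-client-id"
    CLIENT_SECRET = "example-client-secret"
    SRP_A = "abcdef"  # placeholder for the SRP public value A in hex

    # App client without a secret: no SECRET_HASH key is sent.
    print(sorted(srp_auth_parameters(USERNAME, CLIENT_ID, SRP_A)))
    # App client with a secret: SECRET_HASH is added alongside USERNAME and SRP_A.
    print(sorted(srp_auth_parameters(USERNAME, CLIENT_ID, SRP_A, CLIENT_SECRET)))
```

The client secret is a credential: load it from a secrets store or environment variable rather than hard-coding it, and use it only in server-side code.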