capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

set_new_password_challenge() raises NotAuthorizedException for clients with secret #73

Open dmder opened 6 years ago

dmder commented 6 years ago

https://github.com/capless/warrant/blob/60b9cc0f7ccd4a9a37dc93b1bf6bdc3705981149/warrant/aws_srp.py#L240

When I call set_new_password_challenge() for the Cognito client, which does have a client_secret, it fails with botocore.errorfactory.NotAuthorizedException: ... Unable to verify secret hash for client <client_id>. This is due to the fact that the "SECRET_HASH" attribute is missing in the challenge_response dictionary. After adding SECRET_HASH, the authentication flow succeeds.
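An added example, not part of the original comment and not warrant's own code: one way to build the NEW_PASSWORD_REQUIRED challenge response so that it carries SECRET_HASH when the app client has a secret. The function names and sample values are assumptions made for illustration; `respond_to_auth_challenge` is the boto3 `cognito-idp` call the response is passed to.

```python
import base64
import hashlib
import hmac


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def new_password_responses(username, new_password, client_id, client_secret=None):
    """Build ChallengeResponses for the NEW_PASSWORD_REQUIRED challenge."""
    responses = {"USERNAME": username, "NEW_PASSWORD": new_password}
    # App clients created with a secret must send SECRET_HASH here as well;
    # leaving it out is what yields "Unable to verify secret hash for client".
    if client_secret is not None:
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return responses


def respond_new_password(client, session, username, new_password,
                         client_id, client_secret=None):
    """client: a boto3 'cognito-idp' client, or any object with the same method."""
    return client.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=session,
        ChallengeResponses=new_password_responses(
            username, new_password, client_id, client_secret),
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(new_password_responses("alice@example.com", "N3w-Passw0rd!",
                                 "example-client-id", "example-client-secret"))
```
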

J-Rojas commented 6 years ago

I can confirm this.

PR with a fix is here https://github.com/capless/warrant/pull/93