Custom Auth flow throwing error #228
I updated my sjcl, amazon-cognito-identity.min.js, and aws-cognito-sdk.min.js just in case, but it made no difference.
FYI this must be something with my lambda, because when I use Jeff's example verbatim it does work. Trying to work from his implementation forwards to mine to find the root cause.
So when I try to remove the password verifier stage from the define and create lambdas from Jeff's code I get the same error as I was originally experiencing. Here are the exact lambdas.

define:

```js
// DefineAuthChallenge trigger: decides the next step from the session history
exports.handler = function(event, context) {
  if (event.request.session.length == 1 && event.request.session[0].challengeName == 'SRP_A') {
    // first round, right after SRP_A: ask the custom challenge
    event.response.issueTokens = false;
    event.response.failAuthentication = false;
    event.response.challengeName = 'CUSTOM_CHALLENGE';
  } else if (event.request.session.length == 2 && event.request.session[1].challengeName == 'CUSTOM_CHALLENGE' && event.request.session[1].challengeResult == true) {
    // custom challenge answered correctly: issue tokens
    event.response.issueTokens = true;
    event.response.failAuthentication = false;
  } else {
    // any other state fails authentication
    event.response.issueTokens = false;
    event.response.failAuthentication = true;
  }
  context.done(null, event);
}
```

create:

```js
// CreateAuthChallenge trigger: builds the challenge the client will see
exports.handler = function(event, context) {
  if (event.request.session.length == 1 && event.request.challengeName == 'CUSTOM_CHALLENGE') {
    // public parameters are returned to the client
    event.response.publicChallengeParameters = {};
    event.response.publicChallengeParameters.captchaUrl = 'url/123.jpg';
    // private parameters stay server side and are handed to the verify trigger
    event.response.privateChallengeParameters = {};
    event.response.privateChallengeParameters.answer = '5';
    event.response.challengeMetadata = 'CAPTCHA_CHALLENGE';
  }
  context.done(null, event);
}
```

verify:

```js
// VerifyAuthChallengeResponse trigger: checks the client's answer against the private parameter
exports.handler = function(event, context) {
  if (event.request.privateChallengeParameters.answer == event.request.challengeAnswer) {
    event.response.answerCorrect = true;
  } else {
    event.response.answerCorrect = false;
  }
  context.done(null, event);
}
```
Is there a hard dependency in amazon-cognito-identity-js on all custom auth flows including PASSWORD_VERIFIER as the second step? This seems to be the problem.
This might be my answer
The question now is, is there a way to perform a non-SRP custom authentication flow using the amazon-cognito-identity-js SDK, or do I need to use the APIs instead?
Yes, if you want to do SRP as part of the authentication flow, the limitation is that you need to start with SRP and add custom challenges. You should be able to achieve a passwordless flow by generating the code in lambda and delivering it by SNS and verifying it in the corresponding lambda functions. Basically this SDK just helps with the BigInteger SRP math. Calling the specific APIs from the Cognito client should be straightforward. If there's an interest in providing more functionality, we can include the APIs in this SDK as well.
@itrestian thank you for the response. In our case you can imagine that we want to do captcha-only authentication (that's not what we're doing, but for flow purposes it's suitably analogous). I'd like to call Specifically in our case the verify auth challenge lambda needs the value of a cookie in the user's browser and the username to perform this particular authentication scenario. If I roll it myself the challenge is that it's not integrated into the SDK and creates confusion for other developers going forward (session, local storage, etc., to say the least). It seems completely reasonable that I should be able to do a totally custom SRP-less authentication using the SDK. Does that make sense, can you explain how I do that?
Yes, I agree that it makes sense to have it integrated for the reasons you mentioned (local storage, session etc.) and we will take that on. In the meanwhile our team will reach out to you with an example of passwordless authentication.
Appreciated.
Struggling with the same issue. Can the example for handling passwordless login be shared here?
@itrestian Can you please provide an example of a passwordless server-side authentication for the rest of us that want to implement it?
There is an example in Tim Hunt's re:Invent presentation (he is the last presenter):
@itrestian , is Tim using this SDK or the SDK for browser (docs here)? A screenshot from the YouTube video seems to indicate to me the latter: In this SDK, it seems that the challenge is hard-coded to SRP_A:
He is using the AWS SDK for browser that you pointed to. The initiateAuth and respondToAuthChallenge APIs are defined there and in his example are basically used to pass parameters. We could provide wrappers for those methods in this SDK for better integration.
@itrestian , what's your recommendation? Would there be issues if we used the Cognito SDK for everything except
Don't think there would be any issue, the Cognito SDK is just providing the SRP protocol math, most of the other functions are just wrappers against the Amazon SDK methods. And one can integrate the tokens provided by respondToAuthChallenge into the session in the Cognito SDK.
So the options are as follows:

(1)

```js
cognitoUser.signInUserSession = cognitoUser.getCognitoUserSession(dataAuthenticate.AuthenticationResult);
```

(2) We can provide wrappers in this SDK in CognitoUser around initiateAuth and respondToAuthChallenge (also a custom challenge callback) so that in case tokens are obtained, a session is generated. I can make this change if necessary. Any other suggestions are appreciated.
@itrestian ,
+1 |
The wrapper for initiateAuth has been added. There was already a wrapper for respondToAuthChallenge if the challenge is a custom challenge.
Does anyone have a working example of this?
While trying to follow Jeff Barr's blog post on using custom authentication I get this error. I'm actually trying to execute a passwordless flow, but even if I send the password along it still produces the same error.
My authenticate method looks like this:
My define auth challenge:
My create auth challenge:
According to CloudWatch my verify auth challenge is never invoked.