Signin with Custom Auth With SRP issues token without triggering the CUSTOM_CHALLENGE #2331
Status: Closed
Labels: auth, pending-response
Language and Async Model: Kotlin
Amplify Categories: Authentication
Please include any relevant guides or documentation you're referencing: https://docs.amplify.aws/lib/auth/signin_with_custom_flow/q/platform/android/#custom-auth-flow-with-srp
Describe the bug

In version 2 (SDK 2.2.2) of the Amplify SDK, I am integrating with an existing user pool using the CUSTOM_AUTH authentication flow.

When calling the sign-in flow with the "CUSTOM_AUTH_WITH_SRP" AuthFlowType, the result's nextStep.signInStep of the custom sign-in is AuthSignInStep.DONE and a token gets issued immediately. However, in the define auth Lambda the returned response has

event.response.issueTokens = false
event.response.challengeName = 'PASSWORD_VERIFIER'

which should trigger the next step of the CUSTOM_AUTHENTICATION challenge instead of issuing the tokens. Thereby the login essentially just skips the entire CUSTOM_CHALLENGE verification.

However, this is not the case using the JavaScript Amplify SDK or the Android SDK v1, which do proceed with the CUSTOM_CHALLENGE verification.

This also seems like a security flaw in Custom Authentication, which allows users to bypass custom authentication altogether when using SDK v2.
Reproduction steps (if applicable)

nextStep.signInStep having AuthSignInStep.DONE instead of AuthSignInStep.CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE to confirm the auth challenge.
Additional information and screenshots
No response
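The step order the report relies on (SRP password verification first, then a custom challenge, tokens only after the custom challenge is answered correctly) is decided server-side by the Define Auth Challenge trigger that Cognito invokes after every challenge with the whole session so far. The following is an added example of such a trigger written for this page; it is not the reporter's code and not Amplify's. The event field names (`request.session`, `request.userNotFound`, `response.challengeName`, `response.issueTokens`, `response.failAuthentication`) are the Cognito Define Auth Challenge event shape; the `defineAuthChallenge` and `walkThrough` helper names are my own, and the session entries in `walkThrough` are constructed sample data. The point it demonstrates is the fail-closed policy: tokens are requested only when the `CUSTOM_CHALLENGE` entry in the session carries `challengeResult: true`, and any other sequence fails authentication.

```javascript
// Added example of a Cognito Define Auth Challenge trigger for the
// "custom auth with SRP" flow. Not the reporter's or Amplify's code.

// Pure decision function so the policy can be exercised without a Lambda runtime.
// `session` is event.request.session: the challenges completed so far, each
// { challengeName, challengeResult, challengeMetadata? }.
function defineAuthChallenge(session, userNotFound = false) {
  const deny = { challengeName: undefined, issueTokens: false, failAuthentication: true };
  const steps = session || [];

  // Unknown user: fail closed instead of walking the flow for a non-existent account.
  if (userNotFound) return deny;

  const last = steps[steps.length - 1];

  // Step 1: client opened with SRP_A; hand the password check to Cognito.
  if (steps.length === 1 && last.challengeName === 'SRP_A') {
    return { challengeName: 'PASSWORD_VERIFIER', issueTokens: false, failAuthentication: false };
  }

  // Step 2: password verified by Cognito; now demand the custom challenge.
  if (steps.length === 2
      && last.challengeName === 'PASSWORD_VERIFIER'
      && last.challengeResult === true) {
    return { challengeName: 'CUSTOM_CHALLENGE', issueTokens: false, failAuthentication: false };
  }

  // Step 3: custom challenge answered correctly; only now ask for tokens.
  if (steps.length === 3
      && last.challengeName === 'CUSTOM_CHALLENGE'
      && last.challengeResult === true) {
    return { challengeName: undefined, issueTokens: true, failAuthentication: false };
  }

  // Wrong password, wrong custom answer, or an unexpected step order: fail.
  return deny;
}

// Lambda entry point: copy the decision into event.response and return the event.
async function handler(event) {
  const decision = defineAuthChallenge(event.request.session, event.request.userNotFound);
  event.response.issueTokens = decision.issueTokens;
  event.response.failAuthentication = decision.failAuthentication;
  if (decision.challengeName) event.response.challengeName = decision.challengeName;
  return event;
}

// Constructed walk-through of one successful login: returns the trigger's
// decision after each of the three invocations Cognito would make.
function walkThrough() {
  const session = [];
  const decisions = [];
  session.push({ challengeName: 'SRP_A', challengeResult: true });
  decisions.push(defineAuthChallenge(session));           // challengeName: PASSWORD_VERIFIER
  session.push({ challengeName: 'PASSWORD_VERIFIER', challengeResult: true });
  decisions.push(defineAuthChallenge(session));           // challengeName: CUSTOM_CHALLENGE
  session.push({ challengeName: 'CUSTOM_CHALLENGE', challengeResult: true });
  decisions.push(defineAuthChallenge(session));           // issueTokens: true
  return decisions;
}

if (typeof module !== 'undefined') module.exports = { handler, defineAuthChallenge, walkThrough };
```

When reproducing a report like this one, it helps to log `event.request.session` at every invocation of the trigger: the sequence of sessions the Lambda actually saw can then be compared against the `nextStep.signInStep` values the client SDK reported, which shows whether the custom challenge round trip happened on the server side at all.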