
Signin with Custom Auth With SRP issues token without triggering the CUSTOM_CHALLENGE #2331

Closed
1 task done
AnirudhWinimy opened this issue Mar 14, 2023 · 4 comments
Labels
auth Related to the Auth category/plugins pending-response Issue is pending response from the issue requestor

Comments


AnirudhWinimy commented Mar 14, 2023

Before opening, please confirm:

Language and Async Model

Kotlin

Amplify Categories

Authentication

Gradle script dependencies

    implementation "com.amplifyframework:core:2.2.2"
    implementation "com.amplifyframework:aws-auth-cognito:2.2.2"

Environment information

------------------------------------------------------------
Gradle 7.3.3
------------------------------------------------------------

Build time:   2021-12-22 12:37:54 UTC
Revision:     6f556c80f945dc54b50e0be633da6c62dbe8dc71

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.13 (Oracle Corporation 11.0.13+10-LTS-370)
OS:           Windows 10 10.0 amd64

Please include any relevant guides or documentation you're referencing

https://docs.amplify.aws/lib/auth/signin_with_custom_flow/q/platform/android/#custom-auth-flow-with-srp

Describe the bug

In version 2 (SDK 2.2.2) of the Amplify SDK, I am integrating with an existing user pool using the CUSTOM_AUTH authentication flow.

When calling the sign-in flow with the "CUSTOM_AUTH_WITH_SRP" AuthFlowType, the result's nextStep.signInStep of the custom sign-in is AuthSignInStep.DONE and a token gets issued immediately.

However, in the define auth lambda the returned response has event.response.issueTokens = false and event.response.challengeName = 'PASSWORD_VERIFIER', which should trigger the next step of the CUSTOM_AUTHENTICATION challenge instead of issuing the tokens.

Thereby the login essentially just skips the entire CUSTOM_CHALLENGE verification.

However, this is not the case with the JavaScript Amplify SDK or the Android SDK V1, which do proceed with the CUSTOM_CHALLENGE verification.

This also seems like a security flaw in Custom Authentication, which allows users to bypass custom authentication altogether when using SDK V2.

Reproduction steps (if applicable)

  1. Configure Amplify with CUSTOM_AUTH and the lambda triggers (for the define/create and verify auth triggers) from the examples provided
  2. Log in as an existing user using the Custom Auth Flow with SRP and the sign-in next steps as described in the official links shared
  3. Sign-in immediately succeeds with nextStep.signInStep being AuthSignInStep.DONE instead of AuthSignInStep.CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE to confirm the auth challenge.

Code Snippet

val options = AWSCognitoAuthSignInOptions.builder()
    .authFlowType(AuthFlowType.CUSTOM_AUTH_WITH_SRP)
    .build()
try {
    Amplify.Auth.signIn(
        "username",
        "password",
        options,
        { result ->
            val nextStep = result.nextStep
            when (nextStep.signInStep) {
                AuthSignInStep.CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE -> {
                    Log.i("AuthQuickstart", "SMS code sent to ${nextStep.codeDeliveryDetails?.destination}")
                    Log.i("AuthQuickstart", "Additional Info ${nextStep.additionalInfo}")
                    // Prompt the user to enter the SMS MFA code they received
                    // Then invoke `confirmSignIn` api with the code
                }
                AuthSignInStep.CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE -> {
                    Log.i("AuthQuickstart", "Custom challenge, additional info: ${nextStep.additionalInfo}")
                    // Prompt the user to enter custom challenge answer
                    // Then invoke `confirmSignIn` api with the answer
                }
                AuthSignInStep.CONFIRM_SIGN_IN_WITH_NEW_PASSWORD -> {
                    Log.i("AuthQuickstart", "Sign in with new password, additional info: ${nextStep.additionalInfo}")
                    // Prompt the user to enter a new password
                    // Then invoke `confirmSignIn` api with new password
                }
                AuthSignInStep.RESET_PASSWORD -> {
                    Log.i("AuthQuickstart", "Reset password, additional info: ${nextStep.additionalInfo}")
                    // User needs to reset their password.
                    // Invoke `resetPassword` api to start the reset password
                    // flow, and once reset password flow completes, invoke
                    // `signIn` api to trigger signIn flow again.
                }
                AuthSignInStep.CONFIRM_SIGN_UP -> {
                    Log.i("AuthQuickstart", "Confirm signup, additional info: ${nextStep.additionalInfo}")
                    // User was not confirmed during the signup process.
                    // Invoke `confirmSignUp` api to confirm the user if
                    // they have the confirmation code. If they do not have the
                    // confirmation code, invoke `resendSignUpCode` to send the
                    // code again.
                    // After the user is confirmed, invoke the `signIn` api again.
                }
                AuthSignInStep.DONE -> {
                    Log.i("AuthQuickstart", "SignIn complete")
                    // User has successfully signed in to the app
                }
            }
        }
    ) { error ->
        Log.e("AuthQuickstart", "SignIn failed: $error")
    }
} catch (error: Exception) {
    Log.e("AuthQuickstart", "Unexpected error occurred: $error")
}


amplifyconfiguration.json

{
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify-cli/0.1.0",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "<redacted>",
                        "AppClientId": "<redacted>",
                        "Region": "ap-southeast-1"
                    }
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "dev-<custom-dm>-1.auth.ap-southeast-1.amazoncognito.com",
                            "AppClientId": "<redacted>",
                            "SignInRedirectURI": "<custom>://,<custom>://",
                            "SignOutRedirectURI": "<custom>",
                            "Scopes": [
                                "aws.cognito.signin.user.admin",
                                "email",
                                "openid",
                                "phone",
                                "profile"
                            ]
                        },
                        "authenticationFlowType": "CUSTOM_AUTH",
                        "socialProviders": [],
                        "usernameAttributes": [
                            "EMAIL"
                        ],
                        "signupAttributes": [],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 8,
                            "passwordPolicyCharacters": [
                                "REQUIRES_LOWERCASE",
                                "REQUIRES_UPPERCASE",
                                "REQUIRES_NUMBERS",
                                "REQUIRES_SYMBOLS"
                            ]
                        },
                        "mfaConfiguration": "OFF",
                        "mfaTypes": [],
                        "verificationMechanisms": [
                            "EMAIL",
                            "PHONE_NUMBER"
                        ]
                    }
                }
            }
        }
    }
}

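The server side of the flow this report describes is the DefineAuthChallenge trigger, which is the only place tokens can be granted regardless of what the client SDK reports. The handler below is an added example written for this issue; it is not code from the issue, the Amplify docs or the Amplify libraries. It implements the sequence SRP_A -> PASSWORD_VERIFIER -> CUSTOM_CHALLENGE and issues tokens only after a correct custom answer; the function name and the MAX_CUSTOM_ATTEMPTS policy are assumptions.

```javascript
// Added example, not code from the issue or the Amplify project: a Cognito
// DefineAuthChallenge handler for the CUSTOM_AUTH_WITH_SRP flow. Cognito calls
// it after every round with the session history; it alone decides whether
// tokens are issued, so a client that reports DONE early still gets no tokens.
// Expected sequence: SRP_A -> PASSWORD_VERIFIER -> CUSTOM_CHALLENGE -> tokens.
const MAX_CUSTOM_ATTEMPTS = 3; // assumed policy: three wrong answers end the flow

function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const response = event.response;
  // Start from "not done": tokens are granted only by the one rule below.
  response.issueTokens = false;
  response.failAuthentication = false;

  if (event.request.userNotFound || session.length === 0) {
    // Unknown user or a flow that skipped SRP_A: fail the same way as a bad answer.
    response.failAuthentication = true;
    return event;
  }
  if (last.challengeName === 'SRP_A') {
    // Step 1 done: hand over to Cognito's SRP password verification.
    response.challengeName = 'PASSWORD_VERIFIER';
    return event;
  }
  if (last.challengeName === 'PASSWORD_VERIFIER' && last.challengeResult === true) {
    // Password proven via SRP; the custom factor is still required.
    response.challengeName = 'CUSTOM_CHALLENGE';
    return event;
  }
  const customRounds = session.filter((s) => s.challengeName === 'CUSTOM_CHALLENGE');
  const lastCustom = customRounds[customRounds.length - 1];
  if (lastCustom && lastCustom.challengeResult === true) {
    response.issueTokens = true; // the only path that grants tokens
  } else if (lastCustom && customRounds.length < MAX_CUSTOM_ATTEMPTS) {
    response.challengeName = 'CUSTOM_CHALLENGE'; // wrong answer: allow a retry
  } else {
    // Failed password verification or too many wrong custom answers.
    response.failAuthentication = true;
  }
  return event;
}
```

The session entries are constructed test input shaped like the ones Cognito passes in event.request.session; the VerifyAuthChallengeResponse trigger is what sets challengeResult for the custom round.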

@tjleing
Contributor

tjleing commented Mar 21, 2023

Hello,

Thank you for reporting an issue with the custom authentication workflow in Amplify Android library version 2. We thank you for your patience while we investigated. Your feedback led us to identify an issue where signing in with custom authentication with SRP failed to trigger the custom challenge in version 2. We have addressed this issue in version 2.4.0. Please update to this version and confirm that this resolves the issue.

@tjleing tjleing added pending-response Issue is pending response from the issue requestor auth Related to the Auth category/plugins labels Mar 21, 2023
@gpanshu gpanshu closed this as completed Apr 7, 2023
@github-actions
Contributor

github-actions bot commented Apr 7, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@gpanshu gpanshu added the p0 label May 1, 2023
@jlarru93

I have the same error and I used

//Amplify
implementation 'com.amplifyframework:core-kotlin:2.8.2'
implementation 'com.amplifyframework:aws-api:2.8.2'
implementation 'com.amplifyframework:aws-auth-cognito:2.8.2'

I implemented it the following way

suspend fun confirmChallenge(code: String) {
    Amplify.Auth.confirmSignIn(code)
}

but when I execute that code, Amplify doesn't respond with anything.

@mattcreaser
Contributor

Hi @jlarru93. Your example doesn't show you handling the return value of confirmSignIn - I'm not sure if that was just omitted.

We recently made a change to the confirmSignIn state machine, so I would recommend retrying with version 2.11.0, and if you are still seeing a problem then please open a new GitHub issue with a detailed description. Thanks!
