Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SRP doesn't authenticate reliably with client secret #125

Open
3oris opened this issue Jul 12, 2018 · 2 comments · May be fixed by #124
Open

SRP doesn't authenticate reliably with client secret #125

3oris opened this issue Jul 12, 2018 · 2 comments · May be fixed by #124

Comments

@3oris
Copy link

3oris commented Jul 12, 2018
edited

The current implementation of process_challenge doesn't reliably authenticate when logging in via e-mail address using a client_secret. It will yield a:

"An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client"

As you can see in the official AWS java SDK, the right way to respond to an auth challenge request (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2914 ) is to use the internal user name from the challenge paramteters and use it for secret hash calculation (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2955 ) as well as username in the srpAuthResponse (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2964 )

Please find attached the pull request that fixes this issue. #124
@3oris 3oris linked a pull request Jul 12, 2018 that will close this issue
Open
@expertcoder
Copy link

I'm new to Cognito.
I am experiencing a similar problem when calling

aws = AWSSRP(
    username='xxxx',
    password='xxxx',
    pool_id='xxx',
    client_id='xxx',
    client=client,
    client_secret='xxx'
)
tokens = aws.authenticate_user()

Error:

File "warrant/venv/lib/python3.6/site-packages/warrant/aws_srp.py", line 213, in authenticate_user
    ChallengeResponses=challenge_response)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client xxxxxxxx

When I try the same code on a new app client which does not have a secret, the code works fine.

@VaghinakSTDev
Copy link

Hi, 3oris do you have any updates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix SRP auth response moia-dev/warrant
3 participants
@3oris @expertcoder @VaghinakSTDev