Is there an existing issue for this?
Current Behavior
Logging in with AdminInitiateAuth with an incorrect password produces a response which is inconsistent with actual AWS Cognito: it includes a string array rather than just a string.
nate@laptop:~$ awslocal cognito-idp admin-initiate-auth --client-id uc3c6it7jgoou4rbin5if0mzb2 --user-pool-id us-east-1_19363269ceed466bbb21ea980b4c4417 --auth-flow ADMIN_USER_PASSWORD_AUTH --auth-parameters '{"USERNAME": "joe", "PASSWORD": "NotPasswordofjoe1!"}'
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: ['Invalid password specified']
Furthermore, this response is formatted incorrectly and produces deserialization errors in the aws go sdk v2 (v1.35.1). One of the produced error messages is below:
operation error Cognito Identity Provider: AdminInitiateAuth, https response error StatusCode: 400, RequestID: 28f83435-e036-40c9-a628-ac3d9b080245, deserialization failed, failed to decode response body, json: cannot unmarshal array into Go struct field protocolErrorInfo.Message of type string
SDKs in other languages were not tested.
Expected Behavior
AWS Cognito appears to always respond with a generic NotAuthorizedException and message when the password is incorrect but the user is found.
nate@laptop:~$ aws cognito-idp admin-initiate-auth --client-id [redacted] --user-pool-id [redacted] --auth-flow ADMIN_USER_PASSWORD_AUTH --auth-parameters '{"USERNAME": "nate", "PASSWORD": "Notmypassword"}'
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Incorrect username or password.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
version: '3.8'
services:
  localstack:
    image: localstack/localstack-pro:3.2.0
    environment:
      - REQUIRE_PRO=1
      - LOCALSTACK_API_KEY=${LOCALSTACK_API_KEY}
      - DNS_ADDRESS=127.0.0.1
      - LOCALSTACK_HOST=localhost.localstack.cloud
    ports:
      - "127.0.0.1:4566:4566"
      - "127.0.0.1:4510-4559:4510-4559"
      - "127.0.0.1:53:53"
      - "127.0.0.1:443:4566"
    volumes:
      - "${TMPDIR:-/tmp/localstack}:/var/lib/localstack:rw"
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
POOL_ID=$(awslocal cognito-idp create-user-pool --pool-name demo-pool | jq -r '.UserPool.Id')
CLIENT_ID=$(awslocal cognito-idp create-user-pool-client --user-pool-id $POOL_ID --client-name my-client --no-generate-secret --explicit-auth-flows ALLOW_ADMIN_USER_PASSWORD_AUTH | jq -r '.UserPoolClient.ClientId')
awslocal cognito-idp admin-create-user --user-pool-id $POOL_ID --username "demo-user"
awslocal cognito-idp admin-set-user-password --user-pool-id $POOL_ID --username "demo-user" --password "Demo-password1" --permanent
awslocal cognito-idp admin-initiate-auth --user-pool-id $POOL_ID --client-id $CLIENT_ID --auth-flow ADMIN_USER_PASSWORD_AUTH --auth-parameters '{"USERNAME": "demo-user", "PASSWORD": "incorrect-password"}'
Environment
- OS: Ubuntu 20.04
- LocalStack: 3.2.0
Anything else?
No response
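Added example, not part of the original issue and not LocalStack or AWS SDK code: a Go check that an emulator's error body carries its message as a JSON string, alongside the typed decode that fails when it is an array. The type and function names, the `message` key, and the sample bodies (built from the two messages quoted above) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// strictError stands in for a client type that expects the message to be a JSON string.
type strictError struct {
	Type    string `json:"__type"`
	Message string `json:"message"`
}

// DecodeStrict returns the message, or the decode error a typed client would hit.
func DecodeStrict(body []byte) (string, error) {
	var e strictError
	if err := json.Unmarshal(body, &e); err != nil {
		return "", err
	}
	return e.Message, nil
}

// IsArrayTypeError reports whether err is a JSON type error caused by an array value.
func IsArrayTypeError(err error) bool {
	var te *json.UnmarshalTypeError
	return errors.As(err, &te) && te.Value == "array"
}

// MessageShape reports the JSON type of the message field: "string", "array", "missing" or "other".
func MessageShape(body []byte) (string, error) {
	var e struct {
		Message json.RawMessage `json:"message"`
	}
	if err := json.Unmarshal(body, &e); err != nil {
		return "", err
	}
	switch {
	case len(e.Message) == 0:
		return "missing", nil
	case e.Message[0] == '"':
		return "string", nil
	case e.Message[0] == '[':
		return "array", nil
	}
	return "other", nil
}

func main() {
	// Constructed sample body, not captured traffic.
	body := []byte(`{"__type":"NotAuthorizedException","message":["Invalid password specified"]}`)
	shape, _ := MessageShape(body)
	_, err := DecodeStrict(body)
	fmt.Println(shape, err)
}
```

`MessageShape` can be asserted in an integration test against the emulator so a regression in the error format is caught before it surfaces as an SDK deserialization failure.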