Cognito User Pools: Receiving Expired Session During CUSTOM_AUTH flow


I have set up my Lambda triggers for define auth challenge, create auth challenge, and verify auth challenge. I am able to successfully get through the PASSWORD_VERIFIER challenge and issue my custom challenge. However, as soon as I try to respond to the newly issued custom challenge with AdminRespondToAuth, I get the following error:

NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the AdminRespondToAuthChallenge operation: Invalid session for the user.

I am sending back the session token from the response I received after calling AdminRespondToAuthChallenge during the PASSWORD_VERIFIER challenge. I've checked the logs for my Lambdas, but it looks like it's not even hitting any of them.



Firstly, in regards to the Session string, it is an encrypted session received by the client in the previous step that the client must pass back as-is. The session contains state information about the current authentication. It cannot be replayed and it expires after 3 ~ 15 minutes. The session's expiration time can be modified through the app client's AuthSessionValidity [1] setting.

Secondly, in regards to the error faced, one way this error can happen is if two consecutive API calls were being made with the same session in your application code. Please do remember that the session key can be used only once. If a RespondToAuthChallenge call is performed using the same session key again, you will get the above error. Hence, I would recommend checking the flow of your API calls in your application code. Also, checking CloudTrail logs in your AWS account can help in confirming whether there are multiple RespondToAuthChallenge API executions taking place.

Additionally, the general flow of API and Lambda invocation in terms of custom challenges should look like below:

  1. An InitiateAuth API call with the CUSTOM_AUTH auth flow will invoke the DefineAuth trigger.
  2. The DefineAuth trigger will then invoke the CreateAuth trigger.
  3. The CreateAuth trigger sends the response to the DefineAuth trigger, which then invokes the VerifyAuth trigger.
  4. The VerifyAuth trigger confirms the challenge and sends the response to the DefineAuth trigger; this trigger then generates tokens or returns an error based on the response received.

Thirdly, if the above suggestion doesn't help, we will need to investigate your Lambdas (considering you mentioned that it's not even hitting them, this would require checking the configuration of the Lambdas themselves first to make sure that enough permissions [1] are provided for Cognito to be able to invoke them), the flow of your API calls, and test CLI vs. application behavior to isolate whether the issue exists only on the application end or is consistent everywhere else. Also, if required, capture the service request IDs (which can be procured using HAR logs [2] for your app or the CLI --debug [3] capability) for those failing Cognito API calls (RespondToAuthChallenge) to check for the issue.

However, please do not post any of the above sensitive information about your accounts or their resources over this re:Post channel, since this is a public platform. Therefore, I would like to request that you log a support case directly with our Premium Support team if you require any further assistance.

As always, feel free to reach back out with any further questions or concerns in the meantime!


[1] UpdateUserPoolClient - Request Parameters:

"Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Type: Integer. Valid Range: Minimum value of 3. Maximum value of 15."



AWS
Answered 1 year ago
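The single-use session rule described in the answer is easiest to get right by driving the whole challenge loop from one helper that always takes `Session` from the most recent response. The following is an added example, not code from the answer or from AWS: `run_custom_auth` works with any object that exposes boto3's cognito-idp `admin_initiate_auth` and `admin_respond_to_auth_challenge` methods (a real `boto3.client("cognito-idp")` can be passed in), while `FakeCognito` is a constructed stand-in that enforces the one-time session so the example runs offline. `replay_session_fails` reproduces the "Invalid session" error from the question by sending the same `Session` twice. Pool id, client id, username and answers are constructed placeholders, and the fake accepts a plain `ANSWER` for the PASSWORD_VERIFIER step, whereas a real pool expects SRP claim fields there.

```python
"""Thread Cognito's one-time Session value through a CUSTOM_AUTH flow.

Added example, not the re:Post answer's or AWS's code. Every identifier
below (pool id, client id, user, answers) is constructed.
"""
import secrets


class NotAuthorizedException(Exception):
    """Stand-in for botocore's NotAuthorizedException."""


class FakeCognito:
    """Constructed stand-in for the cognito-idp client.

    Each response carries a fresh Session. A Session is accepted exactly
    once and then forgotten, which is the rule the answer describes.
    """

    def __init__(self, challenges):
        # ordered (challenge_name, expected_answer) pairs the pool will issue
        self._challenges = list(challenges)
        self._live = {}  # session -> index of the challenge it belongs to

    def _issue(self, idx):
        if idx >= len(self._challenges):
            return {"AuthenticationResult": {"AccessToken": "constructed-token"}}
        session = secrets.token_urlsafe(16)
        self._live[session] = idx
        return {"ChallengeName": self._challenges[idx][0],
                "Session": session, "ChallengeParameters": {}}

    def admin_initiate_auth(self, **kw):
        assert kw["AuthFlow"] == "CUSTOM_AUTH"
        return self._issue(0)

    def admin_respond_to_auth_challenge(self, **kw):
        # pop() is what makes the session single-use: a replayed value is unknown
        idx = self._live.pop(kw["Session"], None)
        if idx is None:
            raise NotAuthorizedException("Invalid session for the user.")
        name, expected = self._challenges[idx]
        if kw["ChallengeName"] != name or kw["ChallengeResponses"].get("ANSWER") != expected:
            raise NotAuthorizedException("Incorrect username or password.")
        return self._issue(idx + 1)


def run_custom_auth(client, pool_id, client_id, username, answer_for):
    """Loop over challenges until tokens arrive.

    answer_for(challenge_name, challenge_parameters) returns the ANSWER string.
    The Session sent in each call comes from the immediately preceding
    response and is never reused.
    """
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="CUSTOM_AUTH",
        AuthParameters={"USERNAME": username})
    while "AuthenticationResult" not in resp:
        name = resp["ChallengeName"]
        resp = client.admin_respond_to_auth_challenge(
            UserPoolId=pool_id, ClientId=client_id, ChallengeName=name,
            Session=resp["Session"],  # latest session only
            ChallengeResponses={"USERNAME": username,
                                "ANSWER": answer_for(name, resp.get("ChallengeParameters", {}))})
    return resp["AuthenticationResult"]


def replay_session_fails(client, pool_id, client_id, username, answer_for):
    """Reproduce the question's bug: send the same Session a second time.

    Returns True when the replay is rejected with 'Invalid session'.
    """
    first = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="CUSTOM_AUTH",
        AuthParameters={"USERNAME": username})
    call = dict(UserPoolId=pool_id, ClientId=client_id,
                ChallengeName=first["ChallengeName"], Session=first["Session"],
                ChallengeResponses={"USERNAME": username,
                                    "ANSWER": answer_for(first["ChallengeName"], {})})
    client.admin_respond_to_auth_challenge(**call)  # first use: accepted
    try:
        client.admin_respond_to_auth_challenge(**call)  # same Session again
    except NotAuthorizedException as exc:
        return "Invalid session" in str(exc)
    return False


# Constructed pool: a password step followed by one custom challenge.
POOL = [("PASSWORD_VERIFIER", "constructed-password"), ("CUSTOM_CHALLENGE", "123456")]
ANSWERS = dict(POOL)


if __name__ == "__main__":
    answer = lambda name, _params: ANSWERS[name]
    print(run_custom_auth(FakeCognito(POOL), "us-east-1_constructed", "constructedclientid", "alice", answer))
    print("replay rejected:", replay_session_fails(FakeCognito(POOL), "us-east-1_constructed",
                                                   "constructedclientid", "alice", answer))
```

The loop in `run_custom_auth` is the shape worth copying: the `Session` argument is read from the response object that was just overwritten, so there is no second variable holding an older session that could be sent by mistake.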
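The four-step trigger sequence in the answer (DefineAuth, CreateAuth, VerifyAuth, then DefineAuth again) can be seen end to end with three minimal handlers and a driver that calls them in Cognito's order. This is an added example, not the answer's or AWS's code: the `request`/`response` field names follow the documented trigger payloads, but `simulate_flow` is a constructed stand-in for Cognito itself, the one-time code `482913` and the `MAX_ATTEMPTS` limit are constructed, and a real pool's PASSWORD_VERIFIER step, which precedes the custom challenge, is not modelled. The example goes slightly beyond the answer by showing how DefineAuth uses the accumulated `session` list to allow retries and to fail authentication after too many wrong answers.

```python
"""The three CUSTOM_AUTH Lambda triggers and a driver that chains them the way
Cognito does. Added example, not AWS's or the re:Post answer's code."""
import hmac

MAX_ATTEMPTS = 3  # constructed policy: fail after this many wrong custom answers


def define_auth_challenge(event, context=None):
    """Decide the next step from the challenges already answered (request.session)."""
    session = event["request"]["session"]  # one entry per challenge already run
    resp = event["response"]
    custom = [s for s in session if s["challengeName"] == "CUSTOM_CHALLENGE"]
    if custom and custom[-1]["challengeResult"]:
        resp["issueTokens"] = True          # latest custom challenge passed
        resp["failAuthentication"] = False
    elif len(custom) >= MAX_ATTEMPTS:
        resp["issueTokens"] = False         # too many wrong answers
        resp["failAuthentication"] = True
    else:
        resp["issueTokens"] = False         # ask (again) for the custom challenge
        resp["failAuthentication"] = False
        resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event, context=None):
    """Build the challenge. The answer lives only in privateChallengeParameters,
    which Cognito passes to VerifyAuth but never returns to the client."""
    code = "482913"  # constructed; a real trigger would generate and deliver one
    resp = event["response"]
    resp["publicChallengeParameters"] = {"hint": "code sent out of band"}
    resp["privateChallengeParameters"] = {"answer": code}
    resp["challengeMetadata"] = "OTP"
    return event


def verify_auth_challenge_response(event, context=None):
    """Compare the client's answer with the private parameter in constant time."""
    expected = event["request"]["privateChallengeParameters"]["answer"]
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, given)
    return event


def simulate_flow(answers):
    """Constructed driver standing in for Cognito's trigger chain.

    `answers` is the sequence of client answers. Returns (outcome, rounds)
    where outcome is 'TOKENS', 'FAILED' or 'ABANDONED'.
    """
    session, rounds, answers = [], 0, iter(answers)
    while True:
        # step 1 / step 4: DefineAuth looks at the session so far
        r = define_auth_challenge({"request": {"session": list(session)}, "response": {}})["response"]
        if r["issueTokens"]:
            return "TOKENS", rounds
        if r["failAuthentication"]:
            return "FAILED", rounds
        # step 2: CreateAuth produces the challenge for the client
        created = create_auth_challenge({"request": {"session": list(session)}, "response": {}})["response"]
        rounds += 1
        try:
            answer = next(answers)  # client responds via RespondToAuthChallenge
        except StopIteration:
            return "ABANDONED", rounds
        # step 3: VerifyAuth checks the answer against the private parameters
        verified = verify_auth_challenge_response({
            "request": {"privateChallengeParameters": created["privateChallengeParameters"],
                        "challengeAnswer": answer},
            "response": {}})["response"]
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": verified["answerCorrect"],
                        "challengeMetadata": created["challengeMetadata"]})


if __name__ == "__main__":
    print(simulate_flow(["000000", "482913"]))  # one retry, then tokens
    print(simulate_flow(["1", "2", "3"]))       # three misses, then failure
```

Keeping the expected answer in `privateChallengeParameters` rather than `publicChallengeParameters` is the part that matters for security here: the public map is returned to the caller in `ChallengeParameters`, the private map is not.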
