I'd like to configure a custom authentication flow with AWS Cognito, so I used these instructions (this and this) to do it. Previously, I configured password authentication with the possibility to specify a user's email or phone number as the username, with confirmation codes sent via custom sender triggers, and it worked fine. But then, after adding the custom authentication triggers, I realized that there is no `CreateAuthChallenge` call, only `DefineAuthChallenge`. So what I have now:
- I call `InitiateAuth` with the following body:

```json
{
  "AuthFlow": "CUSTOM_AUTH",
  "ClientId": "{{client_id}}",
  "AuthParameters": {
    "USERNAME": "{{username}}",
    "SECRET_HASH": "{{secret_hash}}"
  }
}
```
- The response of this call is:
```json
{
  "ChallengeName": "MY_AUTH",
  "ChallengeParameters": {
    "USERNAME": "59edb46e-...-8f74a7084057"
  },
  "Session": "AYABeC...jA_TyA"
}
```
- At the same time, in the logs I see only one Lambda call, with the following event as an argument:

```json
{
  "version": "1",
  "region": "me-south-1",
  "userPoolId": "me-south-1_...",
  "userName": "59edb46e-...-8f74a7084057",
  "callerContext": {
    "awsSdkVersion": "aws-sdk-unknown-unknown",
    "clientId": "44v...bp"
  },
  "triggerSource": "DefineAuthChallenge_Authentication",
  "request": {
    "userAttributes": {
      "sub": "59edb46e-...-8f74a7084057",
      "cognito:email_alias": "devops@example.com",
      "cognito:user_status": "CONFIRMED",
      "email_verified": "true",
      "email": "devops@example.com"
    },
    "session": [],
    "userNotFound": false
  },
  "response": {
    "challengeName": null,
    "issueTokens": null,
    "failAuthentication": null
  }
}
```
According to the docs, right after this event I should see the event for the `CreateAuthChallenge` trigger, but I see nothing.
The trigger that is called for those events has the following code:
```python
import json
import requests


def handler(event, context):
    print('### EVENT ###')
    print(json.dumps(event))
    source = event.get("triggerSource", "unknown")
    sessions = event.get("request", {}).get("session", [])

    if source == "DefineAuthChallenge_Authentication":
        event["response"]["issueTokens"] = False
        event["response"]["failAuthentication"] = True
        if len(sessions) == 0:
            # first round: ask for the custom challenge
            event["response"]["issueTokens"] = False
            event["response"]["challengeName"] = "MY_AUTH"
            event["response"]["failAuthentication"] = False
            print(json.dumps(event))
            return event
        if (len(sessions) == 1
                and sessions[0].get("challengeName", "") == "CUSTOM_CHALLENGE"
                and sessions[0].get("challengeResult", False)
                and sessions[0].get("challengeMetadata", "") == "MY_AUTH"):
            # the one custom challenge was answered correctly
            event["response"]["issueTokens"] = True
            event["response"]["failAuthentication"] = False
            print(json.dumps(event))
            return event
        print("unexpected sessions sequence: ", sessions)
        return event

    if source == "VerifyAuthChallengeResponse_Authentication":
        event["response"]["answerCorrect"] = False
        return event

    print("unexpected triggerSource: ", source)
    return event
```
Please advise what I can do to make Cognito call the `CreateAuthChallenge` trigger so that it passes the public and private data according to the docs.
Thanks!
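As an added illustration, not the asker's code or an AWS sample: the three custom-auth triggers written against the documented contract, where `DefineAuthChallenge` names the next step `CUSTOM_CHALLENGE` (the value Cognito requires before it invokes `CreateAuthChallenge`) and `CreateAuthChallenge` tags the round through `challengeMetadata`, followed by a constructed in-process simulation of one round so the session bookkeeping can be checked without a user pool. The six-digit code, the `MY_AUTH` tag and the `run_round` simulator are assumptions for the example.

```python
import hmac
import secrets

METADATA = "MY_AUTH"  # tag CreateAuthChallenge writes into each session entry

def define_auth_challenge(event):
    """Decide the next step from the session history Cognito passes in."""
    req, resp = event["request"], event["response"]
    session = req.get("session", [])
    if req.get("userNotFound") or len(session) > 3:
        resp.update(issueTokens=False, failAuthentication=True)
    elif not session:
        # Must be CUSTOM_CHALLENGE, otherwise Cognito never invokes CreateAuthChallenge
        resp.update(challengeName="CUSTOM_CHALLENGE", issueTokens=False, failAuthentication=False)
    elif (session[-1]["challengeName"] == "CUSTOM_CHALLENGE" and session[-1]["challengeResult"]
          and session[-1].get("challengeMetadata") == METADATA):
        resp.update(issueTokens=True, failAuthentication=False)
    else:
        resp.update(issueTokens=False, failAuthentication=True)
    return event

def create_auth_challenge(event, code=None):
    """Issue the one-time code: only the public parameters reach the client."""
    code = code or f"{secrets.randbelow(10**6):06d}"  # assumption: six-digit code
    event["response"].update(
        publicChallengeParameters={"email": event["request"]["userAttributes"]["email"]},
        privateChallengeParameters={"answer": code},
        challengeMetadata=METADATA)
    return event

def verify_auth_challenge_response(event):
    """Compare the client's answer with the private copy in constant time."""
    expected = event["request"]["privateChallengeParameters"]["answer"]
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, given)
    return event

def run_round(answer, code="123456"):
    """Constructed simulation of the three invocations Cognito makes for one round."""
    attrs = {"email": "devops@example.com"}
    mk = lambda **req: {"request": {"userAttributes": attrs, **req}, "response": {}}
    first = define_auth_challenge(mk(session=[], userNotFound=False))["response"]
    created = create_auth_challenge(mk(session=[]), code)["response"]
    verified = verify_auth_challenge_response(mk(
        privateChallengeParameters=created["privateChallengeParameters"], challengeAnswer=answer))["response"]
    history = [{"challengeName": first["challengeName"], "challengeResult": verified["answerCorrect"],
                "challengeMetadata": created["challengeMetadata"]}]
    return define_auth_challenge(mk(session=history, userNotFound=False))["response"]
```

In a real deployment each function is wired to its own trigger (or dispatched on `triggerSource`), and the code in `privateChallengeParameters` is delivered to the user out of band by the sender you already have.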