
AWS Cognito - Login with Custom Auth & SRP Bug


The documentation to use Custom Auth in addition to SRP Authentication as linked below https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow

says that : "If Amazon Cognito verifies the password, RespondToAuthChallenge invokes the DefineAuthChallenge Lambda trigger with a second session of challengeName: PASSWORD_VERIFIER and challengeResult: true."

This does not seem to be working. Is this a bug in Cognito?

Steps to reproduce

  1. Start the initiateAuth as below
{
    "AuthFlow": "CUSTOM_AUTH",
    "ClientId": "{{clientId}}",
    "AuthParameters": {
        "CHALLENGE_NAME": "SRP_A",
        "USERNAME": "{{email}}",
        "SRP_A": "{{srpAValue}}"
    }
}
  2. Respond to the Auth Challenge (note the comma after USERNAME, which was missing in the original snippet)
ClientId: '{{clientId}}',
ChallengeName: 'PASSWORD_VERIFIER',
ChallengeResponses: {
    SECRET_HASH: "{{secretHash}}",
    USERNAME: "{{username}}",
    PASSWORD_CLAIM_SECRET_BLOCK: "{{PASSWORD_CLAIM_SECRET_BLOCK}}",
    PASSWORD_CLAIM_SIGNATURE: "{{PASSWORD_CLAIM_SIGNATURE}}",
    SRP_A: "{{SRP_A}}",
    TIMESTAMP: "{{TIMESTAMP}}"
}

Actual Behavior: The response to step 4 is that Cognito issues tokens. Expected Behavior: Cognito has to call the Define Auth Challenge as defined in the docs.

Additional Info: I am logging the raw event in the Define Auth Challenge to check if Cognito actually calls the lambda function after password verification. But it does not and returns tokens to the user.

Previously, I had SMS MFA enabled; even after disabling it, the behaviour remains the same.

Anyone with any info and help here is appreciated.

Kind Regards, SS

asked a year ago, 310 views
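For reference, this is what a DefineAuthChallenge trigger for the flow described in the question looks like. It is an added example, not code from the question or from AWS; it follows the documented session shape (an array of {challengeName, challengeResult} entries) and treats the second invocation, with PASSWORD_VERIFIER and challengeResult true, as the hand-off to CUSTOM_CHALLENGE rather than as a reason to issue tokens. MAX_CUSTOM_ROUNDS is an assumed policy value.

```javascript
'use strict';

const MAX_CUSTOM_ROUNDS = 3; // assumed: how many CUSTOM_CHALLENGE attempts to allow

// Pure decision function so the outcome can be checked without a Lambda runtime.
// Returns the fields Cognito reads from event.response.
function decideNextChallenge(session, userNotFound) {
  const deny = { issueTokens: false, failAuthentication: true };
  if (userNotFound) return deny;             // same answer for unknown users: no enumeration
  const last = session[session.length - 1];
  if (!last) return deny;                     // Cognito always supplies at least one entry

  // 1) After InitiateAuth(CUSTOM_AUTH, CHALLENGE_NAME=SRP_A): ask for the SRP password proof.
  if (session.length === 1 && last.challengeName === 'SRP_A' && last.challengeResult === true) {
    return { issueTokens: false, failAuthentication: false, challengeName: 'PASSWORD_VERIFIER' };
  }
  // 2) Cognito verified the password: the invocation the question expects.
  //    Tokens are withheld; the custom challenge runs next.
  if (session.length === 2 && last.challengeName === 'PASSWORD_VERIFIER' && last.challengeResult === true) {
    return { issueTokens: false, failAuthentication: false, challengeName: 'CUSTOM_CHALLENGE' };
  }
  // 3) Custom challenge rounds: tokens only once VerifyAuthChallengeResponse reported success.
  if (last.challengeName === 'CUSTOM_CHALLENGE') {
    if (last.challengeResult === true) return { issueTokens: true, failAuthentication: false };
    const rounds = session.filter(s => s.challengeName === 'CUSTOM_CHALLENGE').length;
    if (rounds < MAX_CUSTOM_ROUNDS) {
      return { issueTokens: false, failAuthentication: false, challengeName: 'CUSTOM_CHALLENGE' };
    }
  }
  // Wrong password, exhausted retries or an unexpected order: fail closed.
  return deny;
}

// Lambda entry point: logs the raw session (as the question does) and fills event.response.
async function handler(event) {
  console.log('DefineAuthChallenge session:', JSON.stringify(event.request.session));
  const decision = decideNextChallenge(event.request.session || [], event.request.userNotFound === true);
  Object.assign(event.response, decision);
  return event;
}

if (typeof module !== 'undefined') module.exports = { handler, decideNextChallenge, MAX_CUSTOM_ROUNDS };
```

If the trigger is never invoked with the two-entry session, the CloudWatch log line above will simply be absent, which is the check the question relies on.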
1 Answer

Thank you for providing detailed information about the issue you're experiencing with Amazon Cognito's custom authentication flow and SRP (Secure Remote Password) authentication. Based on the information you've provided and the expected behavior described in the documentation, it does appear that there might be a discrepancy between the documented behavior and what you're observing.

The expected behavior, as per the documentation, is that after Amazon Cognito verifies the password using SRP, it should invoke the DefineAuthChallenge Lambda trigger with a second session of challengeName: PASSWORD_VERIFIER and challengeResult: true. However, you're observing that Cognito is directly issuing tokens instead of calling the DefineAuthChallenge Lambda function.

This behavior is indeed unexpected and could potentially be a bug in the Cognito service. However, before concluding that it's definitely a bug, there are a few things you might want to consider or try:

  1. Double-check that your Lambda function for DefineAuthChallenge is correctly configured and associated with your Cognito User Pool.

  2. Ensure that the CUSTOM_AUTH flow is properly set up for your app client in the Cognito User Pool settings.

  3. Verify that there are no recent changes in your Cognito configuration that might have affected this behavior.

  4. Try creating a new User Pool and app client with the same configuration to see if the issue persists.

  5. Check if there are any error messages or unexpected entries in your CloudWatch logs related to the authentication flow or Lambda invocation.

If after these checks the issue still persists, it would be advisable to contact AWS Support. They can investigate further and confirm if this is indeed a bug in the Cognito service. When contacting support, provide them with the detailed steps to reproduce the issue that you've outlined, along with any relevant logs and configuration details.

It's worth noting that Amazon Cognito's advanced security features have been enhanced to cover custom authentication flows, so there might be some changes or updates in the authentication process that are not yet reflected in the documentation.

In the meantime, if you need to implement additional challenges after SRP authentication, you might need to explore alternative approaches or workarounds until this issue is resolved.
Sources
User pool authentication flow - Amazon Cognito
Adding threat detection to custom authentication flow with Amazon Cognito advanced security features | AWS Security Blog
Amazon Cognito enhances Advanced Security Features (ASF) to detect additional risks and to cover custom authentication flows - AWS

answered a year ago
