
Enabling MFA for interactive login, disable for noninteractive


Hi, I have one user pool and I enabled "Require MFA" for the sign-in process. It works great for interactive processes like signing in to the web app.

Besides that, my app also has a REST API, where I implemented a login endpoint. My code uses boto3 to validate the provided user credentials and returns access/refresh tokens from AWS (using the same user pool as for the interactive process). Anyway, once I switch to "Require MFA", this strategy can't be used anymore, since REST API access is now also protected by MFA and I need to provide additional authentication (here, in a noninteractive process, where some machine tries to reach the API in the name of a user).

Is there any way to solve this, please? The ideal solution for me would be to have 2 different app clients, one with MFA enabled and the second with it disabled. But unless I'm missing some detail, that's not possible, since MFA can be configured for the user pool only. I found there are many Lambda triggers involved in the whole process, so maybe I can use those? Is it possible, for some cases (like requesting tokens from the REST API login endpoint), to completely skip MFA?

Thank you for any tip.

3 Answers

Hello.

If you only have one user pool, I think you need to set MFA to optional.
As you know, Cognito's MFA is tied to the user pool, so I don't think it can be configured for each app client.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html

answered 2 years ago
reviewed by AWS 2 years ago

I appear to be missing context. You stated:

My code use boto3 to validate provided user credentials

I assume your login code does not have each user's password. Typically computer access uses assume-role and tokens that do not directly access a user's credentials. Can you share a tad more about what you are trying to do?

In my case I use AWS Identity Center, which asks for MFA and then does an assume-role in boto3. The assume-role knows which user logged in. I am not using Cognito. So in your case you have a different requirement.

answered 2 years ago

I assume your login code does not have each user's password.

You are right, there are no user passwords stored anywhere in the app.

We need to provide a REST API to users and arrange somehow that they will see only the content relevant to them. So we have a /login/ API endpoint, where the user sends their own credentials; those are used together with the client id/secret and the boto3 initiate_auth method to get tokens from the Cognito service, and those tokens are returned to the user. Every following request uses the received access_token in an HTTP header. This is decoded in the application, so we know who is accessing the resource and we can return data relevant to the given person only.

Probably I confused you with my note about "...noninteractive process, where some machine tries to reach API..". I know that some of the users will use it this way, so we need to find a solution without any interactivity.

Thank you for your comment.

answered 2 years ago
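To make the shape of the problem concrete, here is an added example (not code from the original question or from any of the answers) of what the /login/ endpoint described above has to handle once "Require MFA" is on for the pool: initiate_auth with USER_PASSWORD_AUTH no longer returns tokens but a SOFTWARE_TOKEN_MFA (or SMS_MFA) challenge plus a Session, so a non-interactive caller has to supply a second factor on a follow-up respond_to_auth_challenge call, and a user who has not enrolled a device gets MFA_SETUP instead. The SECRET_HASH computation is the one Cognito requires for app clients that have a client secret. The FakeCognito class, the user "alice", the client id "cid" and the six-digit code are constructed for the example so it runs offline; a real boto3.client("cognito-idp") can be passed in its place, since only the two method names and response shapes are used.

```python
"""Login-endpoint logic for a Cognito user pool that has "Require MFA" enabled.
Added example; not the original poster's code."""
import base64
import hashlib
import hmac


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH Cognito expects when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def login(cognito, client_id, client_secret, username, password, mfa_code=None):
    """Run USER_PASSWORD_AUTH and, if the pool demands MFA, the follow-up challenge.
    Returns a dict the REST endpoint can serialise:
      {"status": "ok", "tokens": {...}}                      tokens were issued
      {"status": "mfa_required", "challenge": ..., "session": ...}
                                                            caller must retry with mfa_code
      {"status": "mfa_setup_required"}                      user has no MFA device enrolled
    Wrong password / wrong code exceptions from the client propagate unchanged;
    the endpoint should map them all to one generic 401 (do not reveal which step failed).
    """
    sh = secret_hash(username, client_id, client_secret)
    resp = cognito.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH",
        ClientId=client_id,
        AuthParameters={"USERNAME": username, "PASSWORD": password, "SECRET_HASH": sh},
    )
    if "AuthenticationResult" in resp:          # MFA optional and user not enrolled
        return {"status": "ok", "tokens": resp["AuthenticationResult"]}

    challenge = resp.get("ChallengeName")
    if challenge == "MFA_SETUP":
        return {"status": "mfa_setup_required"}
    if challenge not in ("SOFTWARE_TOKEN_MFA", "SMS_MFA"):
        return {"status": "unsupported_challenge", "challenge": challenge}
    if mfa_code is None:                        # first round: tell the machine client what to send
        return {"status": "mfa_required", "challenge": challenge, "session": resp["Session"]}

    code_key = "SOFTWARE_TOKEN_MFA_CODE" if challenge == "SOFTWARE_TOKEN_MFA" else "SMS_MFA_CODE"
    resp2 = cognito.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName=challenge,
        Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, code_key: mfa_code, "SECRET_HASH": sh},
    )
    if "AuthenticationResult" in resp2:
        return {"status": "ok", "tokens": resp2["AuthenticationResult"]}
    return {"status": "unsupported_challenge", "challenge": resp2.get("ChallengeName")}


class FakeCognito:
    """Constructed stand-in for boto3.client("cognito-idp") that mimics the real
    response shapes. mfa="required" behaves like a pool with "Require MFA";
    mfa="off" behaves like MFA optional with a user who has not enrolled."""
    VALID_USER = ("alice", "correct horse battery")   # constructed credentials
    TOTP = "123456"                                   # constructed TOTP code
    TOKENS = {"AccessToken": "eyJ.fake.access", "RefreshToken": "fake-refresh", "ExpiresIn": 3600}

    def __init__(self, mfa="required"):
        self.mfa = mfa

    def initiate_auth(self, AuthFlow, ClientId, AuthParameters):
        assert AuthFlow == "USER_PASSWORD_AUTH"
        if (AuthParameters["USERNAME"], AuthParameters["PASSWORD"]) != self.VALID_USER:
            raise PermissionError("NotAuthorizedException")   # real client raises its own exception class
        if self.mfa == "required":
            return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "sess-1", "ChallengeParameters": {}}
        return {"AuthenticationResult": dict(self.TOKENS)}

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        if Session == "sess-1" and ChallengeResponses.get("SOFTWARE_TOKEN_MFA_CODE") == self.TOTP:
            return {"AuthenticationResult": dict(self.TOKENS)}
        raise PermissionError("CodeMismatchException")


if __name__ == "__main__":
    pool = FakeCognito("required")
    print(login(pool, "cid", "sec", "alice", "correct horse battery"))
    print(login(pool, "cid", "sec", "alice", "correct horse battery", mfa_code="123456"))
    print(login(FakeCognito("off"), "cid", "sec", "alice", "correct horse battery"))
```

The point the example makes is that with "Require MFA" on the pool there is no app-client setting that turns the challenge off for the API path; the endpoint either has to carry the second factor through two rounds (which a machine caller can only do if it holds the TOTP seed, defeating the purpose) or the pool has to be set to optional MFA, as the first answer suggests.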
