Comments (7)
@efimenkop Thanks for your reply. Please advise if it would be possible for you to test the extracted code for your scenario and, if it works, maybe submit a PR to refactor the existing code as a contribution.
from aws-sdk-net-extensions-cognito.
Hi @efimenkop,
Good morning.
Thanks for posting the guidance question.
For CognitoUser.StartWithSrpAuthAsync(), the logic seems to automatically create a RespondToAuthChallengeRequest and respond to the auth challenge. And you are right: for this scenario, the library calculates the values for the properties PASSWORD_CLAIM_SECRET_BLOCK and PASSWORD_CLAIM_SIGNATURE internally.
For your case, you could take some cues from CreateSrpPasswordVerifierAuthRequest on how PASSWORD_CLAIM_SECRET_BLOCK and PASSWORD_CLAIM_SIGNATURE are calculated.
Thanks,
Ashish
Hello, @ashishdhingra!
Maybe it's worth making CreateSrpPasswordVerifierAuthRequest public (or exposing the logic for creating PASSWORD_CLAIM_SECRET_BLOCK and PASSWORD_CLAIM_SIGNATURE in some other way)?
Otherwise I have to copy-paste a big piece of the library's logic.
This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
⚠️ COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
This should not be closed @efimenkop. It is still a problem to implement the custom flow with SRP. Even copy-pasting a lot of the code still gives an error: Amazon.CognitoIdentityProvider.Model.NotAuthorizedException: "Incorrect username or password".
After 6 hours of debugging I can't find any mistakes. The normal SRP flow is working as expected; custom + SRP is not.
It's funny because it is even one of the scenarios described in the official documentation:
But the SDK fails to use SRP on custom authentication flows.
I get:
I came here looking for a .NET solution to integrate the email MFA I set up from this guide
Which is very similar to the OP.
I have a solution that integrates with the above custom authentication implementation if anyone is interested.
I included a new property IsCustomAuthFlow in the class InitiateSrpAuthRequest:
```csharp
/// <summary>
/// Class containing the necessary properties to initiate SRP authentication flow
/// </summary>
public class InitiateSrpAuthRequest
{
    /// <summary>
    /// The password for the corresponding CognitoUser.
    /// </summary>
    public string Password { get; set; }

    /// <summary>
    /// The password for the device associated with the corresponding CognitoUser
    /// </summary>
    public string DevicePass { get; set; }

    /// <summary>
    /// The device password verifier for the device associated with the corresponding CognitoUser
    /// </summary>
    public string DeviceVerifier { get; set; }

    /// <summary>
    /// The Device Key Group for the device associated with the corresponding CognitoUser
    /// </summary>
    public string DeviceGroupKey { get; set; }

    /// <summary>
    /// Use the custom auth flow (CUSTOM_AUTH with CHALLENGE_NAME=SRP_A) with this SRP request
    /// </summary>
    public bool IsCustomAuthFlow { get; set; }
}
```
I then modified the method StartWithSrpAuthAsync on class CognitoUser to set the AuthFlow to CUSTOM_AUTH and included an AuthParameter of CHALLENGE_NAME = SRP_A on the initiateRequest, when the new property IsCustomAuthFlow is true.
```csharp
/// <summary>
/// Initiates the asynchronous SRP authentication flow
/// </summary>
/// <param name="srpRequest">InitiateSrpAuthRequest object containing the necessary parameters to
/// create an InitiateAuthAsync API call for SRP authentication</param>
/// <returns>Returns the AuthFlowResponse object that can be used to respond to the next challenge,
/// if one exists</returns>
public virtual async Task<AuthFlowResponse> StartWithSrpAuthAsync(InitiateSrpAuthRequest srpRequest)
{
    if (srpRequest == null || string.IsNullOrEmpty(srpRequest.Password))
    {
        // ArgumentNullException takes (paramName, message); the original had them swapped
        throw new ArgumentNullException(nameof(srpRequest), "Password required for authentication.");
    }

    Tuple<BigInteger, BigInteger> tupleAa = AuthenticationHelper.CreateAaTuple();
    InitiateAuthRequest initiateRequest = CreateSrpAuthRequest(tupleAa);

    // Switch the InitiateAuth call to CUSTOM_AUTH and tell the custom-auth Lambda
    // that the client wants to start with an SRP_A challenge
    if (srpRequest.IsCustomAuthFlow)
    {
        initiateRequest.AuthFlow = AuthFlowType.CUSTOM_AUTH;
        initiateRequest.AuthParameters.Add("CHALLENGE_NAME", "SRP_A");
    }

    InitiateAuthResponse initiateResponse = await Provider.InitiateAuthAsync(initiateRequest).ConfigureAwait(false);
    UpdateUsernameAndSecretHash(initiateResponse.ChallengeParameters);

    // The library computes PASSWORD_CLAIM_SECRET_BLOCK and PASSWORD_CLAIM_SIGNATURE here
    RespondToAuthChallengeRequest challengeRequest =
        CreateSrpPasswordVerifierAuthRequest(initiateResponse, srpRequest.Password, tupleAa);

    bool challengeResponsesValid = challengeRequest != null && challengeRequest.ChallengeResponses != null;
    bool deviceKeyValid = Device != null && !string.IsNullOrEmpty(Device.DeviceKey);
    if (challengeResponsesValid && deviceKeyValid)
    {
        challengeRequest.ChallengeResponses[CognitoConstants.ChlgParamDeviceKey] = Device.DeviceKey;
    }

    RespondToAuthChallengeResponse verifierResponse =
        await Provider.RespondToAuthChallengeAsync(challengeRequest).ConfigureAwait(false);

    var isDeviceAuthRequest = verifierResponse.AuthenticationResult == null && (!string.IsNullOrEmpty(srpRequest.DeviceGroupKey)
        || !string.IsNullOrEmpty(srpRequest.DevicePass));

    #region Device-level authentication
    if (isDeviceAuthRequest)
    {
        if (string.IsNullOrEmpty(srpRequest.DeviceGroupKey) || string.IsNullOrEmpty(srpRequest.DevicePass))
        {
            throw new ArgumentNullException(nameof(srpRequest), "Device Group Key and Device Pass required for authentication.");
        }

        #region Device SRP Auth
        var deviceAuthRequest = CreateDeviceSrpAuthRequest(verifierResponse, tupleAa);
        var deviceAuthResponse = await Provider.RespondToAuthChallengeAsync(deviceAuthRequest).ConfigureAwait(false);
        #endregion

        #region Device Password Verifier
        var devicePasswordChallengeRequest = CreateDevicePasswordVerifierAuthRequest(deviceAuthResponse, srpRequest.DeviceGroupKey, srpRequest.DevicePass, tupleAa);
        verifierResponse = await Provider.RespondToAuthChallengeAsync(devicePasswordChallengeRequest).ConfigureAwait(false);
        #endregion
    }
    #endregion

    UpdateSessionIfAuthenticationComplete(verifierResponse.ChallengeName, verifierResponse.AuthenticationResult);

    return new AuthFlowResponse(verifierResponse.Session,
        verifierResponse.AuthenticationResult,
        verifierResponse.ChallengeName,
        verifierResponse.ChallengeParameters,
        new Dictionary<string, string>(verifierResponse.ResponseMetadata.Metadata));
}
```
Inside your code you will need to respond to the custom auth with a response like the following:
```csharp
// authenticationCode: the code the user received (the email MFA code in this setup)
// userName: the Cognito username; sessionID: AuthFlowResponse.SessionID returned by StartWithSrpAuthAsync
// user: the CognitoUser the flow was started on
var challengeResponses = new Dictionary<string, string>();
challengeResponses.Add("ANSWER", authenticationCode);
challengeResponses.Add("USERNAME", userName);
var request = new RespondToCustomChallengeRequest()
{
    ChallengeParameters = challengeResponses,
    SessionID = sessionID
};
// The returned AuthFlowResponse carries the tokens once the custom Lambda accepts the answer
AuthFlowResponse response = await user.RespondToCustomAuthAsync(request).ConfigureAwait(false);
```
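End-to-end use of the modified flow, as an added example that is not the library's own code or part of the comment above. It assumes the IsCustomAuthFlow property and the StartWithSrpAuthAsync change shown above are applied, placeholder pool and client ids, the us-east-1 region, and a caller-supplied promptForAnswer callback that obtains the code from the user.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;

public static class CustomSrpFlowExample
{
    // Placeholders: replace with your own user pool and app client values.
    const string PoolId = "<POOL_ID>";
    const string ClientId = "<APP_CLIENT_ID>";
    const string ClientSecret = null; // set only if the app client has a secret

    public static async Task<CognitoUser> SignInAsync(string username, string password,
        Func<IDictionary<string, string>, Task<string>> promptForAnswer)
    {
        // Anonymous credentials suffice: InitiateAuth/RespondToAuthChallenge are unauthenticated calls.
        var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), RegionEndpoint.USEast1);
        var pool = new CognitoUserPool(PoolId, ClientId, provider, ClientSecret);
        var user = new CognitoUser(username, ClientId, pool, provider, ClientSecret);

        // Round 0: CUSTOM_AUTH with CHALLENGE_NAME=SRP_A; the modified library answers
        // the PASSWORD_VERIFIER challenge itself, so the password never leaves the client.
        AuthFlowResponse auth = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest
        {
            Password = password,
            IsCustomAuthFlow = true, // property added in the comment above
        }).ConfigureAwait(false);

        // Later rounds: answer CUSTOM_CHALLENGE until tokens arrive. The loop is bounded so a
        // misconfigured challenge Lambda cannot keep the client answering forever.
        for (int round = 1; auth.AuthenticationResult == null; round++)
        {
            if (round > 3 || auth.ChallengeName != ChallengeNameType.CUSTOM_CHALLENGE)
                throw new InvalidOperationException($"Unexpected challenge {auth.ChallengeName} in round {round}");

            string answer = await promptForAnswer(auth.ChallengeParameters).ConfigureAwait(false);
            auth = await user.RespondToCustomAuthAsync(new RespondToCustomChallengeRequest
            {
                SessionID = auth.SessionID,
                ChallengeParameters = new Dictionary<string, string> { ["USERNAME"] = username, ["ANSWER"] = answer },
            }).ConfigureAwait(false);
        }

        // user.SessionTokens now holds the Id, Access and Refresh tokens.
        return user;
    }
}
```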