
Way to verify username and password of user in aws cognito using adminInitiateAuth() method

Open chintu11 opened this issue 3 years ago • 2 comments

Requirement: The code below has 2 functions. The 1st verifies the username and password of the user and, if it is true, triggers an OTP via SMS (default behavior of AWS as 2-factor authentication is enabled). But we do not want the OTP in SMS. We want the OTP in email with a custom template, so we implemented the 2nd function with AuthFlow: 'CUSTOM_AUTH' (and the 2nd method works as expected). We do not want the OTP to be triggered in SMS (but we also cannot disable 2-factor auth because it is used in other use cases). Also, we only need a solution using aws-sdk. There are ways using Amplify and other libraries, but they are not useful in case an app client secret is present.

const AWS = require('aws-sdk');
const crypto = require('crypto');

const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

async function login(tenant, tenantId, username, password, secrets) {
    // SECRET_HASH is mandatory when the app client has a client secret:
    // Base64(HMAC-SHA256(clientSecret, username + clientId))
    const secretHash = crypto.createHmac('SHA256', tenant.cognitoClientSecret)
        .update(username + tenant.cognitoClientId)
        .digest('base64');

    // verify username, password and send code in SMS
    const response0 = await cognitoIdentityServiceProvider.adminInitiateAuth({
        AuthFlow: 'ADMIN_NO_SRP_AUTH',
        ClientId: tenant.cognitoClientId,
        UserPoolId: tenant.cognitoUserPool,
        AuthParameters: {
            SECRET_HASH: secretHash,
            USERNAME: username,
            PASSWORD: password
        }
    }).promise();

    // send code to email using custom auth flow
    const response1 = await cognitoIdentityServiceProvider.adminInitiateAuth({
        AuthFlow: 'CUSTOM_AUTH',
        ClientId: tenant.cognitoClientId,
        UserPoolId: tenant.cognitoUserPool,
        AuthParameters: {
            SECRET_HASH: secretHash,
            USERNAME: username,
            PASSWORD: tenantId + secrets.PASSWORD_SECRET
        }
    }).promise();

    return { response0, response1 };
}

We need a solution where we can check the username and password using AuthFlow: 'CUSTOM_AUTH' (we can change the Lambda triggers), or any other way where the OTP is not triggered and we are still able to check the username and password correctly.

chintu11, Nov 22 '22 06:11

Transferred issue to AWS SDK for JS repo for initial triage. Most likely this is a Q&A discussion.

ashishdhingra, Mar 27 '24 18:03

Hi there - apologies for the long wait.

Your case is unique and very specific, which is why I reached out to the service team to get more insights from them. I'll post an update as soon as I hear back.

P127469405

aBurmeseDev, Apr 23 '24 23:04

Hi there - I had previously contacted the service team regarding this issue, but I haven't received a response yet.

As there are no pending action items for the SDK team, and this repository is dedicated solely to SDK-related issues, I will close this case. Please feel free to contact the service team directly through AWS Support for further assistance and updates on this matter.

aBurmeseDev, Aug 21 '24 05:08

I just heard back from a service team member and here's the response:

Customer should not mix use of CUSTOM_AUTH with other regular auth flows such as ADMIN_NO_SRP_AUTH. They should just start by calling the first function with CUSTOM_AUTH. And if it is CUSTOM_AUTH, they can return the PASSWORD_VERIFIER challenge to request that Cognito do the password check. However, if they do not want Cognito's native MFA, they still need to turn off MFA and implement MFA within the CUSTOM_AUTH flow. Please refer to this document: https://aws.amazon.com/blogs/security/how-to-configure-duo-multi-factor-authentication-with-amazon-cognito

aBurmeseDev, Sep 03 '24 22:09
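An added example of the Define Auth Challenge Lambda trigger the service team's answer describes (not code from this issue or from the SDK): the CUSTOM_AUTH session first returns PASSWORD_VERIFIER so Cognito checks the password itself, then a CUSTOM_CHALLENGE for the email OTP, and tokens are issued only after both succeed. It assumes the client starts CUSTOM_AUTH with the SRP_A step, and the three-attempt OTP limit and handler names are choices of this example.

```javascript
// Define Auth Challenge trigger for a CUSTOM_AUTH flow (added example).
// Assumption: the client starts CUSTOM_AUTH with CHALLENGE_NAME=SRP_A so
// Cognito's native PASSWORD_VERIFIER step checks the password before any
// custom (email OTP) challenge runs. No SMS MFA is involved in this flow.
const MAX_OTP_ATTEMPTS = 3; // constructed limit for this example, not a Cognito setting

function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = { issueTokens: false, failAuthentication: false, challengeName: undefined };

  // Count wrong OTP answers so far in this session (each is a CUSTOM_CHALLENGE entry).
  const otpFailures = session.filter(
    (s) => s.challengeName === 'CUSTOM_CHALLENGE' && s.challengeResult === false
  ).length;

  if (session.length === 1 && last.challengeName === 'SRP_A') {
    // Step 1: ask Cognito to verify the password natively.
    res.challengeName = 'PASSWORD_VERIFIER';
  } else if (last && last.challengeName === 'PASSWORD_VERIFIER' && last.challengeResult === true) {
    // Step 2: password correct, now run the custom email-OTP challenge.
    res.challengeName = 'CUSTOM_CHALLENGE';
  } else if (last && last.challengeName === 'CUSTOM_CHALLENGE' && last.challengeResult === true) {
    // Step 3: OTP correct, issue tokens.
    res.issueTokens = true;
  } else if (last && last.challengeName === 'CUSTOM_CHALLENGE' && otpFailures < MAX_OTP_ATTEMPTS) {
    // Wrong OTP but attempts remain: present the custom challenge again.
    res.challengeName = 'CUSTOM_CHALLENGE';
  } else {
    // Wrong password, too many OTP failures, or an unexpected session: fail closed.
    res.failAuthentication = true;
  }

  event.response = { ...event.response, ...res };
  return event;
}

// Lambda entry point; the export name is an assumption of this example.
const handler = async (event) => defineAuthChallenge(event);
if (typeof module !== 'undefined') module.exports = { handler, defineAuthChallenge };
```

The matching Create Auth Challenge and Verify Auth Challenge Response triggers generate the email OTP and compare the user's answer; this trigger only decides the order of steps and when to stop.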