
process_challenge() raises NotAuthorizedException when signing in with alias from clients with secret

Open dmder opened this issue 8 years ago • 2 comments

https://github.com/capless/warrant/blob/60b9cc0f7ccd4a9a37dc93b1bf6bdc3705981149/warrant/aws_srp.py#L199

This results in an error botocore.errorfactory.NotAuthorizedException: ... Unable to verify secret hash for client <client_id> if a user is trying to authenticate using not the ultimate username, but an alias (such as email, phone_number or preferred_username).

It seems that AWS Cognito always compares SECRET_HASH against the one calculated based on the ultimate username, regardless of whether an alias was used to initiate the login or not.

Modifying it to self.get_secret_hash(user_id_for_srp, self.client_id, self.client_secret) seems to resolve the issue.

dmder, Nov 28 '17 14:11
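The mismatch described in the report above, as an added example that is not part of the original issue or of warrant's code: it computes SECRET_HASH as Base64(HMAC-SHA256(client secret, username + client id)) once over the alias the user typed and once over USER_ID_FOR_SRP from the challenge. The `service_accepts` function is a hypothetical stand-in modelling the server-side comparison as the reporter describes it, and all client ids, secrets and usernames are constructed sample values.

```python
import base64
import hashlib
import hmac


def get_secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.standard_b64encode(digest).decode("utf-8")


def challenge_secret_hash(login_name, challenge_parameters, client_id,
                          client_secret, use_srp_user_id=True):
    """Choose the name that is hashed for the challenge response.

    use_srp_user_id=False hashes whatever the user typed (the reported
    behaviour); True hashes USER_ID_FOR_SRP (the reporter's proposed change).
    """
    name = (challenge_parameters["USER_ID_FOR_SRP"]
            if use_srp_user_id else login_name)
    return get_secret_hash(name, client_id, client_secret)


def service_accepts(secret_hash, canonical_username, client_id, client_secret):
    """Hypothetical model of the check: compare against the hash over the
    ultimate username, whatever name started the login."""
    expected = get_secret_hash(canonical_username, client_id, client_secret)
    return hmac.compare_digest(secret_hash, expected)


# Constructed sample values, not real credentials.
CLIENT_ID = "exampleclientid123"
CLIENT_SECRET = "example-client-secret"
CANONICAL = "jdoe"
CHALLENGE = {"USER_ID_FOR_SRP": CANONICAL}


def try_login(login_name, use_srp_user_id):
    """Return True if the modelled service would accept the response."""
    h = challenge_secret_hash(login_name, CHALLENGE, CLIENT_ID,
                              CLIENT_SECRET, use_srp_user_id)
    return service_accepts(h, CANONICAL, CLIENT_ID, CLIENT_SECRET)


if __name__ == "__main__":
    for name in (CANONICAL, "jdoe@example.com"):
        for fixed in (False, True):
            print(name, "fixed" if fixed else "reported", try_login(name, fixed))
```
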

@armicron is this what was fixed in #75 ?

bjinwright, Dec 11 '17 17:12

@bjinwright no

armicron, Dec 11 '17 20:12