Alright. Here is a major footgunnery, found after 1 week of headscratching:

After initiating auth with `USER_SRP_AUTH`, Cognito will respond with `PASSWORD_VERIFIER`; the `response.ChallengeParameters` will include `USERNAME` and `USERNAME_FOR_SRP`.

For me, both have the same value. Probably because I just use email. Anyways, I didn't use those values, and simply used `USERNAME: <email>` in the next `RespondToAuthChallenge`.

This `USERNAME` (or `USERNAME_FOR_SRP`?) returned by the `PASSWORD_VERIFIER`/`DEVICE_PASSWORD_VERIFIER` must be used as the `USERNAME` in the successive `RespondToAuthChallenge`.

If it is not used, the tokens will still be issued (!), but it will not be possible to call the `ConfirmDevice` API.

I am a bit surprised that the error messages were not more helpful though, and also surprised that I could still pass the MFA challenge by using email/username (GUID) interchangeably.

Question now is:
- Why does Cognito allow using `email` as `USERNAME` in `RespondToAuthChallenge{challengeName: SOFTWARE_TOKEN_MFA}`? Shouldn't an error be returned instead?
- Since it doesn't fail, why does Cognito return `NewDeviceMetadata` when using `email` as `USERNAME`, but doesn't allow `ConfirmDevice`?
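The pitfall described in the post is that the username Cognito hands back in `ChallengeParameters` is dropped and the sign-in email is re-sent instead. The following is an added example (not the poster's code and not an AWS SDK) showing one way to carry the challenge-issued `USERNAME` through the chain and to refuse a mismatching caller-supplied value up front, rather than discovering the problem later when `ConfirmDevice` fails. The response dictionaries are constructed to mirror the shape boto3 returns for `InitiateAuth`/`RespondToAuthChallenge` (`ChallengeName`, `Session`, `ChallengeParameters`); the GUID, session string and SRP placeholder values are made up, and nothing here calls AWS.

```python
"""Carry the challenge-issued USERNAME through a Cognito SRP challenge chain.

Added example, not from the original post: it mirrors the shape of boto3's
InitiateAuth / RespondToAuthChallenge responses so the logic runs offline.
"""
from typing import Dict, Optional

# Constructed sample value: the user-pool GUID Cognito returns for a user who
# signed in with an email alias (placeholder, not a real pool value).
SAMPLE_GUID = "00000000-0000-4000-8000-000000000000"
SAMPLE_EMAIL = "alice@example.com"

# Constructed sample of the response to InitiateAuth(AuthFlow=USER_SRP_AUTH).
# SALT/SRP_B/SECRET_BLOCK are placeholders; only the USERNAME fields matter here.
SAMPLE_PASSWORD_VERIFIER_RESPONSE: Dict = {
    "ChallengeName": "PASSWORD_VERIFIER",
    "Session": "session-placeholder-1",
    "ChallengeParameters": {
        "USERNAME": SAMPLE_GUID,
        "USERNAME_FOR_SRP": SAMPLE_GUID,
        "USER_ID_FOR_SRP": SAMPLE_GUID,
        "SALT": "placeholder-salt",
        "SRP_B": "placeholder-srp-b",
        "SECRET_BLOCK": "placeholder-secret-block",
    },
}

# Constructed sample of the follow-up challenge after PASSWORD_VERIFIER succeeds.
SAMPLE_MFA_CHALLENGE_RESPONSE: Dict = {
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "Session": "session-placeholder-2",
    "ChallengeParameters": {"USERNAME": SAMPLE_GUID},
}


class ChallengeUsernameMismatch(Exception):
    """The caller wants to answer with a username that differs from the one
    Cognito returned in ChallengeParameters (e.g. email instead of the GUID)."""


def username_for_next_challenge(previous_response: Dict, fallback_username: str) -> str:
    """Return the USERNAME to send in the next RespondToAuthChallenge.

    Prefer ChallengeParameters.USERNAME, then USERNAME_FOR_SRP; fall back to
    the caller-supplied value only when the previous response carries neither
    (there is no previous challenge before the first InitiateAuth).
    """
    params = previous_response.get("ChallengeParameters") or {}
    return params.get("USERNAME") or params.get("USERNAME_FOR_SRP") or fallback_username


def build_respond_to_auth_challenge(
    previous_response: Dict,
    challenge_name: str,
    answers: Dict[str, str],
    requested_username: Optional[str] = None,
) -> Dict:
    """Assemble the keyword arguments for a RespondToAuthChallenge call.

    `answers` holds the challenge-specific fields (e.g. SOFTWARE_TOKEN_MFA_CODE,
    or the PASSWORD_CLAIM_* fields for PASSWORD_VERIFIER). USERNAME is always
    taken from the previous challenge response. If the caller explicitly asks
    for a different username, raise instead of sending it: Cognito would still
    issue tokens, but the later ConfirmDevice call would fail.
    """
    username = username_for_next_challenge(previous_response, requested_username or "")
    if requested_username and requested_username != username:
        raise ChallengeUsernameMismatch(
            f"challenge returned USERNAME {username!r}, refusing to answer as {requested_username!r}"
        )
    return {
        "ChallengeName": challenge_name,
        "Session": previous_response["Session"],
        "ChallengeResponses": {"USERNAME": username, **answers},
    }


def walk_sample_chain(mfa_code: str) -> Dict:
    """Build the final SOFTWARE_TOKEN_MFA request of the constructed chain,
    carrying the GUID forward even though sign-in started with an email."""
    # First hop: answer PASSWORD_VERIFIER (placeholder SRP proof values).
    first = build_respond_to_auth_challenge(
        SAMPLE_PASSWORD_VERIFIER_RESPONSE,
        "PASSWORD_VERIFIER",
        {"PASSWORD_CLAIM_SIGNATURE": "placeholder", "PASSWORD_CLAIM_SECRET_BLOCK": "placeholder",
         "TIMESTAMP": "placeholder"},
    )
    assert first["ChallengeResponses"]["USERNAME"] == SAMPLE_GUID
    # Second hop: answer the MFA challenge with the username Cognito returned.
    return build_respond_to_auth_challenge(
        SAMPLE_MFA_CHALLENGE_RESPONSE, "SOFTWARE_TOKEN_MFA", {"SOFTWARE_TOKEN_MFA_CODE": mfa_code}
    )
```

The check in `build_respond_to_auth_challenge` is deliberately strict: a client that knows only the sign-in email should simply omit `requested_username` and let the helper take the value from the previous challenge, so the only way to send the email as `USERNAME` mid-chain is to ask for it explicitly, and that request is rejected.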