Cognito "confirmDevice" error: "Invalid device credentials given"
I have a Cognito User Pool working with MFA enabled (optional), and I am currently working on setting up Device Tracking so that users can bypass MFA for trusted devices ("Allow users to bypass MFA for trusted devices" set to "Yes").
I am using the AWS SDK for Ruby, and can successfully step through the admin_initiate_auth
and admin_respond_to_auth_challenge
steps. When I run confirm_device
I am getting an exception:
Invalid device credentials given, no credentials given
Searching on Google for the exception message, I've so far been unable to find any examples of error message for Cognito.
The code I'm using:
class Cognito attr_reader :client, :user_pool_id, :app_client_id, :app_client_secret def initialize @client = Aws::CognitoIdentityProvider::Client.new( region: ENV['AWS_REGION'], access_key_id: ENV['AWS_ACCESS_KEY_ID'], secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'] ) @user_pool_id = ENV['AWS_USER_POOL_ID'] @app_client_id = ENV["AWS_APP_CLIENT_ID"] @app_client_secret = ENV["AWS_APP_CLIENT_SECRET_KEY"] end class << self def secret_hash(username) cognito = self.new Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', cognito.app_client_secret, username + cognito.app_client_id)) end def authenticate(username:, password:) cognito = self.new user_object = { USERNAME: username, PASSWORD: password, SECRET_HASH: Cognito.secret_hash(username), } auth_object = { user_pool_id: cognito.user_pool_id, client_id: cognito.app_client_id, auth_flow: "ADMIN_NO_SRP_AUTH", auth_parameters: user_object, } cognito.client.admin_initiate_auth(auth_object) end def admin_respond_to_auth_challenge(session:, mfa_code:, username:) cognito = self.new cognito.client.admin_respond_to_auth_challenge({ user_pool_id: cognito.user_pool_id, client_id: cognito.app_client_id, challenge_name: "SMS_MFA", # required, accepts SMS_MFA, SOFTWARE_TOKEN_MFA, SELECT_MFA_TYPE, MFA_SETUP, PASSWORD_VERIFIER, CUSTOM_CHALLENGE, DEVICE_SRP_AUTH, DEVICE_PASSWORD_VERIFIER, ADMIN_NO_SRP_AUTH, NEW_PASSWORD_REQUIRED challenge_responses: { "SMS_MFA_CODE" => mfa_code, "USERNAME" => username, "SECRET_HASH" => Cognito.secret_hash(username), }, session: session, context_data: { # TODO get these from request. ip_address: "127.0.0.1", # required server_name: "localhost", # required server_path: "https://127.0.0.1/", # required http_headers: [ # required { header_name: "StringType", header_value: "StringType", }, ], }, }) end def confirm_device(device_key:, access_token:, device_name: nil) cognito = self.new cognito.client.confirm_device({ device_key: device_key, access_token: access_token, device_name: device_name, }) end end end
And called with:
r = Cognito.authenticate(username: 'user.email@gmail.com', password: "Password1")
challenge = Cognito.admin_respond_to_auth_challenge(session: r.session, mfa_code: "123456", username: 'user.email@gmail.com')
confirm = Cognito.confirm_device(device_key: challenge.authentication_result.new_device_metadata.device_key, access_token: challenge.authentication_result.access_token, device_name: "John's Machine")
With the full error being:
/Users/myname/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/aws-sdk-core-3.126.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': Invalid device credentials given, no credentials given (Aws::CognitoIdentityProvider::Errors::InvalidParameterException)
I'm not sure what credentials I'm missing. Any help would be appreciated! Thank you.
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
Hi JPF,
Are you able to figure out the issue? I ran into the same error.
Thanks
Contenuto pertinente
- AWS UFFICIALEAggiornata un anno fa
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata un anno fa
- AWS UFFICIALEAggiornata 2 anni fa
Hello WY220 - No, I haven't. I've posted the same question to StackOverflow as well with no responses there either. https://stackoverflow.com/questions/72481312/cognito-sdk-unable-to-confirm-a-trusted-device