Cognito confirmDevice - Invalid device key given response

0

I am confirming a user's device after they complete MFA (server-side) to ensure that they are able to call refresh (we need this due to device tracking on the user pool). However, everything I try results in the same thing: Invalid device key given. We have it working fine on the client side without even trying, due to aws-cognito-identity-js, but we also have a legacy login endpoint for older apps that we want to hook into the newer user pool, and thus the refresh calls need a deviceKey. I have been looking at the calls made by aws-cognito-identity-js, which succeed in the browser but fail when I copy as curl and run in the terminal with, yeah you got it, an Invalid device key given response. My code is below; accessToken & deviceKey come from the result of the response to the SMS_MFA challenge. Has anyone got this working out of aws-cognito-identity-js?

    // Wrapped into a function so the posted fragment runs as a unit. authHelper (the
    // amazon-cognito-identity-js AuthenticationHelper used in the original), cognito
    // (the SDK client) and the token/key values are passed in, as the snippet assumed.
    function confirmUserDevice({ authHelper, cognito, username, poolId, accessToken, deviceKey, deviceGroupKey }) {
        return new Promise((resolve, reject) => {
            // Derives the SRP salt and password verifier for this device.
            authHelper.generateHashDevice(deviceGroupKey, deviceKey, async (err) => {
                if (err) {
                    return reject(err);
                }

                const deviceSecretVerifierConfig = {
                    Salt: Buffer.from(authHelper.getSaltDevices(), 'hex').toString('base64'),
                    PasswordVerifier: Buffer.from(authHelper.getVerifierDevices(), 'hex').toString('base64'),
                };

                const confirmConfig = {
                    AccessToken: accessToken,
                    DeviceKey: deviceKey,
                    DeviceName: `${username}-${poolId}-${deviceKey}`,
                    DeviceSecretVerifierConfig: deviceSecretVerifierConfig,
                };

                // Without the try/catch, a failed call inside the callback would be an
                // unhandled rejection instead of rejecting the outer promise.
                try {
                    resolve(await cognito.confirmDevice(confirmConfig));
                } catch (e) {
                    reject(e);
                }
            });
        });
    }
asked 2 years ago · 831 views
1 Answer
0
Accepted Answer

Hello,

The error you are receiving, 'Invalid device key given', usually happens when USER_SRP_AUTH [1] is not being used. Please ensure you are making use of USER_SRP_AUTH. You may refer to the article below to understand the complete flow of Device Tracking and Remembering.

[+] https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-remembered-devices/

If you continue to face the issue, I would suggest raising a case with support to perform a deep dive. Please open a support case with AWS using the following link:

[+] https://console.aws.amazon.com/support/home#/case/create

Reference

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thanks for your reply. Yesterday we discovered that this user flow wasn't using USER_SRP_AUTH and have since modified it. We have also found that the request to authenticate, the request to send the MFA code AND the request to confirm the user's device all need to use the same cognito object to make the request, which is why aws-cognito-identity-js works fine in the browser. As our login & MFA verification calls are on different endpoints, we have had to come up with a solution that allows these two calls to share the cognito object through a long-lived lambda function that is invoked by both of these lambdas themselves.
