Cognito VerifyAuthChallenge InvalidLambdaResponseException

0

I am trying to implement a custom authentication flow with .NET Core and C#. I used this site as a reference (Link: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html), but so far I have already realized that the input isn't the same in .NET as in the documentation on the site, because the "challengeAnswer" is not given as a Dictionary<string, string>, but as a String object.

I successfully go through the Define, Create and VerifyAuthChallenge, but the object that I return in the VerifyAuthChallengeLambda cannot be handled by Cognito:

Amazon.CognitoIdentityProvider.Model.InvalidLambdaResponseException: Unrecognizable lambda output

I take the input element, add "answerCorrect = true" to the response for testing, don't make any alterations to the input element, and return that object. Sadly I can't figure out what is wrong with the structure that I return, which is the following JSON-serialized object:

{
    "version": 1,
    "triggerSource": "VerifyAuthChallengeResponse_Authentication",
    "region": "eu-central-1",
    "userPoolId": "eu-central-1_YV3aaaaaa",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-dotnet-coreclr-3.3.12.7",
        "clientId": "2490gqsa3gd3ba8tasdasdasda"
    },
    "request": {
        "challengeAnswer": "{\"DeviceSub\":\"a123\",\"IpAddress\":\"1.1.1.1\",\"MacAddress\":\"FF:FF:FF:FF:FF:FF\",\"DeviceName\":\"Svens Test Device\",\"UserName\":\"8624237e-0be8-425e-a2cb-aaaaaaaaaaaa\"}",
        "privateChallengeParameters": {
            "CUSTOM_CHALLENGE": "SessionService_SendDevice"
        },
        "userAttributes": {
            "sub": "8624237e-0be8-425e-a2cb-aaaaaaaaaaaa",
            "email_verified": "true",
            "cognito:user_status": "CONFIRMED",
            "email": "s.mmmmmmmm@sooooooooo.de"
        }
    },
    "response": {
        "answerCorrect": true
    },
    "userName": "8624237e-0be8-425e-a2cb-aaaaaaaaaaaa"
}

Could you maybe provide the structure of the response object that Cognito expects? I'm a bit in the dark here and don't know what I should change on the returned object in order to conform to the required structure.

Thanks for your help,
All the Best,

Sven

Edited by: SolidWhiteSven on Jan 17, 2019 11:39 AM

asked 5 years ago, 363 views
1 Answer
0

Well, so my mistake was to not consider the custom authentication flow. I found a different documentation, which is by the way the one you should definitely use:

Customizing Amazon Cognito User Pool Authentication Flow
https://aws.amazon.com/blogs/mobile/customizing-your-user-pool-authentication-flow/

I ran into 2 wrong parts in the documentation here (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html) (the triggers sub-pages) and 1 error on my part.

Wrong part 1: The DefineAuthChallenge and CreateAuthChallenge inputs for the session are defined as a list of challenge results. This is all fine, but the challenge result object has the challenge metadata part wrongly displayed as being written like this: "ChallengeMetaData", when instead it should be "ChallengeMetadata", with a lower case "d" for "data" instead of an upper case one. This gave me the "Unrecognized lambda output"-error, because "ChallengeMetaData" wasn't what the backend was expecting; it was looking for "ChallengeMetadata", which wasn't present. The first time you enter the define auth challenge lambda, this error doesn't show up, because the session doesn't contain any challenge answers. The moment you verify a challenge though, this gets filled and then the uppercase d gives you trouble.

Wrong part 2: As described in my question, the VerifyAuthChallenge input for the "challengeAnswer" is a string, not a Dictionary.

All these wrong parts are correctly displayed on the first documentation page I linked here. So I would recommend using that instead of the other documentation.

Error on my side: I didn't really check what happens after you verify a custom challenge via the VerifyAuthChallenge trigger. In the given link, in the image above the headline 'DefineAuthChallenge: The challenges (state machine) Lambda trigger', it clearly states that after verifying the response, the DefineAuthChallenge trigger is invoked again, which I didn't consider.

I hope I could save someone the time it took for me to figure this out with this :-)

answered 5 years ago
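
An added example (not the poster's code and not AWS sample code): a verify step that treats request.challengeAnswer as a string holding JSON, as described in the thread, fails closed when that string cannot be parsed, and returns the incoming event with only response.answerCorrect changed. It assumes .NET 6 or later for System.Text.Json.Nodes; the `Handle` function, the rule that the answer's UserName must equal the event's userName, and the sample event are all constructed for illustration.

```csharp
using System;
using System.Text.Json.Nodes;

public static class VerifyAuthChallenge
{
    // Returns the incoming event unchanged except for response.answerCorrect.
    // A malformed event itself is left to throw; only the answer is untrusted here.
    public static string Handle(string eventJson)
    {
        var evt = JsonNode.Parse(eventJson);
        bool ok = false;
        try
        {
            // challengeAnswer is a string that holds JSON, not a map.
            var raw = evt["request"]?["challengeAnswer"]?.GetValue<string>();
            var answer = JsonNode.Parse(raw ?? "");
            var claimed = answer?["UserName"]?.GetValue<string>();
            var actual = evt["userName"]?.GetValue<string>();
            // Hypothetical rule: the answer must name the user being authenticated.
            ok = !string.IsNullOrEmpty(actual) && claimed == actual;
        }
        catch (Exception)
        {
            ok = false; // fail closed on missing, non-string or unparsable answers
        }
        evt["response"] = new JsonObject { ["answerCorrect"] = ok };
        return evt.ToJsonString();
    }

    public static void Main()
    {
        // Constructed sample event, reduced from the one in the question.
        const string sample = @"{
  ""version"": 1,
  ""triggerSource"": ""VerifyAuthChallengeResponse_Authentication"",
  ""request"": { ""challengeAnswer"": ""{\""UserName\"":\""user-1\""}"" },
  ""response"": {},
  ""userName"": ""user-1""
}";
        Console.WriteLine(Handle(sample));
        // Same event with a different UserName inside the answer string.
        Console.WriteLine(Handle(sample.Replace("user-1\\", "other\\")));
    }
}
```

Working on the parsed JSON tree rather than on typed classes keeps every field Cognito sent in the output exactly as received, so property-name casing in a C# model cannot alter the returned structure.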
