Cognito confirmDevice - Invalid device key given response

0

I am confirming a user's device after they complete MFA (server-side) to ensure that they are able to call refresh (we need this due to device tracking on the user pool). However, everything I try results in the same thing: Invalid device key given. We have it working fine on the client side without even trying thanks to aws-cognito-identity-js, but we also have a legacy login endpoint for older apps that we want to hook into the newer user pool, and thus the refresh call needs a deviceKey. I have been looking at the calls made by aws-cognito-identity-js, which succeed in the browser but fail when I copy them as curl and run them in the terminal with, yeah you got it, an Invalid device key given response. My code is below; accessToken and deviceKey come from the response to the SMS_MFA challenge. Has anyone got this working outside of aws-cognito-identity-js?

    // Runs after the SMS_MFA challenge succeeded: accessToken, deviceKey and
    // deviceGroupKey come from that challenge response (NewDeviceMetadata).
    function confirmUserDevice(cognito, authHelper, { username, poolId, accessToken, deviceKey, deviceGroupKey }) {
        return new Promise((resolve, reject) => {
            authHelper.generateHashDevice(deviceGroupKey, deviceKey, async (err) => {
                if (err) {
                    return reject(err);
                }

                // The helper returns salt and verifier as hex; ConfirmDevice wants base64.
                const deviceSecretVerifierConfig = {
                    Salt: Buffer.from(authHelper.getSaltDevices(), 'hex').toString('base64'),
                    PasswordVerifier: Buffer.from(authHelper.getVerifierDevices(), 'hex').toString('base64'),
                };

                const confirmConfig = {
                    AccessToken: accessToken,
                    DeviceKey: deviceKey,
                    DeviceName: `${username}-${poolId}-${deviceKey}`,
                    DeviceSecretVerifierConfig: deviceSecretVerifierConfig,
                };

                try {
                    // With AWS SDK v2 this call needs a trailing .promise() to be awaitable.
                    resolve(await cognito.confirmDevice(confirmConfig));
                } catch (e) {
                    reject(e);
                }
            });
        });
    }
Asked 2 years ago, 848 views
1 answer
0
Accepted answer

Hello,

The error you are receiving, 'Invalid device key given', usually happens when USER_SRP_AUTH [1] is not being used. Please ensure you are making use of USER_SRP_AUTH. You may refer to the article below to understand the complete flow of Device Tracking and Remembering.

[+] https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-remembered-devices/

If you continue to face the issue, I would suggest raising a case with support to perform a deep dive. Please open a support case with AWS using the following link:

[+] https://console.aws.amazon.com/support/home#/case/create

Reference

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges

AWS
Support Engineer
Answered 2 years ago
  • Thanks for your reply. We discovered yesterday that this user flow wasn't using USER_SRP_AUTH and have since modified it. We have also found that the request to authenticate, the request to send the MFA code AND the request to confirm the user's device all need to use the same cognito object to make the request, which is why aws-cognito-identity-js works fine in the browser. As our login and MFA verification calls are on different endpoints, we have had to come up with a solution that allows these two calls to share the cognito object through a long-lived Lambda function that is invoked by both of these Lambdas themselves.
