The current implementation of process_challenge doesn't reliably authenticate when logging in via e-mail address using a client_secret. It will yield a:
"An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client"
```
  File "warrant/venv/lib/python3.6/site-packages/warrant/aws_srp.py", line 213, in authenticate_user
    ChallengeResponses=challenge_response)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "warrant/venv/lib/python3.6/site-packages/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client xxxxxxxx
```
When I try the same code on a new app client which does not have a secret, the code works fine.
> The current implementation of `process_challenge` doesn't reliably authenticate when logging in via e-mail address using a `client_secret`. It will yield a: "An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client"
As you can see in the official AWS Java SDK, the right way to respond to an auth challenge request (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2914) is to take the internal user name from the challenge parameters and use it for the secret hash calculation (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2955) as well as for the username in the `srpAuthResponse` (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2964). Please find attached the pull request that fixes this issue: #124
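The following is an added example, not code from the warrant project or from this pull request, showing why the secret hash fails when the user signs in with an e-mail alias and how using the pool-internal username from the challenge parameters fixes it. It computes the Cognito `SECRET_HASH` (base64 of HMAC-SHA256 keyed with the client secret over `username + client_id`), builds a `PASSWORD_VERIFIER` challenge response, and models the service-side verification. The client id, client secret, challenge parameters, signature and timestamp are constructed sample values; that the internal username arrives under the `USERNAME` challenge-parameter key is an assumption taken from the Java SDK lines linked above. The SRP signature itself is out of scope and passed in as a placeholder.

```python
import base64
import hashlib
import hmac

# Constructed sample values; not real Cognito credentials.
CLIENT_ID = "example-app-client-id"
CLIENT_SECRET = "example-app-client-secret"


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH: base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("utf-8")


def build_password_verifier_response(challenge_params: dict, client_id: str,
                                     client_secret: str, signature: str,
                                     timestamp: str) -> dict:
    """Build the ChallengeResponses map for a PASSWORD_VERIFIER challenge.

    The service returns the pool-internal username in the challenge parameters
    (assumed here to be the 'USERNAME' key, as in the Java SDK). That value, not
    the e-mail alias the user typed, goes into both USERNAME and SECRET_HASH.
    """
    internal_username = challenge_params["USERNAME"]
    response = {
        "USERNAME": internal_username,
        "PASSWORD_CLAIM_SECRET_BLOCK": challenge_params["SECRET_BLOCK"],
        "PASSWORD_CLAIM_SIGNATURE": signature,  # placeholder for the SRP proof
        "TIMESTAMP": timestamp,
    }
    if client_secret:  # app clients without a secret send no SECRET_HASH
        response["SECRET_HASH"] = secret_hash(internal_username, client_id, client_secret)
    return response


def service_accepts_secret_hash(response: dict, client_id: str, client_secret: str) -> bool:
    """Model of the server-side check: recompute the hash over the USERNAME in the
    response and compare in constant time. Hashing over the e-mail alias instead
    of the internal username is exactly what makes this comparison fail."""
    expected = secret_hash(response["USERNAME"], client_id, client_secret)
    return hmac.compare_digest(expected, response.get("SECRET_HASH", ""))


# Constructed challenge parameters resembling what InitiateAuth returns for a
# PASSWORD_VERIFIER challenge when the user signed in with an e-mail alias.
CHALLENGE_PARAMS = {
    "USERNAME": "0d3b1c7e-internal-user-id",        # pool-internal username
    "USER_ID_FOR_SRP": "0d3b1c7e-internal-user-id",
    "SECRET_BLOCK": "constructed-secret-block",
    "SALT": "00",
    "SRP_B": "00",
}
EMAIL_ALIAS = "user@example.com"  # what the user actually typed at login


def demo() -> dict:
    """Compare the broken and fixed responses; returns both plus the verdicts."""
    sig, ts = "constructed-signature", "Mon Jan 1 00:00:00 UTC 2018"
    fixed = build_password_verifier_response(CHALLENGE_PARAMS, CLIENT_ID, CLIENT_SECRET, sig, ts)
    # The broken behaviour: secret hash computed over the alias the user typed.
    broken = dict(fixed)
    broken["SECRET_HASH"] = secret_hash(EMAIL_ALIAS, CLIENT_ID, CLIENT_SECRET)
    return {
        "fixed_ok": service_accepts_secret_hash(fixed, CLIENT_ID, CLIENT_SECRET),
        "broken_ok": service_accepts_secret_hash(broken, CLIENT_ID, CLIENT_SECRET),
        "fixed": fixed,
        "broken": broken,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same response accepted when `SECRET_HASH` is derived from the internal username and rejected when it is derived from the e-mail alias, which is the mismatch behind the "Unable to verify secret hash for client" error above.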