cognito-idp: "SECRET_HASH was not received" with USER_SRP_AUTH #3246

Open
1 task
phyordia opened this issue Jan 14, 2025 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

phyordia commented Jan 14, 2025

Describe the bug

Hello!
I'm trying to authenticate a user using CognitoIdentityProviderClient.

TL;DR: Using USER_SRP_AUTH flow and a correct secret_hash, I get a response saying SECRET_HASH was not sent.

Here's the relevant portion of the code:

```cpp
Aws::Map<Aws::String, Aws::String> authParameters;
authParameters["USERNAME"] = username.c_str();
// authParameters["PASSWORD"] = password.c_str(); // Used to test with USER_PASSWORD_AUTH below

authParameters["SECRET_HASH"] = "some_secret_hash";
authParameters["SRP_A"] = srp.A();

Aws::CognitoIdentityProvider::CognitoIdentityProviderClient cipClient(clientConfig);

Aws::CognitoIdentityProvider::Model::InitiateAuthRequest authRequest;
authRequest.SetClientId(m_clientID.c_str());
// authRequest.SetAuthFlow(Aws::CognitoIdentityProvider::Model::AuthFlowType::USER_PASSWORD_AUTH);
authRequest.SetAuthFlow(Aws::CognitoIdentityProvider::Model::AuthFlowType::USER_SRP_AUTH);

authRequest.SetAuthParameters(authParameters);
Aws::Map<Aws::String, Aws::String> __authParameters = authRequest.GetAuthParameters();
// check if the correct value is in the map. It is.

Aws::CognitoIdentityProvider::Model::InitiateAuthOutcome authResult = cipClient.InitiateAuth(authRequest);
```

Then I get: "NotAuthorizedException: Client is configured with secret but SECRET_HASH was not received"

  • I have tested all the credentials (user, password, pool ID, app ID, secret_hash, SRP_A, same flow type, etc.) with both Python's boto3 and requests, and it works fine both ways (I get tokens and challenge).

  • Strangely, in the C++ version above:

    • Using the USER_PASSWORD_AUTH flow instead (and providing a password in the authParameters), I don't get the "SECRET_HASH was not received" error.
    • Using USER_SRP_AUTH and authParameters["SECRET_HASH"] = "some_INCORRECT_secret_hash", I get an error saying the hash was not correct (but it was, apparently, received).

From what I have read in several StackOverflow threads, SRP doesn't work with apps with secrets, but those threads seem outdated, and the Python test seems to disprove that?

Could you please advise? Is this a limitation of the C++ SDK or is this a bug?

Many thanks in advance!

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Expect to receive either a success response or an invalid credentials error, but not a "not sent" error.

Current Behavior

See description of the bug

Reproduction Steps

See description of the bug

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.483

Compiler and Version used

clang-1600.0.26.6

Operating System and version

macOS 15.2
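
For anyone reproducing this report, a local pre-flight check of the USER_SRP_AUTH parameters helps separate a wrong hash from a dropped one. This is an added example, not code from the issue or from the SDK, written in Python because the reporter cross-checked with boto3; it assumes the documented Cognito formula Base64(HMAC-SHA256(client secret, username + client ID)) and a hex-encoded SRP_A, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def check_srp_auth_parameters(params: dict, client_id: str, client_secret: str) -> list:
    """Return the problems found in USER_SRP_AUTH AuthParameters (empty list if none)."""
    problems = [f"{key} missing or empty"
                for key in ("USERNAME", "SRP_A", "SECRET_HASH")
                if not params.get(key)]
    if problems:
        return problems
    try:
        int(params["SRP_A"], 16)  # assumption: SRP_A is sent as a hex string
    except ValueError:
        problems.append("SRP_A is not a hex string")
    # The hash is bound to the exact USERNAME string sent, so recompute it from that.
    expected = cognito_secret_hash(params["USERNAME"], client_id, client_secret)
    if not hmac.compare_digest(expected.encode(), params["SECRET_HASH"].encode()):
        problems.append("SECRET_HASH does not match USERNAME + client id")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    client_id, client_secret = "example-client-id", "example-client-secret"
    params = {
        "USERNAME": "alice@example.com",
        "SRP_A": "a1b2c3d4",
        "SECRET_HASH": cognito_secret_hash("alice@example.com", client_id, client_secret),
    }
    print(check_srp_auth_parameters(params, client_id, client_secret))  # well-formed input
    params["USERNAME"] = "Alice@example.com"  # same user, different case
    print(check_srp_auth_parameters(params, client_id, client_secret))
```

An empty list only shows the parameters are self-consistent locally; it says nothing about what the SDK serializes onto the wire.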
