[英]AWS Cognito Boto3 Error on Confirm Device: Invalid device key given
I have been creating a AWS Cognito flow with Python, Django and Boto3 with MFA enables.我一直在使用启用 MFA 的 Python、Django 和 Boto3 创建 AWS Cognito 流。
My authentication flow is the following:我的身份验证流程如下:
initiate_auth : called on an django rest endpoint initial_auth : 在 django rest 端点上调用
response = client.initiate_auth(
ClientId=settings.AWS_COGNITO_CLIENT_ID,
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': email,
'SECRET_HASH': get_secret_hash(email),
'PASSWORD': password,
}
)
if "ChallengeName" in response:
data["mfa"] = True
data["session"] = response["Session"]
respond_to_auth_challenge : called on a seperate django rest endpoint response_to_auth_challenge : 在单独的 django rest 端点上调用
response = client.respond_to_auth_challenge(
ClientId=settings.AWS_COGNITO_CLIENT_ID,
ChallengeName='SMS_MFA',
Session=session,
ChallengeResponses={
'USERNAME': email,
'SMS_MFA_CODE': code,
'SECRET_HASH': get_secret_hash(email),
}
)
based on this post I wanted to implement the confirm device so MFA is skipped upon next login.基于这篇文章,我想实现确认设备,以便在下次登录时跳过 MFA。 So after the respond to auth challenge I have this code:因此,在响应身份验证挑战后,我有以下代码:
device_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceKey']
device_group_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceGroupKey']
device_password, device_secret_verifier_config = generate_hash_device(device_group_key, device_key)
device = client.confirm_device(
AccessToken=response["AuthenticationResult"]["AccessToken"],
DeviceKey=device_key,
DeviceSecretVerifierConfig=device_secret_verifier_config,
DeviceName=email
)
But I always get the但我总是得到
Unknown error An error occurred (InvalidParameterException) when calling the ConfirmDevice operation: Invalid device key given.未知错误 调用 ConfirmDevice 操作时发生错误 (InvalidParameterException):给定的设备密钥无效。
Can anyone help on why this happens?任何人都可以帮助解释为什么会发生这种情况吗?
So I found a something that worked for me.所以我找到了一个对我有用的东西。
In your challange response, you need to pass the username from the response for the initial_auth
在您的挑战响应中,您需要为initial_auth
传递响应中的用户名
In your code that should be stored at response["Username"]
在您的代码中应该存储在response["Username"]
then when calling the respond_to_auth_challenge
you will use this parameter然后在调用respond_to_auth_challenge
您将使用此参数
response = client.respond_to_auth_challenge(
ClientId=settings.AWS_COGNITO_CLIENT_ID,
ChallengeName='SMS_MFA',
Session=session,
ChallengeResponses={
'USERNAME': username, // response["Username"] <--------
'SMS_MFA_CODE': code,
'SECRET_HASH': get_secret_hash(email),
}
)
I wish it was better documented on AWS or they would have at least a better error message.我希望它在 AWS 上有更好的记录,否则他们至少会有更好的错误消息。
That solved the problem for me.那为我解决了问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.