AWS Cognito Authentication USER_PASSWORD_AUTH flow not enabled for this client

Question

I have an mobile app with user pool (username & password). The app works fine with aws-amplify sdk. But, wanted to move the code out to Lambdas. So, I have written the following Lambda using Boto3.

Here is Lambda:

import boto3

def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Tried admin_initiate_auth too.

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Here is the error the I get.

An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client: InvalidParameterException Traceback (most recent call last):
File "/var/task/lambda_function.py", line 12, in lambda_handler 'PASSWORD': 'xxxxx' File "/var/runtime/botocore/client.py", line 317, in _api_call return self._make_api_call(operation_name, kwargs) File "/var/runtime/botocore/client.py", line 615, in _make_api_call raise error_class(parsed_response, operation_name) InvalidParameterException: An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client

Any thoughts?

Answer 1

Figured it. I have goto user pool - > app clients - >show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).

That fixed it.

Answer 2

Figured it. I have goto user pool - > app clients - >show details -> Enable username password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH).

Answer 3

For me I found that my credentials needed a hmac here is the class in case it is useful to someone.

import boto3
import boto3.session
import hmac, base64, hashlib
from botocore.client import ClientMeta

class AwsAuth(object):
    '''
    classdocs
    '''

    def gettoken(self):
        if self.token:
            return self.token
        else:
            return False

    def connect(self):

        if not self.username:
            self.username = raw_input("Username: ")

        if not self.password:
            self.password = raw_input("Password: ")

        digest = self.gethmacdigest(self.username)

        response = self.client.initiate_auth(
            ClientId=self.clientid,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': self.username,
                'PASSWORD': self.password,
                'SECRET_HASH': digest
            },
            ClientMetadata={
                'UserPoolId': self.userpoolid
            }
        )
        self.token = response
        return response

    def gethmacdigest(self, username):

        message = username + self.clientid
        dig = hmac.new(self.clientsecret, msg=message.encode('UTF-8'), digestmod=hashlib.sha256).digest()    
        return base64.b64encode(dig).decode()


    def __init__(self, path, url, fileout, filein, userpoolid, clientid, clientsecret, region, username = None, password = None):
        '''
        Constructor
        '''

        #boto3.set_stream_logger('botocore', level="DEBUG")

        self.path = path
        self.url = url
        self.fileout = fileout
        self.filein = filein
        self.userpoolid = userpoolid
        self.clientid = clientid
        self.clientsecret = clientsecret
        self.region = region
        self.token = ""

        boto3.setup_default_session(region_name=region) 

        self.client = boto3.client('cognito-idp')
        if username is not None:
            self.username = username
        else:
            self.username = None
        if password is not None:
            self.password = password
        else:
            self.password = None

Answer 4

Figured it out after many attempts. Here is my solution

1. Go to Cognito from AWS console
2. Then click on the desired pool for which you are facing the error \
3. Now click on the App Clients option on the left panel. It will show you available clients
4. Click on Show Details for your desired app client. And then in the Auth Flows Configuration section make sure Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH) is checked.

For more details on the API refer to this link InitiateAuth

Answer 5

I figured it out.Inspite of AuthFlow pass ExplicitAuthFlows then it should work. `

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        ExplicitAuthFlows='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

`