stackoom
  简体   繁体   中英

AWS Cognito Boto3 Error on Confirm Device: Invalid device key given

 原文  2019-11-27 02:15:46       django/ python-3.x/ boto3/ amazon-cognito

Question

I have been creating a AWS Cognito flow with Python, Django and Boto3 with MFA enables.

My authentication flow is the following:

initiate_auth : called on an django rest endpoint 

response = client.initiate_auth(
            ClientId=settings.AWS_COGNITO_CLIENT_ID,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': email,
                'SECRET_HASH': get_secret_hash(email),
                'PASSWORD': password,
            }
        )

if "ChallengeName" in response:
            data["mfa"] = True
            data["session"] = response["Session"]

respond_to_auth_challenge : called on a seperate django rest endpoint 

response = client.respond_to_auth_challenge(
            ClientId=settings.AWS_COGNITO_CLIENT_ID,
            ChallengeName='SMS_MFA',
            Session=session,
            ChallengeResponses={
                'USERNAME': email,
                'SMS_MFA_CODE': code,
                'SECRET_HASH': get_secret_hash(email),
            }
        )

based on this post I wanted to implement the confirm device so MFA is skipped upon next login. So after the respond to auth challenge I have this code:

device_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceKey']
        device_group_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceGroupKey']

        device_password, device_secret_verifier_config = generate_hash_device(device_group_key, device_key)

        device = client.confirm_device(
            AccessToken=response["AuthenticationResult"]["AccessToken"],
            DeviceKey=device_key,
            DeviceSecretVerifierConfig=device_secret_verifier_config,
            DeviceName=email
        )

But I always get the

Unknown error An error occurred (InvalidParameterException) when calling the ConfirmDevice operation: Invalid device key given.

Can anyone help on why this happens?

1 answers

solution1
 0  2020-11-23 16:48:59

So I found a something that worked for me.

In your challange response, you need to pass the username from the response for the initial_auth

In your code that should be stored at response["Username"]

then when calling the respond_to_auth_challenge you will use this parameter


response = client.respond_to_auth_challenge(
            ClientId=settings.AWS_COGNITO_CLIENT_ID,
            ChallengeName='SMS_MFA',
            Session=session,
            ChallengeResponses={
                'USERNAME': username, // response["Username"] <--------
                'SMS_MFA_CODE': code,
                'SECRET_HASH': get_secret_hash(email),
            }
        )

I wish it was better documented on AWS or they would have at least a better error message.

That solved the problem for me.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Why boto3 dose not recognize my AWS_ACCESS_KEY_ID in Django on EC2? How to get the aws s3 object key using django-storages and boto3 Heroku: S3 / boto3 - error: Please use AWS4-HMAC-SHA256 boto3 Client Error: Server Side Encryption with Customer provided key is incompatible with the encryption method specified AWS Boto3 Compatibility Issue, How can I install an older version of Boto3? boto3 mturk send_bonus error Do I need to have AWS CLI to use Boto3? Rename key using boto3 within the same s3 bucket S3 image upload error with boto3 and dropzone.js Boto3 Authorization on IIS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM