I have been creating an AWS Cognito flow with Python, Django and Boto3 with MFA enabled.
My authentication flow is the following:
initiate_auth: called on a Django REST endpoint
# client is a boto3 'cognito-idp' client; get_secret_hash() computes the app client SECRET_HASH
response = client.initiate_auth(
    ClientId=settings.AWS_COGNITO_CLIENT_ID,
    AuthFlow='USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': email,
        'SECRET_HASH': get_secret_hash(email),
        'PASSWORD': password,
    }
)
# With MFA enabled Cognito returns a challenge instead of tokens; hand the session back to the client
if "ChallengeName" in response:
    data["mfa"] = True
    data["session"] = response["Session"]
respond_to_auth_challenge: called on a separate Django REST endpoint
# session is the Session value returned by initiate_auth; code is the SMS code the user entered
response = client.respond_to_auth_challenge(
    ClientId=settings.AWS_COGNITO_CLIENT_ID,
    ChallengeName='SMS_MFA',
    Session=session,
    ChallengeResponses={
        'USERNAME': email,
        'SMS_MFA_CODE': code,
        'SECRET_HASH': get_secret_hash(email),
    }
)
Based on this post, I wanted to implement confirm device so MFA is skipped on the next login. So after the respond to auth challenge I have this code:
# NewDeviceMetadata is only present when device tracking is enabled for the user pool
device_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceKey']
device_group_key = response['AuthenticationResult']['NewDeviceMetadata']['DeviceGroupKey']
# generate_hash_device() is the SRP verifier routine from the linked post
device_password, device_secret_verifier_config = generate_hash_device(device_group_key, device_key)
device = client.confirm_device(
    AccessToken=response["AuthenticationResult"]["AccessToken"],
    DeviceKey=device_key,
    DeviceSecretVerifierConfig=device_secret_verifier_config,
    DeviceName=email
)
But I always get the following error:
Unknown error An error occurred (InvalidParameterException) when calling the ConfirmDevice operation: Invalid device key given.
Can anyone help on why this happens?
So I found something that worked for me.
In your challenge response, you need to pass the username from the response of the initiate_auth call.
In your code that should be stored at response["Username"].
Then, when calling respond_to_auth_challenge, you will use this parameter:
response = client.respond_to_auth_challenge(
    ClientId=settings.AWS_COGNITO_CLIENT_ID,
    ChallengeName='SMS_MFA',
    Session=session,
    ChallengeResponses={
        'USERNAME': username,  # response["Username"] <--------
        'SMS_MFA_CODE': code,
        'SECRET_HASH': get_secret_hash(email),
    }
)
I wish it was better documented on AWS or they would have at least a better error message.
That solved the problem for me.
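As an added example (not code from the question or the answer), here is how I would structure the challenge and device-confirmation steps so that the username Cognito returns with the challenge is the one used in ChallengeResponses (the fix the answer describes) and so that a response without NewDeviceMetadata (device tracking not enabled, or no new device issued) is handled instead of raising KeyError. It assumes the SECRET_HASH formula AWS documents (Base64 of HMAC-SHA256 keyed by the client secret over username + client id, computed over the same username string sent in that request), assumes the challenge parameters carry USER_ID_FOR_SRP (falling back to the top-level "Username" the answer mentions), and stands in RecordingCognitoClient and placeholder_verifier for the real boto3 client and the generate_hash_device routine from the linked post; the sample responses are constructed.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional, Tuple


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as AWS documents it for app clients with a client secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Compute it over the exact string sent as USERNAME in the same request."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def challenge_username(initiate_response: dict, login_identifier: str) -> str:
    """Username to send in ChallengeResponses. Prefer the user id Cognito hands back
    with the challenge (assumed field USER_ID_FOR_SRP; it differs from an e-mail alias
    the user typed), then a top-level "Username", then what the user typed."""
    params = initiate_response.get("ChallengeParameters") or {}
    return (params.get("USER_ID_FOR_SRP")
            or initiate_response.get("Username")
            or login_identifier)


def device_metadata(challenge_response: dict) -> Optional[Tuple[str, str]]:
    """Return (DeviceKey, DeviceGroupKey), or None when Cognito issued no device
    (device tracking off, device already remembered) instead of raising KeyError."""
    result = challenge_response.get("AuthenticationResult") or {}
    meta = result.get("NewDeviceMetadata") or {}
    key, group = meta.get("DeviceKey"), meta.get("DeviceGroupKey")
    if not key or not group:
        return None
    return key, group


VerifierFn = Callable[[str, str], Tuple[str, dict]]


def confirm_new_device(client, challenge_response: dict, device_name: str,
                       make_verifier: VerifierFn) -> Optional[Tuple[str, str]]:
    """Confirm the device Cognito just issued. Returns (device_key, device_password);
    the device password is a secret only the user's device should keep, for a later
    DEVICE_SRP_AUTH. Returns None when there is nothing to confirm. make_verifier is
    the SRP verifier routine (the linked post's generate_hash_device), injected so
    the flow can run offline."""
    meta = device_metadata(challenge_response)
    if meta is None:
        return None
    device_key, device_group_key = meta
    device_password, verifier_config = make_verifier(device_group_key, device_key)
    client.confirm_device(
        AccessToken=challenge_response["AuthenticationResult"]["AccessToken"],
        DeviceKey=device_key,
        DeviceSecretVerifierConfig=verifier_config,
        DeviceName=device_name,
    )
    return device_key, device_password


# --- constructed stand-ins so the flow can be exercised without AWS -----------

class RecordingCognitoClient:
    """Stand-in for boto3's cognito-idp client: records each confirm_device call."""

    def __init__(self):
        self.calls = []

    def confirm_device(self, **kwargs):
        self.calls.append(kwargs)
        return {"UserConfirmationNecessary": False}


def placeholder_verifier(device_group_key: str, device_key: str) -> Tuple[str, dict]:
    """Placeholder for the SRP device-verifier computation: real code derives
    PasswordVerifier and Salt from a random device password plus the group key
    and device key (see the linked post). Values here are constructed."""
    return "device-password-placeholder", {"PasswordVerifier": "...", "Salt": "..."}


# Constructed sample responses shaped like Cognito's
SAMPLE_INITIATE = {
    "ChallengeName": "SMS_MFA",
    "Session": "session-placeholder",
    "ChallengeParameters": {"USER_ID_FOR_SRP": "a1b2c3d4-sub",
                            "CODE_DELIVERY_DESTINATION": "+*******1234"},
}
SAMPLE_CHALLENGE_OK = {"AuthenticationResult": {
    "AccessToken": "access-placeholder",
    "NewDeviceMetadata": {"DeviceKey": "dev-key-placeholder",
                          "DeviceGroupKey": "dev-group-placeholder"}}}
SAMPLE_CHALLENGE_NO_DEVICE = {"AuthenticationResult": {"AccessToken": "access-placeholder"}}
```

In the Django endpoint, call challenge_username() on the stored initiate_auth response and feed that one string both to USERNAME and to secret_hash(), then pass the real boto3 client and generate_hash_device into confirm_new_device(); persisting the returned device password anywhere but on the user's own device defeats the purpose of the remembered-device check.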