-
Notifications
You must be signed in to change notification settings - Fork 192
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SRP doesn't authenticate reliably with client secret #125
Comments
I'm new to Cognito.
Error:
When I try the same code on a new app client which does not have a secret, the code works fine. |
Hi, 3oris do you have any updates |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current implementation of
process_challenge
doesn't reliably authenticate when logging in via e-mail address using aclient_secret
. It will yield a:"An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Unable to verify secret hash for client"
As you can see in the official AWS java SDK, the right way to respond to an auth challenge request (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2914 ) is to use the internal user name from the challenge paramteters and use it for secret hash calculation (https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2955 ) as well as username in the
srpAuthResponse
(https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java#L2964 )Please find attached the pull request that fixes this issue. #124
The text was updated successfully, but these errors were encountered: