Sven Möhring

Reputation: 860

Continue with custom auth flow after NEW_PASSWORD_REQUIRED challenge is answered in AWS Cognito

A new user is created by an admin. They need to reset their initial password on first login. We have the Cognito app client configured to only allow the custom authentication flow (CUSTOM_AUTH_FLOW_ONLY). But when the user resets their password, the auth flow ends and they get the ID, access and refresh tokens immediately; none of the custom challenges are issued.

A new user currently runs through this flow:

  1. At the moment, for a new user, we send InitiateAuthRequest with username and SRP_A, AuthFlow set to CUSTOM_AUTH, as a normal login would do.
  2. Our DefineAuthChallengeLambda is hit, issuing the PASSWORD_VERIFIER challenge.
  3. The client responds to the auth challenge with the SRP claims, username and timestamp.
  4. Cognito verifies the response and sees that the user must change their password. Our lambda triggers are skipped and the NEW_PASSWORD_REQUIRED challenge is returned by Cognito.
  5. The client responds to the auth challenge with a new password, Cognito accepts the password and issues the tokens, which is not what we want.

We want either for the flow to end here and not issue any tokens, or for it to not end here and continue with a DefineAuthChallenge trigger call.

Upvotes: 6

Views: 3347
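For readers who have not wired up the CUSTOM_AUTH + SRP_A flow from steps 1 to 5, the following DefineAuthChallenge handler is an added example (not code from the question's author): it walks the challenge history Cognito passes in `request.session`, issues PASSWORD_VERIFIER first, then one CUSTOM_CHALLENGE, and fails closed on anything else. The event shape follows the Cognito trigger contract; `make_event` and the sample sessions are constructed for illustration.

```python
# Added example: DefineAuthChallenge Lambda for a CUSTOM_AUTH flow that starts
# with SRP_A. Cognito calls this trigger after every answered challenge and
# sends the full history in event["request"]["session"]; the handler sets
# event["response"] to say what happens next.


def define_auth_challenge(event, context=None):
    """Decide the next challenge (or token issuance) from the session history."""
    session = event["request"].get("session", [])
    response = event["response"]
    response["issueTokens"] = False
    response["failAuthentication"] = False

    if not session:
        # CUSTOM_AUTH without SRP_A: there is no password proof to verify, so refuse.
        response["failAuthentication"] = True
        return event

    last = session[-1]
    if len(session) == 1 and last["challengeName"] == "SRP_A":
        # Step 2 of the question: verify the password via SRP before any custom step.
        response["challengeName"] = "PASSWORD_VERIFIER"
    elif (len(session) == 2
          and last["challengeName"] == "PASSWORD_VERIFIER"
          and last["challengeResult"]):
        # Password proven; now demand the custom factor (e.g. a one-time code).
        response["challengeName"] = "CUSTOM_CHALLENGE"
    elif (len(session) == 3
          and last["challengeName"] == "CUSTOM_CHALLENGE"
          and last["challengeResult"]):
        response["issueTokens"] = True
    else:
        # A failed answer, or a challenge this handler never issued: fail closed
        # rather than fall through to token issuance.
        response["failAuthentication"] = True
    return event


def make_event(session):
    """Constructed trigger event with only the fields the handler reads."""
    return {"request": {"session": session}, "response": {}}


if __name__ == "__main__":
    # Constructed sample: SRP succeeded, custom challenge answered correctly.
    history = [
        {"challengeName": "SRP_A", "challengeResult": True},
        {"challengeName": "PASSWORD_VERIFIER", "challengeResult": True},
        {"challengeName": "CUSTOM_CHALLENGE", "challengeResult": True},
    ]
    print(define_auth_challenge(make_event(history))["response"])
```

Because the handler only advances on an exact, expected history, an unexpected entry such as a challenge it did not issue ends the flow instead of silently issuing tokens.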

Answers (1)

Sven Möhring

Reputation: 860

So I contacted AWS Support and got the following answer:

As I mentioned, we've been engaging with the team and it looks like you've identified an issue with using Custom_Auth as well as an issue with using Custom_Auth and Password_Verifier/New_Password_Required challenges. It looks like changing Custom_auth to or from SRP_A and using the New password required challenge does not work at this moment. We managed to replicate this fully with the Cognito Service team and they've confirmed this is a bit broken and we don't have support for these challenges with Custom auth. They agreed however we should support them at base and we've identified this as a feature request with the team and they've placed it on the prioritised list. Unfortunately I can't give a definitive time-frame for this to be implemented fully.

TL;DR: Custom auth flow with password verification isn't supported fully at the moment. Password-reset challenges break the flow.

For us, we use a workaround: In the PreTokenGeneration lambda trigger, we check if the current auth flow comes from a password reset event. If this is the case, we just throw an exception and no tokens are issued. The exception message is returned to the client, so by checking the message content of the exception, you can see what exact error has occurred. If you see that the tokens were not generated because of a password reset, just tell the user: "Password successfully reset" and redirect them to the login page again. From there they can log in normally, going through the whole custom auth flow.

Sadly, no feedback can be given on when the feature is available. Apparently most new features are announced here, so I'll be keeping an eye out for that.

Upvotes: 7
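The workaround in the answer, as an added example (not the answerer's own code): a PreTokenGeneration handler that detects the temporary-password change step through the trigger source Cognito sets for it, `TokenGeneration_NewPasswordChallenge`, and raises so that no tokens are issued, plus the client-side check that maps the relayed error message back to "password reset, please log in again". The marker string, the exception class and `tokens_would_be_issued` are this example's own choices, and the sample events are constructed.

```python
# Added example: PreTokenGeneration guard for the CUSTOM_AUTH + NEW_PASSWORD_REQUIRED
# gap described in the answer. event["triggerSource"] is set by Cognito;
# "TokenGeneration_NewPasswordChallenge" is the value used when the user has just
# answered the NEW_PASSWORD_REQUIRED challenge for a temporary password.

# Assumed marker: the client searches the relayed error message for this string.
PASSWORD_RESET_MARKER = "PASSWORD_RESET_COMPLETE"


class PasswordResetCompleted(Exception):
    """Raised to abort token issuance after a successful password reset."""


def pre_token_generation(event, context=None):
    """Refuse tokens for the password-reset step; pass every other flow through."""
    if event.get("triggerSource") == "TokenGeneration_NewPasswordChallenge":
        # Raising from the trigger makes Cognito fail the request and relay the
        # message to the client, so no ID/access/refresh tokens are minted.
        raise PasswordResetCompleted(PASSWORD_RESET_MARKER)
    # Normal authentication (e.g. TokenGeneration_Authentication): unchanged.
    return event


def tokens_would_be_issued(event) -> bool:
    """Local stand-in for Cognito's handling: an exception means no tokens."""
    try:
        pre_token_generation(event)
        return True
    except PasswordResetCompleted:
        return False


def classify_auth_error(message: str) -> str:
    """Client side: turn the relayed trigger error into a UI decision."""
    if PASSWORD_RESET_MARKER in message:
        # Tell the user "Password successfully reset" and send them back to login.
        return "password_reset"
    return "auth_failed"


if __name__ == "__main__":
    # Constructed sample events with only the field the guard reads.
    reset_event = {"triggerSource": "TokenGeneration_NewPasswordChallenge"}
    login_event = {"triggerSource": "TokenGeneration_Authentication"}
    print(tokens_would_be_issued(reset_event), tokens_would_be_issued(login_event))
```

Matching on the trigger source rather than on user attributes keeps the guard narrow: refresh-token and ordinary custom-flow invocations still receive tokens, and only the reset step is cut short so the user re-enters the full custom flow on their next login.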
