dynamo

Reputation: 309

AWS Cognito custom flow authentication returns 'Incorrect username or password'

I am trying to set up a custom authentication flow with Cognito to enable email MFA, but when I attempt to log in I get the error:

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Incorrect username or password.

This is the API call I am using. I have double-checked, and tried using USER_PASSWORD_AUTH as the flow to make sure the user's details are right, and yes, I can log in when using this flow, so they are correct.

    aws cognito-idp initiate-auth --auth-flow CUSTOM_AUTH --auth-parameters USERNAME=testuser,PASSWORD=password1 --client-id clientId

Below is my Define Auth Challenge trigger:

    // Define Auth Challenge trigger (Node.js Lambda handler)
    exports.handler = function (event, context) {
        if (event.request.session.length == 1 && event.request.session[0].challengeName == 'SRP_A') {
            // Client opened with SRP_A: let Cognito verify the password next
            event.response.issueTokens = false;
            event.response.failAuthentication = false;
            event.response.challengeName = 'PASSWORD_VERIFIER';
        } else if (event.request.session.length == 2 && event.request.session[1].challengeName == 'PASSWORD_VERIFIER' && event.request.session[1].challengeResult == true) {
            // Password was correct: now run the custom (email MFA) challenge
            event.response.issueTokens = false;
            event.response.failAuthentication = false;
            event.response.challengeName = 'CUSTOM_CHALLENGE';
        } else if (event.request.session.length == 3 && event.request.session[2].challengeName == 'CUSTOM_CHALLENGE' && event.request.session[2].challengeResult == true) {
            // Custom challenge answered correctly: issue tokens
            event.response.issueTokens = true;
            event.response.failAuthentication = false;
        } else {
            // Anything else (empty session, failed step, unexpected order): reject
            event.response.issueTokens = false;
            event.response.failAuthentication = true;
        }
        context.done(null, event);
    };

Is there something wrong with this? This code is copied from the AWS Cognito custom flow guide for Define Auth Challenge, so I am struggling to know what is wrong.

Upvotes: 5

Views: 2918

Answers (1)

danv

Reputation: 117

I think I know what's wrong, and it's not the Define Auth Challenge trigger.

In Create Auth Challenge, if you specify an event.response.clientMetadata, you MUST specify the private or public challengeParameters, or both; otherwise it will not work.

i.e.

    // create-auth-challenge.js (fails)
    exports.handler = function (event, context) {
        event.response.challengeMetadata = "TOKEN_CHECK";
        // 400 Incorrect username or password.
        context.done(null, event);
    };

    // create-auth-challenge.js (works)
    exports.handler = function (event, context) {
        event.response.challengeMetadata = "TOKEN_CHECK";
        event.response.privateChallengeParameters = {
            test: "test"
        };
        event.response.publicChallengeParameters = {
            test: "test"
        };
        // 200 OK
        context.done(null, event);
    };

It's nasty because the error message is misleading.

Upvotes: 3
