
Hi, I'm implementing a custom auth flow on a Cognito User Pool. I managed to handle the Define- and CreateAuthChallenge triggers, but not the VerifyAuthChallenge.

I use this documentation as a guide: Verify Auth Challenge Response Lambda Trigger

I take the verify-lambda input and add answerCorrect = true to the response, as described in the documentation. The Define- and CreateChallenge parts work as expected with the given information. When verifying the challenge answers, I get InvalidLambdaResponseException: Unrecognizable lambda output as a response. The verify-lambda exits successfully, returning this object:

{
    "version": 1,
    "triggerSource": "VerifyAuthChallengeResponse_Authentication",
    "region": "eu-central-1",
    "userPoolId": "eu-central-1_XXXXXXXXX",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-dotnet-coreclr-3.3.12.7",
        "clientId": "2490gqsa3gXXXXXXXXXXXXXXXX"
    },
    "request": {
        "challengeAnswer": "{\"DeviceSub\":\"TestSub\"}",
        "privateChallengeParameters": {
            "CUSTOM_CHALLENGE": "SessionService_SendDevice"
        },
        "userAttributes": {
            "sub": "8624237e-0be8-425e-a2cb-XXXXXXXXXXXX",
            "email_verified": "true",
            "cognito:user_status": "CONFIRMED",
            "email": "[email protected]"
        }
    },
    "response": {
        "answerCorrect": true
    },
    "userName": "8624237e-0be8-425e-a2cb-XXXXXXXXXXXX"
}

Before that, I ran into the problem that the "challengeAnswer" part was described as a Dictionary in the documentation, but it is actually just a string containing the dictionary as JSON. Sadly, I cannot find any information anywhere on why the returned object isn't accepted by Cognito.

Apparently someone had the same problem as me, using JavaScript: GitHub link

Can anyone tell me what the response object should look like so that it is accepted by Cognito? Thank you.

1 Answer


Well, so my mistake was not considering the custom authentication flow. I found a different documentation page, which is, by the way, the one you should definitely use:

Customizing your user pool authentication flow

I ran into 2 wrong parts in the documentation here (the triggers sub-pages) and 1 error on my part.

Wrong part 1: The DefineAuthChallenge and CreateAuthChallenge input for the session is defined as a list of challenge results. This is all fine, but the challenge result object has the challenge metadata part wrongly displayed as being written like this: "ChallengeMetaData", when instead it should be "ChallengeMetadata", with a lower case "d" for "data" instead of an upper case one. This gave me the "Unrecognized lambda output" error, because "ChallengeMetaData" wasn't what the backend was expecting; it was looking for "ChallengeMetadata", which wasn't present. The first time you enter the define auth challenge lambda, this error doesn't show up, because the session doesn't contain any challenge answers. The moment you verify a challenge, though, this gets filled, and then the upper case "d" gives you trouble.

Wrong part 2: As described in my question, the VerifyAuthChallenge input for the "challengeAnswer" is a string, not a Dictionary.

All these wrong parts are correctly displayed on the first documentation page I linked here. So I would recommend using that instead of the other documentation.

Error on my side: I didn't really check what happens after you verify a custom challenge via the VerifyAuthChallenge trigger. In the given link, in the image above the headline 'DefineAuthChallenge: The challenges (state machine) Lambda trigger', it clearly states that after verifying the response, the DefineAuthChallenge trigger is invoked again, which I didn't consider.

I hope I could save someone the time it took me to figure this out :-)
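As an added illustration of the round trip the answer describes (example code, not the asker's or AWS's own): Python versions of the three triggers, with the verify handler parsing challengeAnswer as a JSON string and a local simulation that calls DefineAuthChallenge again after verification, as Cognito does. The lower-camel-case key names in the session entries (challengeName, challengeResult, challengeMetadata) and the event shape are assumptions from the Lambda event JSON, not taken from the page.

```python
import json

# Constructed example, not the asker's code. Challenge name taken from the question.
CHALLENGE_METADATA = "SessionService_SendDevice"


def define_auth_challenge(event):
    """State machine: decide the next step from the session history."""
    session = event["request"]["session"]
    resp = event["response"]
    if not session:
        # First call: no answers yet, so present the custom challenge.
        resp.update(issueTokens=False, failAuthentication=False,
                    challengeName="CUSTOM_CHALLENGE")
    elif session[-1]["challengeName"] == "CUSTOM_CHALLENGE" and session[-1]["challengeResult"]:
        # Second call, after VerifyAuthChallengeResponse said the answer was correct.
        resp.update(issueTokens=True, failAuthentication=False)
    else:
        resp.update(issueTokens=False, failAuthentication=True)
    return event


def create_auth_challenge(event):
    # privateChallengeParameters stays server side; publicChallengeParameters goes to the client.
    event["response"].update(
        publicChallengeParameters={"challenge": "device"},
        privateChallengeParameters={"CUSTOM_CHALLENGE": CHALLENGE_METADATA},
        challengeMetadata=CHALLENGE_METADATA)
    return event


def verify_auth_challenge_response(event, expected_sub):
    # challengeAnswer arrives as a *string* holding JSON, not a dict (see the question).
    raw = event["request"]["challengeAnswer"]
    try:
        answer = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        answer = {}  # malformed answer: treat as wrong, never as an error
    event["response"]["answerCorrect"] = answer.get("DeviceSub") == expected_sub
    return event


def run_flow(answer_json, expected_sub="TestSub"):
    """Simulate Cognito's trigger sequence; returns the final DefineAuthChallenge response."""
    session = []
    define_auth_challenge({"request": {"session": session}, "response": {}})
    create = create_auth_challenge({"request": {"session": session}, "response": {}})
    verify = verify_auth_challenge_response(
        {"request": {"challengeAnswer": answer_json}, "response": {}}, expected_sub)
    # Cognito appends the verify result to the session and invokes DefineAuthChallenge again.
    session.append({"challengeName": "CUSTOM_CHALLENGE",
                    "challengeResult": verify["response"]["answerCorrect"],
                    "challengeMetadata": create["response"]["challengeMetadata"]})
    return define_auth_challenge({"request": {"session": session}, "response": {}})["response"]
```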