4 votes

I'm currently working on a custom authentication flow, using the Define, Create and Verify triggers. However, the user's password isn't checked during the flow. We use the USER_PASSWORD_AUTH option on our clients, so no SRP.

I saw this question, "Can I use the migration trigger in a Custom auth flow", and didn't quite make out if it answered my question:

Is it possible to use custom auth flow in combination with username-password (non-SRP) flow? And if so, what is the challenge name that I have to return?

Here it is stated that combinations can be used, but it seems to me that the PASSWORD_VERIFIER only works with the SRP auth:

A custom authentication flow can also use a combination of built-in challenges such as SRP password verification and MFA via SMS, and custom challenges such as CAPTCHA or secret questions.


1 Answer

6 votes

So I managed to add the password challenge to the custom auth flow by returning it as the first challenge in the DefineAuthChallenge Lambda trigger, like this:

// Add the password verifier to verify the password first.
// On the first invocation the session is empty (or missing), so no
// PASSWORD_VERIFIER entry exists yet and we ask for it before anything else.
if (input.Request?.Session == null || !input.Request.Session.Any(s => s.ChallengeName == "PASSWORD_VERIFIER"))
{
    input.Response.ChallengeName = AuthChallengeNames.AWS_PasswordVerifier;
    input.Response.FailAuthentication = false; // not a failure, just the first step of the flow
    input.Response.IssueTokens = false;        // no tokens until every challenge has passed

    return input;
}

No challenges are present in the session, as this should be the first challenge returned by the custom auth flow, as described here (section 'Custom Authentication Flow'):

If you want to include SRP in a custom authentication flow, you need to start with it.

However, at the moment, if a user is forced to change their password, the custom auth flow is skipped afterwards, which is a bug confirmed by AWS. See the related post here.

The example here (section 'Define Auth Challenge Example') proved to be blatantly wrong, as there are no challenges in the session the first time the define auth challenge trigger is hit.
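Added example, not part of the answer above: a complete DefineAuthChallenge trigger in Node.js that implements the ordering the answer describes (built-in PASSWORD_VERIFIER first, then one CUSTOM_CHALLENGE, then tokens), and also handles the outcomes the snippet leaves out: a wrong password fails the flow instead of falling through to the custom challenge, and a wrong custom answer is retried up to a limit. The retry limit, the `makeEvent` helper and its constructed session entries are assumptions of this example; the `challengeName`/`challengeResult` session fields and the `issueTokens`/`failAuthentication`/`challengeName` response fields are the ones Cognito passes to and reads from this trigger.

```javascript
'use strict';

// Assumption of this example: how many wrong custom-challenge answers we tolerate
// before failing the sign-in.
const MAX_CUSTOM_ATTEMPTS = 3;

// Fills in event.response and returns the event, as the trigger must.
function defineAuthChallenge(event) {
  const session = (event.request && event.request.session) || [];
  const response = event.response || (event.response = {});

  // Defaults: neither a success nor a failure yet.
  response.issueTokens = false;
  response.failAuthentication = false;

  // Step 1: first invocation, the session is empty. Start with the built-in
  // password check so a wrong password can never reach the custom challenge.
  if (session.length === 0) {
    response.challengeName = 'PASSWORD_VERIFIER';
    return event;
  }

  const last = session[session.length - 1];

  // Step 2: the password check has just run. A wrong password ends the flow;
  // a correct one moves on to our custom challenge.
  if (last.challengeName === 'PASSWORD_VERIFIER') {
    if (last.challengeResult === true) {
      response.challengeName = 'CUSTOM_CHALLENGE';
    } else {
      response.failAuthentication = true;
    }
    return event;
  }

  // Step 3: a custom challenge has just been answered (verified by the separate
  // VerifyAuthChallengeResponse trigger, which is not shown here).
  if (last.challengeName === 'CUSTOM_CHALLENGE') {
    if (last.challengeResult === true) {
      response.issueTokens = true; // every challenge passed
      return event;
    }
    const attempts = session.filter((s) => s.challengeName === 'CUSTOM_CHALLENGE').length;
    if (attempts >= MAX_CUSTOM_ATTEMPTS) {
      response.failAuthentication = true; // too many wrong answers
    } else {
      response.challengeName = 'CUSTOM_CHALLENGE'; // let the user retry
    }
    return event;
  }

  // Anything else (a challenge this flow never asked for) is treated as a failure.
  response.failAuthentication = true;
  return event;
}

// Builds a trigger event around a constructed session. Test input only: a real
// Cognito payload carries more fields, but this handler reads only these.
function makeEvent(session) {
  return {
    triggerSource: 'DefineAuthChallenge_Authentication',
    request: { session: session, userAttributes: {} },
    response: {},
  };
}

// Lambda entry point; in a deployment this would be `exports.handler = handler`.
const handler = async (event) => defineAuthChallenge(event);
```

Because the decision depends only on the session array Cognito passes in, the handler is a pure function of its input and can be unit-tested with hand-built sessions, which is also the easiest way to see that the first invocation really does arrive with an empty session.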