I'm currently working on a custom authentication flow, using the define, create and verify triggers. However, the user's password isn't checked during the flow. We use the USER_PASSWORD_AUTH option on our clients, so no SRP.

I saw this question Can I use the migration trigger in a Custom auth flow and didn't quite make out if it answered my question:

Is it possible to use custom auth flow in combination with username-password (non-SRP) flow? And if so, what is the challenge name that I have to return?

Here it is stated that combinations can be used, but it seems to me that the PASSWORD_VERIFIER only works with the SRP auth:

A custom authentication flow can also use a combination of built-in challenges such as SRP password verification and MFA via SMS, and custom challenges such as CAPTCHA or secret questions.

Sven Möhring

1 Answer

So I managed to add the password challenge to the custom auth flow, by returning it as the first challenge in the DefineAuthChallenge lambda trigger, like this:

// using System.Linq; is required for the .Any() call below.
// Add the password verifier to verify the password first.
// On the very first invocation the session is empty (or null), so the
// PASSWORD_VERIFIER challenge is returned before any custom challenge.
if (input.Request?.Session == null || !input.Request.Session.Any(s => s.ChallengeName == "PASSWORD_VERIFIER"))
{
    input.Response.ChallengeName = AuthChallengeNames.AWS_PasswordVerifier; // "PASSWORD_VERIFIER"
    input.Response.FailAuthentication = false;
    input.Response.IssueTokens = false;

    return input;
}

No challenges are given in the session, as this should be the first challenge to be returned by the custom auth flow, as described here (section 'Custom Authentication Flow'):

If you want to include SRP in a custom authentication flow, you need to start with it.

However, at the moment, if a user is forced to change their password, the custom auth flow is skipped afterwards, which is a bug at the moment, confirmed by AWS. See related post here.

The example here (section 'Define Auth Challenge Example') proved to be blatantly wrong, as there are no challenges in the session the first time the define auth challenge trigger is hit.

Sven Möhring
  • To add to this, AWS Amplify uses the SRP flow in case of CUSTOM_AUTH, and does not allow doing CUSTOM_AUTH with USERNAME_PASSWORD – JVS May 19 '20 at 11:10
  • Is there a way to set up the user pool so clients can log in with username/password OR through a custom challenge? Like allow both, and let the client app choose which one it uses. – Dave Apr 19 '21 at 17:55
  • @Dave probably not, as the password needs to be checked by the user pool as the first challenge. If you implement the password check yourself (not recommended), you could send an initial challenge asking which way to use and then return the password challenge or the custom auth challenges. – Sven Möhring Apr 20 '21 at 10:18
  • Actually I got this working through nodejs client code. Haven't had a chance to try it on Android/iOS yet, but you call initiateAuth and pass CUSTOM_AUTH and if your triggers are set up, it will let you auth without the actual password. I'll find a closer snippet Monday... – Dave Apr 25 '21 at 02:38
  • @Dave Sure, if you only want to do the custom auth challenge without any password check, you can do this. But I didn't find a way to do the password check with Cognito when the first challenge wasn't the password challenge. If you found out a way to have the first challenge be 'Do you want to use password or SMS auth?' and then either send the password or sms challenge depending on the first challenges answer, that would be nice to know :-) – Sven Möhring Apr 27 '21 at 20:18
  • @SvenMöhring, I'm trying this and getting "Missing required parameter srpA". I'm sending USERNAME and PASSWORD to initiateAuth. How did you use PASSWORD_VERIFIER without SRP? – ganta Feb 14 '23 at 21:39
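The sequencing the accepted answer describes, written out as a complete Node.js DefineAuthChallenge handler (an added example, not the answer's C# code or anything from AWS): PASSWORD_VERIFIER is issued first, a CUSTOM_CHALLENGE follows only after the user pool has confirmed the password, and every other state fails closed. The retry limit of three is an assumption; the event field names follow the DefineAuthChallenge trigger contract.

```javascript
// Added example, not the answer's code: a Node.js DefineAuthChallenge trigger that
// runs Cognito's built-in PASSWORD_VERIFIER first, then one custom challenge.
// Field names follow the DefineAuthChallenge event contract (request.session,
// response.challengeName / failAuthentication / issueTokens).
const MAX_CUSTOM_FAILURES = 3; // assumption: three wrong answers end the flow

function defineAuthChallenge(event) {
  const session = (event.request && event.request.session) || [];
  const response = { failAuthentication: false, issueTokens: false };
  const done = () => ({ ...event, response });

  // First invocation: the session is empty, so start with the password check.
  // PASSWORD_VERIFIER must be the first challenge or Cognito will not run it.
  if (session.length === 0) {
    response.challengeName = 'PASSWORD_VERIFIER';
    return done();
  }

  const last = session[session.length - 1];

  if (last.challengeName === 'PASSWORD_VERIFIER') {
    // A wrong password ends the flow; a correct one moves on to the custom step.
    if (!last.challengeResult) {
      response.failAuthentication = true;
      return done();
    }
    response.challengeName = 'CUSTOM_CHALLENGE';
    return done();
  }

  if (last.challengeName === 'CUSTOM_CHALLENGE') {
    if (last.challengeResult) {
      response.issueTokens = true; // custom answer verified: hand out tokens
      return done();
    }
    const failures = session.filter(
      (s) => s.challengeName === 'CUSTOM_CHALLENGE' && !s.challengeResult).length;
    if (failures >= MAX_CUSTOM_FAILURES) {
      response.failAuthentication = true;
    } else {
      response.challengeName = 'CUSTOM_CHALLENGE'; // let the user retry
    }
    return done();
  }

  // Any other state (for example an unexpected challenge name) fails closed.
  response.failAuthentication = true;
  return done();
}
```

Because the password step is checked by the user pool itself, the CreateAuthChallenge and VerifyAuthChallengeResponse triggers only ever see the CUSTOM_CHALLENGE rounds.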