I have a mobile app with a user pool (username & password). The app works fine with the aws-amplify SDK, but I wanted to move the code out to Lambdas, so I have written the following Lambda using Boto3.
Here is the Lambda:
```python
import boto3

def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response
```
Tried admin_initiate_auth too.
```python
import boto3

def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    # admin_initiate_auth takes the UserPoolId and uses the admin variant of the flow
    response = client.admin_initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='ADMIN_USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response
```
Here is the error that I get.
```
An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client: InvalidParameterException
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 12, in lambda_handler
    'PASSWORD': 'xxxxx'
  File "/var/runtime/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 615, in _make_api_call
    raise error_class(parsed_response, operation_name)
InvalidParameterException: An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client
```
Any thoughts?
AWS Cognito User Pool will send a verification code by email or SMS, and the user enters the code to get verified with the User Pool. The user enters username and password and logs in with the Cognito User Pool, in which case a token will be provided by Cognito upon successful login.
ADMIN_NO_SRP_AUTH: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for the calling app client.
ADMIN_USER_PASSWORD_AUTH: Admin-based user password authentication. This replaces the ADMIN_NO_SRP_AUTH authentication flow.
ClientMetadata. A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.
Figured it out. I went to User Pool -> App clients -> Show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).
That fixed it.
Figured it out. I went to User Pool -> App clients -> Show details -> Enable username-password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH).
For me, I found that my credentials needed an HMAC; here is the class in case it is useful to someone.
```python
import base64
import hashlib
import hmac

import boto3


class AwsAuth(object):
    '''
    Authenticates against a Cognito User Pool app client that has a client
    secret, which requires a SECRET_HASH alongside USERNAME and PASSWORD.
    '''

    def gettoken(self):
        if self.token:
            return self.token
        else:
            return False

    def connect(self):
        # Prompt for whatever was not supplied to the constructor (Python 3 input()).
        if not self.username:
            self.username = input("Username: ")
        if not self.password:
            self.password = input("Password: ")
        digest = self.gethmacdigest(self.username)
        response = self.client.initiate_auth(
            ClientId=self.clientid,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': self.username,
                'PASSWORD': self.password,
                'SECRET_HASH': digest
            },
            ClientMetadata={
                'UserPoolId': self.userpoolid
            }
        )
        self.token = response
        return response

    def gethmacdigest(self, username):
        # SECRET_HASH = Base64(HMAC-SHA256(key=client secret, msg=username + client id)).
        # hmac.new() needs a bytes key, so the secret is encoded as well as the message.
        message = username + self.clientid
        dig = hmac.new(self.clientsecret.encode('UTF-8'),
                       msg=message.encode('UTF-8'),
                       digestmod=hashlib.sha256).digest()
        return base64.b64encode(dig).decode()

    def __init__(self, path, url, fileout, filein, userpoolid, clientid,
                 clientsecret, region, username=None, password=None):
        '''
        Constructor
        '''
        # boto3.set_stream_logger('botocore', level="DEBUG")
        self.path = path
        self.url = url
        self.fileout = fileout
        self.filein = filein
        self.userpoolid = userpoolid
        self.clientid = clientid
        self.clientsecret = clientsecret
        self.region = region
        self.token = ""
        boto3.setup_default_session(region_name=region)
        self.client = boto3.client('cognito-idp')
        self.username = username
        self.password = password
```
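The question's InvalidParameterException and the SECRET_HASH answer above come down to two things the Lambda can verify itself: whether the app client has the flow in its ExplicitAuthFlows, and whether it carries a client secret. This added example (not code from the question or the answers) computes SECRET_HASH exactly as described above, checks the flow with DescribeUserPoolClient before calling InitiateAuth, and reads the pool, client id and secret from assumed environment variable names (COGNITO_USER_POOL_ID, COGNITO_CLIENT_ID, COGNITO_CLIENT_SECRET); the Lambda role is assumed to have cognito-idp:DescribeUserPoolClient.

```python
import base64
import hashlib
import hmac
import os

# Older app clients report the legacy names, newer ones the ALLOW_* names;
# both forms appear in DescribeUserPoolClient.ExplicitAuthFlows.
_FLOW_ALIASES = {
    "USER_PASSWORD_AUTH": {"USER_PASSWORD_AUTH", "ALLOW_USER_PASSWORD_AUTH"},
    "ADMIN_USER_PASSWORD_AUTH": {"ADMIN_NO_SRP_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"},
}

def auth_flow_enabled(client_desc, flow):
    """True if the DescribeUserPoolClient response permits `flow` on the app client."""
    enabled = set(client_desc.get("UserPoolClient", {}).get("ExplicitAuthFlows", []))
    return bool(enabled & _FLOW_ALIASES[flow])

def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_auth_parameters(username, password, client_id, client_secret=None):
    """AuthParameters for InitiateAuth; SECRET_HASH is required only when the client has a secret."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params

def lambda_handler(event, context):
    import boto3  # imported here so the pure helpers above run without the SDK installed
    client = boto3.client("cognito-idp")
    client_id = os.environ["COGNITO_CLIENT_ID"]            # assumed env var names
    client_secret = os.environ.get("COGNITO_CLIENT_SECRET")
    desc = client.describe_user_pool_client(
        UserPoolId=os.environ["COGNITO_USER_POOL_ID"], ClientId=client_id)
    if not auth_flow_enabled(desc, "USER_PASSWORD_AUTH"):
        # The misconfiguration behind the InvalidParameterException above, caught up front.
        raise RuntimeError("app client does not allow USER_PASSWORD_AUTH; enable it on the client")
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters=build_auth_parameters(event["username"], event["password"],
                                             client_id, client_secret),
    )
    # Return only the tokens (or the pending challenge), not the whole response object.
    return resp.get("AuthenticationResult", {"ChallengeName": resp.get("ChallengeName")})
```

A client without a secret must not send SECRET_HASH, and one with a secret must; build_auth_parameters handles both from the presence of the secret.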