Description
I am attempting to use the aws-sdk-net-extensions-cognito library for Cognito authentication with device tracking enabled. The CloudFormation properties on the User Pool for this configuration are:

```yaml
DeviceConfiguration:
  ChallengeRequiredOnNewDevice: false
  DeviceOnlyRememberedOnUserPrompt: false
```
I can successfully complete the following steps:
- User logs in for the first time using `StartWithSrpAuthAsync` (generates a new device key)
- Use the `NewDeviceMetadata` to create a `DeviceVerifier`, which includes `PasswordVerifier` and `Salt`
- Use this to `ConfirmDeviceAsync`, which shows the new device for the user in the Cognito AWS Console dashboard
- As long as the device key is set on the user I can invoke `StartWithRefreshTokenAuthAsync` to successfully get refresh tokens
My issue at this point is that signing out and attempting to sign back in fails using the device key from the previous session. I know I need to generate a new token, but I shouldn't have to regenerate the device key on the same device. Currently, when I try to log in using the device key from the previous session I get the following error:
"Incorrect username or password."
Here is my code for attempting to log in using a local device key from the previous session:
```csharp
// Attach the device key cached from the previous session instead of creating a new device
user.Device = new CognitoDevice(
    new DeviceType { DeviceKey = deviceKey },
    user
);

// Generate a device verifier (PasswordVerifier + Salt) for the cached device
var deviceVerifier = user.GenerateDeviceVerifier(DeviceInfo.DeviceGroupKey, password, DeviceInfo.DeviceKey);

authRequest = new InitiateSrpAuthRequest()
{
    Password = password,
    DeviceGroupKey = deviceGroupKey,
    DevicePass = deviceVerifier.PasswordVerifier,
    DeviceVerifier = deviceVerifier.Salt
};

// Fails with the 400 error mentioned above
var authResponse = await user.StartWithSrpAuthAsync(authRequest);
```
I have a feeling it's related to the creation of the new `InitiateSrpAuthRequest()` and the values I am providing. I was unable to find documentation around these parameter values. I was assuming `DevicePass` is the `PasswordVerifier` created by `GenerateDeviceVerifier` and `DeviceVerifier` is the `Salt` from `GenerateDeviceVerifier`, but the key names are confusing.
TLDR: What values are expected for `DevicePass` and `DeviceVerifier`, or am I doing something else incorrectly?
AWS .NET SDK and/or Package version used
Amazon.Extensions.CognitoAuthentication 2.5.2 (latest)
Targeted .NET Platform
.NET Framework 4.8 & .NET 6.0
Operating System and version
Windows 10/11
Expected Behavior
I can re-authenticate a user (not refresh) using the same device key, which will not create a new device for that user as long as they are on the same machine.
Current Behavior
- Initial token/device key creation works
- Token refresh works when device key is provided
- Logging out and logging back in fails due to "Incorrect username or password."
- The only difference with the initial auth is the parameters we pass to `InitiateSrpAuthRequest()`
- For the initial login we only provide the `Password`
- For recurring logins where a local device key is found in the cache we provide `Password`, `DeviceGroupKey`, `DevicePass` and `DeviceVerifier`, which fails
References
The issue follows a very similar flow outlined in this other old issue https://github.com/aws/aws-sdk-net-extensions-cognito/issues/44 on GitHub but I am getting a different error at the final step.
Another user on the same thread commented with the SAME ERROR message but his remedy did not seem to help me. He is questioning the signature on GenerateDeviceVerifier(). I have tried username and deviceKey.
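Added example, not code from this issue or from the aws-sdk-net-extensions-cognito library: a Python model of the device SRP math that the ConfirmDevice and DEVICE_SRP_AUTH steps described above depend on. It follows the padding and hashing conventions used by the Cognito client SDKs (assumed to match the .NET library; verify against your SDK). The group key and device key strings are constructed. It shows the property the report turns on: the verifier stored server-side at ConfirmDevice is derived from a random device password, so a client that regenerates a verifier from a fresh secret at the next login cannot pass the device challenge; the original device password must be cached with the device key and group key. Which `InitiateSrpAuthRequest` field is meant to carry that secret is exactly what the issue leaves open, and the example does not claim to answer it.

```python
import base64
import hashlib
import secrets

# RFC 5054 / RFC 3526 3072-bit MODP group, the SRP group Cognito uses (copied from the RFC;
# check it against the N constant in your SDK before relying on it).
N_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33"
    "A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
    "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864"
    "D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2"
    "08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
)
N = int(N_HEX, 16)
G = 2


def pad_hex(n: int) -> str:
    """Hex encoding with the sign-safe padding the Cognito SDKs apply before hashing/encoding."""
    h = format(n, "x")
    if len(h) % 2 == 1:
        h = "0" + h
    elif h[0] in "89abcdef":
        h = "00" + h
    return h


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hex_hash(hex_str: str) -> str:
    """SHA-256 over the bytes a hex string decodes to."""
    return sha256_hex(bytes.fromhex(hex_str))


# SRP-6a multiplier k = H(N, g) over the padded encodings.
K = int(hex_hash("00" + format(N, "x") + "0" + format(G, "x")), 16)


def device_x(device_group_key: str, device_key: str, device_password: str, salt: int) -> int:
    """x = H(salt || H(deviceGroupKey || deviceKey || ':' || devicePassword))."""
    identity = f"{device_group_key}{device_key}:{device_password}".encode()
    return int(hex_hash(pad_hex(salt) + sha256_hex(identity)), 16)


def generate_device_verifier(device_group_key, device_key, device_password=None, salt=None):
    """Returns (device_password, salt, verifier). A fresh random secret and salt are drawn
    unless supplied; the verifier is g^x mod N. The secret never leaves the client."""
    if device_password is None:
        device_password = secrets.token_urlsafe(30)
    if salt is None:
        salt = int.from_bytes(secrets.token_bytes(16), "big")
    verifier = pow(G, device_x(device_group_key, device_key, device_password, salt), N)
    return device_password, salt, verifier


def to_cognito_base64(n: int) -> str:
    """Base64 of the padded big-endian bytes, the form PasswordVerifier and Salt are sent in."""
    return base64.b64encode(bytes.fromhex(pad_hex(n))).decode()


def compute_u(A: int, B: int) -> int:
    return int(hex_hash(pad_hex(A) + pad_hex(B)), 16)


def device_srp_shared_secrets(device_group_key, device_key, salt, verifier, client_password):
    """One DEVICE_SRP_AUTH round. The server side only holds the (salt, verifier) stored at
    ConfirmDevice; the client side only holds its device password. Returns (client S, server S)."""
    a = int.from_bytes(secrets.token_bytes(128), "big") % N
    A = pow(G, a, N)
    b = int.from_bytes(secrets.token_bytes(128), "big") % N
    B = (K * verifier + pow(G, b, N)) % N
    u = compute_u(A, B)
    x = device_x(device_group_key, device_key, client_password, salt)
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow((A * pow(verifier, u, N)) % N, b, N)
    return s_client, s_server


def device_challenge_succeeds(device_group_key, device_key, salt, verifier, client_password) -> bool:
    s_client, s_server = device_srp_shared_secrets(device_group_key, device_key, salt, verifier, client_password)
    return s_client == s_server


if __name__ == "__main__":
    # Constructed identifiers, not real Cognito values.
    group_key, dev_key = "-example-device-group", "us-east-1_example-device-key"
    secret, salt, verifier = generate_device_verifier(group_key, dev_key)   # what ConfirmDevice stores
    print(device_challenge_succeeds(group_key, dev_key, salt, verifier, secret))        # True
    regenerated, _, _ = generate_device_verifier(group_key, dev_key)        # a fresh secret at re-login
    print(device_challenge_succeeds(group_key, dev_key, salt, verifier, regenerated))   # False
```

Cognito additionally runs the shared secret S and u through HKDF to obtain the key that signs the challenge response; that step is omitted because agreement on S already decides the outcome. The practical consequence is that the device password is a long-lived device credential: cache it alongside the device key and device group key, protected by the OS credential store (on the Windows targets named here, DPAPI/ProtectedData), and never regenerate it on the same machine.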