Custom auth flow doesn't work when MFA is enabled for cognito #11540

Closed
3 tasks done
Sax-Yusuph opened this issue Jun 22, 2023 · 5 comments

Sax-Yusuph commented Jun 22, 2023

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

# Put output below this line
System:
    OS: macOS 13.0.1
    CPU: (10) arm64 Apple M1 Pro
    Memory: 142.95 MB / 16.00 GB
    Shell: 3.6.0 - /opt/homebrew/bin/fish
  Binaries:
    Node: 18.16.0 - ~/.nvm/versions/node/v18.16.0/bin/node
    Yarn: 1.22.19 - ~/.nvm/versions/node/v18.16.0/bin/yarn
    npm: 9.6.7 - ~/.nvm/versions/node/v18.16.0/bin/npm
    Watchman: 2023.05.22.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 114.0.5735.133
    Safari: 16.1
  npmPackages:
    @ampproject/toolbox-optimizer:  undefined ()
    aws-amplify: ^4.3.36 => 4.3.36 
  npmGlobalPackages:


Describe the bug

Custom auth flow doesn't work when SMS MFA is also enabled. We want to be able to use both SMS MFA and email MFA using custom auth flow, but the define auth challenge Lambda is not being triggered for custom auth.

This issue was previously opened in #3876 but was closed without any solution.

Expected behavior

Define auth challenge should invoke the next challenge in the authentication flow.

Reproduction steps

Same as the ticket #3876

  1. Create a new user pool with SMS MFA authentication.
  2. Define a "Define auth challenge" trigger like the one in this documentation
  3. Define the "Create auth challenge" and "Verify auth challenge response" triggers to lambdas similar to the ones in the documentation.
  4. Create a user and configure TOTP software MFA for the user.
  5. Call initiateAuth with AuthFlow=CUSTOM_AUTH and SRP_A auth parameters.
  6. Cognito triggers the "Define auth challenge" lambda and returns PASSWORD_VERIFIER challenge.
  7. Call respondToAuthChallenge with the SRP password verifier challenge response.
  8. Cognito verifies the challenge and responds with a SOFTWARE_TOKEN_MFA challenge instead of a CUSTOM_CHALLENGE challenge. The trigger lambda is not invoked.
  9. Calling respondToAuthChallenge with the MFA token results in a successful authentication and Cognito responding with tokens.

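The trigger behaviour that reproduction steps 5 to 8 expect, as an added example that is not part of the original issue or of Amplify's code: a Define Auth Challenge handler that walks SRP_A, PASSWORD_VERIFIER and CUSTOM_CHALLENGE and issues tokens only after the custom step succeeds. `decideNextChallenge`, `MAX_ATTEMPTS` and the sample sessions are constructed for illustration; the event fields are the ones Cognito passes to this trigger.

```javascript
// Added example, not from the issue: Define Auth Challenge decision logic for
// an SRP password check followed by one custom (e.g. email OTP) challenge.
// MAX_ATTEMPTS and all function names are assumptions made for this sketch.
const MAX_ATTEMPTS = 3;

function decideNextChallenge(session) {
  const next = (challengeName) =>
    ({ challengeName, issueTokens: false, failAuthentication: false });
  const fail = { issueTokens: false, failAuthentication: true };
  const last = session[session.length - 1];
  if (!last) return fail;

  // Steps 5-6 of the report: only SRP_A so far, ask for the password verifier.
  if (session.length === 1 && last.challengeName === 'SRP_A') {
    return next('PASSWORD_VERIFIER');
  }
  // Steps 7-8: password proven, so the custom second factor must come next.
  if (session.length === 2 && last.challengeName === 'PASSWORD_VERIFIER') {
    return last.challengeResult === true ? next('CUSTOM_CHALLENGE') : fail;
  }
  if (last.challengeName === 'CUSTOM_CHALLENGE') {
    const passwordOk = session.some(
      (s) => s.challengeName === 'PASSWORD_VERIFIER' && s.challengeResult === true);
    const attempts = session.filter(
      (s) => s.challengeName === 'CUSTOM_CHALLENGE').length;
    // Tokens are issued only when BOTH factors succeeded.
    if (last.challengeResult === true && passwordOk) {
      return { issueTokens: true, failAuthentication: false };
    }
    return passwordOk && attempts < MAX_ATTEMPTS ? next('CUSTOM_CHALLENGE') : fail;
  }
  return fail; // anything unexpected is rejected, never waved through
}

// Lambda entry point: Cognito passes the history in event.request.session.
async function handler(event) {
  Object.assign(event.response, decideNextChallenge(event.request.session));
  return event;
}

// Constructed session histories (challengeName / challengeResult per round).
const srp = { challengeName: 'SRP_A', challengeResult: true };
const pwd = { challengeName: 'PASSWORD_VERIFIER', challengeResult: true };
const otp = (ok) => ({ challengeName: 'CUSTOM_CHALLENGE', challengeResult: ok });

for (const s of [[srp], [srp, pwd], [srp, pwd, otp(false)], [srp, pwd, otp(true)]]) {
  console.log(s.map((r) => r.challengeName).join(' > '), '=>',
    JSON.stringify(decideNextChallenge(s)));
}
```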

Sax-Yusuph added the pending-triage (Issue is pending triage) label Jun 22, 2023
@ArturV93

Did you pull the backend for authentication after enabling Multi-Factor Authentication (MFA)?
Check in amplify/backend/auth/PROJECT_NAME/parameter.json that the following are enabled:

"mfaConfiguration": "ON",
"mfaTypes": [
  "SMS"
]

nadetastic added the Auth (Related to Auth components/category) label Jun 22, 2023
nadetastic self-assigned this Jun 22, 2023
nadetastic added the investigating (This issue is being investigated) label and removed the pending-triage (Issue is pending triage) label Jun 22, 2023
@nadetastic
Member

Hi @Sax-Yusuph, thank you for opening this issue. I am currently investigating this and I'm not able to reproduce the scenario where my DefineAuth challenge lambda is NOT invoked. Can you confirm the above comment?

Also are you using the Amplify Auth package with your Application?

@nadetastic
Member

@Sax-Yusuph an additional note - we are currently aware of a bug when attempting to use MFA with Custom Auth Flow, as discussed on this issue.

However what you described is a bit different, where you are able to successfully sign in without the Define Auth Lambda being invoked. I haven't been able to reproduce that, so if you have any additional info or context that can help in reproducing this error please let me know.

@Sax-Yusuph
Author

Sax-Yusuph commented Jun 23, 2023

Oh @nadetastic, I mean in my case, SMS MFA works without any issues... but we couldn't get the email MFA to work using custom auth. (Probably due to the bug you mentioned)

For now, we just had to keep using SMS MFA. Is there a timeline as to when this will be fixed?

@nadetastic
Member

nadetastic commented Jun 24, 2023

@Sax-Yusuph got it, thanks for the confirmation. Yes the issue is blocked, and although we are currently working on it, I'm unable to provide an ETA at this time. However, please subscribe to the issue on #9592 with any additional questions or comments, as updates will be posted and provided there.

For now I will close out this issue to consolidate with #9592

Thanks!

nadetastic closed this as not planned Jun 24, 2023
cwomack removed the investigating (This issue is being investigated) label Aug 29, 2023