AWS Cognito's SMS Multi Factor Authentication returns invalid code or auth state


Question

I am trying to implement authentication built on Cognito using their Go SDK. I have been able to get basic username/password authentication to work, but when I add in 2-factor authentication using SMS I am getting stuck.

Steps to reproduce:

  1. I create the user with a username/password and email verification
  2. I validate the email address
  3. I set the phone number and request a verification code
  4. I verify the phone number
  5. I enable 2-factor authentication (via SMS)
  6. I try to sign in and receive the SMS_MFA challenge
  7. I receive the code on my phone and call AdminRespondToAuthChallenge

The problem is that I get the error:

CodeMismatchException: Invalid code or auth state for the user.
status code: 400, request id: 1513894e-8efa-11e8-a8f8-97e5e083c03b

The SMS verification code is certainly correct, so it seems that it must be something to do with the auth state.

The calls to Cognito look like this:

//Create the user with email and name attributes
c.cip.SignUp(&cognitoidentityprovider.SignUpInput{
    ClientId: aws.String(c.clientID),
    Username: aws.String(username),
    Password: aws.String(password),
    UserAttributes: []*cognitoidentityprovider.AttributeType{
        {
            Name:  aws.String("email"),
            Value: aws.String(email),
        },
        {
            Name:  aws.String("name"),
            Value: aws.String(fullName),
        },
    },
})

//Confirm the sign-up with the code emailed to the user
c.cip.ConfirmSignUp(&cognitoidentityprovider.ConfirmSignUpInput{
    ClientId:         aws.String(c.clientID),
    Username:         aws.String(username),
    ConfirmationCode: aws.String(code),
})

//Add the phone number
c.cip.AdminUpdateUserAttributes(&cognitoidentityprovider.AdminUpdateUserAttributesInput{
    UserPoolId: aws.String(c.userPoolID),
    Username:   aws.String(username),
    UserAttributes: []*cognitoidentityprovider.AttributeType{
        {
            Name:  aws.String("phone_number"),
            Value: aws.String(phoneNumber),
        },
    },
})

//Request a verification code
c.cip.GetUserAttributeVerificationCode(&cognitoidentityprovider.GetUserAttributeVerificationCodeInput{
    AccessToken:   aws.String(accessToken),
    AttributeName: aws.String("phone_number"),
})

//Verify the phone number
c.cip.VerifyUserAttribute(&cognitoidentityprovider.VerifyUserAttributeInput{
    AccessToken:   aws.String(accessToken),
    AttributeName: aws.String("phone_number"),
    Code:          aws.String(code),
})

//Enable SMS 2-factor auth
c.cip.AdminSetUserSettings(&cognitoidentityprovider.AdminSetUserSettingsInput{
    UserPoolId: aws.String(c.userPoolID),
    Username:   aws.String(username),
    MFAOptions: []*cognitoidentityprovider.MFAOptionType{
        {
            AttributeName:  aws.String("phone_number"),
            DeliveryMedium: aws.String("SMS"),
        },
    },
})

//Sign in with username/password; the response carries the SMS_MFA challenge and a Session
c.cip.AdminInitiateAuth(&cognitoidentityprovider.AdminInitiateAuthInput{
    ClientId:   aws.String(c.clientID),
    UserPoolId: aws.String(c.userPoolID),
    AuthFlow:   aws.String("ADMIN_NO_SRP_AUTH"),
    AuthParameters: map[string]*string{
        "USERNAME": aws.String(username),
        "PASSWORD": aws.String(password),
    },
})

//Answer the SMS_MFA challenge with the code from the phone and the Session from AdminInitiateAuth
c.cip.AdminRespondToAuthChallenge(&cognitoidentityprovider.AdminRespondToAuthChallengeInput{
    ClientId:      aws.String(c.clientID),
    UserPoolId:    aws.String(c.userPoolID),
    ChallengeName: aws.String("SMS_MFA"),
    Session:       aws.String(session),
    ChallengeResponses: map[string]*string{
        "USERNAME":     aws.String(username),
        "SMS_MFA_CODE": aws.String(code),
    },
})

Doing a GetUser call shows the current state of the user:

User = {
  Enabled: true,
  MFAOptions: [{
    AttributeName: "phone_number",
    DeliveryMedium: "SMS"
  }],
  PreferredMfaSetting: "SMS_MFA",
  UserAttributes: [
    {
      Name: "sub",
      Value: "bd2bb8bc-dfe6-4216-829c-5ae975ce24e5"
    },
    {
      Name: "email_verified",
      Value: "true"
    },
    {
      Name: "name",
      Value: "Ben Vogan"
    },
    {
      Name: "phone_number_verified",
      Value: "true"
    },
    {
      Name: "phone_number",
      Value: "<redacted>"
    },
    {
      Name: "email",
      Value: "<redacted>"
    }
  ],
  UserCreateDate: 2018-07-24 03:29:49 +0000 UTC,
  UserLastModifiedDate: 2018-07-24 04:19:51 +0000 UTC,
  UserMFASettingList: ["SMS_MFA"],
  UserStatus: "CONFIRMED",
  Username: "bd2bb8bc-dfe6-4216-829c-5ae975ce24e5"
}

I do not know if there is a way to query the user's auth state so that I can verify that.

The AWS documentation and unhelpful errors are driving me insane, so any help would be greatly appreciated!

Thanks.
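The two-call handshake the question describes, as an added worked example that is not code from the question, the answer, or the AWS SDK. It is written against a small interface so it runs offline: AuthResult, CognitoAuth, SignInWithSMSMFA, FakeCognito and ErrCodeMismatch are all names introduced here. FakeCognito is a constructed stand-in that models what the error message implies (each AdminInitiateAuth mints a fresh single-use Session and code, and an old session, a mismatched USERNAME or a wrong code all fail with CodeMismatchException); that model is an assumption, not Cognito's documented contract. The point it exercises is the one a practitioner checks first: the Session returned by AdminInitiateAuth must be passed to AdminRespondToAuthChallenge exactly once, USERNAME in the challenge responses must be the identifier used to initiate, and the code should be trimmed before it is sent.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthResult is a simplified stand-in (assumption) for the SDK's AdminInitiateAuthOutput /
// AdminRespondToAuthChallengeOutput, keeping only the fields this flow needs.
type AuthResult struct {
	ChallengeName       string            // "SMS_MFA" while a challenge is pending, "" once tokens are issued
	Session             string            // opaque single-use state token that links the two calls
	ChallengeParameters map[string]string // e.g. CODE_DELIVERY_DESTINATION (masked phone number)
	AccessToken         string            // set only when authentication has completed
}

// CognitoAuth is the slice of the Cognito Identity Provider API the flow uses. A thin
// wrapper around the real aws-sdk-go client can satisfy it; FakeCognito satisfies it offline.
type CognitoAuth interface {
	AdminInitiateAuth(username, password string) (*AuthResult, error)
	AdminRespondToAuthChallenge(challengeName, session string, responses map[string]string) (*AuthResult, error)
}

// SignInWithSMSMFA performs the password step and then answers the SMS_MFA challenge.
// getCode is invoked once with the delivery destination and returns the code the user
// received. The Session from the first call is forwarded unchanged to the second call.
func SignInWithSMSMFA(c CognitoAuth, username, password string, getCode func(dest string) string) (string, error) {
	res, err := c.AdminInitiateAuth(username, password)
	if err != nil {
		return "", err
	}
	if res.ChallengeName == "" {
		return res.AccessToken, nil // user has no MFA configured
	}
	if res.ChallengeName != "SMS_MFA" {
		return "", fmt.Errorf("unexpected challenge %q", res.ChallengeName)
	}
	code := getCode(res.ChallengeParameters["CODE_DELIVERY_DESTINATION"])
	res, err = c.AdminRespondToAuthChallenge("SMS_MFA", res.Session, map[string]string{
		"USERNAME":     username,                // same identifier that was passed to AdminInitiateAuth
		"SMS_MFA_CODE": strings.TrimSpace(code), // a pasted code often carries whitespace
	})
	if err != nil {
		return "", err
	}
	if res.ChallengeName != "" {
		return "", fmt.Errorf("unhandled follow-up challenge %q", res.ChallengeName)
	}
	return res.AccessToken, nil
}

// ErrCodeMismatch mirrors the error text from the question.
var ErrCodeMismatch = errors.New("CodeMismatchException: Invalid code or auth state for the user.")

// FakeCognito is a constructed in-memory stand-in (assumption, not AWS's semantics): every
// AdminInitiateAuth mints a fresh session and code and discards earlier sessions, a session
// can be answered once, and a stale session, wrong USERNAME or wrong code all fail alike.
type FakeCognito struct {
	Username, Password, Phone string
	calls                     int
	pending                   map[string]string // session -> code it expects
	SentCodes                 []string          // codes "delivered" to the phone, in order
}

func (f *FakeCognito) AdminInitiateAuth(username, password string) (*AuthResult, error) {
	if username != f.Username || password != f.Password {
		return nil, errors.New("NotAuthorizedException: Incorrect username or password.")
	}
	f.calls++
	session := fmt.Sprintf("session-%d", f.calls)
	code := fmt.Sprintf("%06d", 100000+1111*f.calls)
	f.pending = map[string]string{session: code} // a new sign-in invalidates older sessions
	f.SentCodes = append(f.SentCodes, code)
	return &AuthResult{
		ChallengeName: "SMS_MFA",
		Session:       session,
		ChallengeParameters: map[string]string{
			"CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
			"CODE_DELIVERY_DESTINATION":     f.Phone,
		},
	}, nil
}

func (f *FakeCognito) AdminRespondToAuthChallenge(challengeName, session string, r map[string]string) (*AuthResult, error) {
	want, ok := f.pending[session]
	if challengeName != "SMS_MFA" || !ok || r["USERNAME"] != f.Username || r["SMS_MFA_CODE"] != want {
		return nil, ErrCodeMismatch
	}
	delete(f.pending, session) // single use: replaying the session fails the same way
	return &AuthResult{AccessToken: "access-token-for-" + f.Username}, nil
}

func main() {
	fake := &FakeCognito{Username: "ben", Password: "correct horse battery", Phone: "+*******1234"}
	token, err := SignInWithSMSMFA(fake, "ben", "correct horse battery", func(string) string {
		return " " + fake.SentCodes[len(fake.SentCodes)-1] + "\n" // latest SMS, as a user would paste it
	})
	fmt.Println(token, err)
}
```

To run the same logic against a real pool, implement CognitoAuth with a few-line wrapper that calls aws-sdk-go's AdminInitiateAuth and AdminRespondToAuthChallenge and copies ChallengeName, Session, ChallengeParameters and AuthenticationResult.AccessToken into AuthResult; SignInWithSMSMFA does not change. If the real pool still returns CodeMismatchException, the things this example makes explicit are the ones to audit: a second AdminInitiateAuth issued between receiving the SMS and responding, a Session stored from an earlier attempt, or a USERNAME value that differs from the one used to initiate.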

Recommended answer

Your question seems ambiguous.

In step 2 you are:

  1. I set the phone number and request a verification code
  2. I verify the phone number

This is nothing but MFA in Cognito, if you have configured the pool correctly.

You cannot have both phone for login and MFA. That doesn't make sense.

But if you have phone for login, then Cognito will send an SMS with a code every time. Password is only for email logins.
