Continue with custom auth flow after NEW_PASSWORD_REQUIRED challenge is answered in AWS Cognito

Problem description

A new user is created by an admin. They need to reset their initial password on first login. We have the Cognito app client configured to only allow the custom authentication flow (CUSTOM_AUTH_FLOW_ONLY). But when the user resets their password, the auth flow ends and they get the id, access and refresh tokens immediately; none of the custom challenges are issued.

  • How can I steer the flow to continue with my custom challenge flow, instead of issuing the tokens?
  • It would also work if the tokens would not be sent in the response, after they reset their initial password, so that the user has to log in again.

A new user currently runs through this flow:

  1. At the moment, for a new user, we send InitiateAuthRequest with username and SRP_A, AuthFlow set to CUSTOM_AUTH, as a normal login would do.
  2. Our DefineAuthChallengeLambda is hit, issuing the PASSWORD_VERIFIER challenge.
  3. The client responds to the auth challenge with the srp claims, username and timestamp.
  4. Cognito verifies the response and sees that the user must change their password. Our lambda triggers are skipped and the NEW_PASSWORD_REQUIRED challenge is returned by Cognito.
  5. The client responds to the auth challenge with a new password, Cognito accepts the password and issues the tokens, which is not what we want.

We either want the flow to end here and not issue any tokens, or to not end here and continue with a define auth challenge trigger call.

Solution

So I contacted the AWS Support and got the following answer:

As I mentioned, we've been engaging with the team and it looks like you've identified an issue with using Custom_Auth as well as an issue with using Custom_Auth and Password_Verifier/New_Password_Required challenges. It looks like changing Custom_auth to or from SRP_A and using the New password required challenge does not work at this moment. We managed to replicate this fully with the Cognito Service team and they've confirmed this is a bit broken and we don't have support for these challenges with Custom auth. They agreed however we should support them at base and we've identified this as a feature request with the team and they've placed it on the prioritised list. Unfortunately I can't give a definitive time-frame for this to be implemented fully.

TL;DR: Custom auth flow with password verification isn't supported fully at the moment. Password reset-challenges break the flow.

For us, we use a workaround: In the PreTokenGeneration lambda trigger, we check if the current auth flow comes from a password reset event. If this is the case, we just throw an exception and no tokens are issued. The exception message is returned to the client, so by checking the message content of the exception, you can see what exact error has occurred. If you see that the tokens were not generated because of password reset, just tell the user: "Password successfully reset" and redirect them to the login page again. From there they can log in normally, going through the whole custom auth flow.

Sadly, no feedback can be given on when the feature will be available. Apparently most new features are announced here, so I'll be keeping an eye out for that.
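As an added illustration of the workaround described above (this is not the answerer's code), a Pre Token Generation handler in Python that aborts token issuance when the trigger source is Cognito's documented TokenGeneration_NewPasswordChallenge value; the marker string, the exception class, the client-side check and the sample events are constructed for this example:

```python
# Added example, not the original poster's code: a Cognito Pre Token Generation
# Lambda that refuses to mint tokens when it was invoked from the
# NEW_PASSWORD_REQUIRED challenge, forcing the user to log in again and go
# through the full CUSTOM_AUTH challenge flow.
# "TokenGeneration_NewPasswordChallenge" is Cognito's documented trigger-source
# value for that case; PASSWORD_RESET_MARKER is an assumption of this example.

PASSWORD_RESET_MARKER = "PASSWORD_RESET_NO_TOKENS"


class PasswordResetNoTokens(Exception):
    """Raised to abort token issuance; Cognito relays the message to the client."""


def lambda_handler(event, context=None):
    source = event.get("triggerSource", "")
    if source == "TokenGeneration_NewPasswordChallenge":
        # Raising makes Cognito fail the challenge response with this message
        # instead of returning id/access/refresh tokens.
        username = event.get("userName", "<unknown>")
        raise PasswordResetNoTokens(
            f"{PASSWORD_RESET_MARKER}: password changed for {username}; log in again"
        )
    # Any other trigger source (normal authentication, refresh, ...) passes
    # through unchanged, so tokens are issued as usual.
    return event


def client_should_show_reset_success(error_message: str) -> bool:
    """Client-side check on a failed challenge response: does the error text
    carry our marker (Cognito wraps the Lambda message, so substring match)?"""
    return PASSWORD_RESET_MARKER in error_message


# Constructed sample events, trimmed to the fields this handler reads.
NORMAL_EVENT = {
    "triggerSource": "TokenGeneration_Authentication",
    "userName": "alice",
    "request": {"userAttributes": {"sub": "0000-example"}},
    "response": {"claimsOverrideDetails": None},
}
NEW_PASSWORD_EVENT = dict(NORMAL_EVENT, triggerSource="TokenGeneration_NewPasswordChallenge")

if __name__ == "__main__":
    assert lambda_handler(NORMAL_EVENT) is NORMAL_EVENT
    try:
        lambda_handler(NEW_PASSWORD_EVENT)
    except PasswordResetNoTokens as exc:
        print("tokens withheld:", exc)
        assert client_should_show_reset_success(str(exc))
```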
