I am new to AWS Cognito, and I am trying to authenticate a newly created user in a Cognito user pool.
Could anyone please help with this? Is there any good Java example to follow to authenticate to AWS Cognito?
Here is the stack trace error:
12:07:14.243 [main] DEBUG com.amazonaws.AmazonWebServiceClient - Internal logging successfully configured to commons logger: true
12:07:14.784 [main] DEBUG com.amazonaws.metrics.AwsSdkMetrics - Admin mbean registered under com.amazonaws.management:type=AwsSdkMetrics
AWSCognitoIdentityProviderService.InitiateAuth, Content-Type: application/x-amz-org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://cognito-idp.us-east-1.amazonaws.com:443][total kept alive: 0; route allocated: 1 of 50; total allocated: 1 of 50]
12:07:14.862 [main] DEBUG org.apache.http.impl.execchain.MainClientExec -
12:07:15.089 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
12:07:15.090 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> POST / HTTP/1.1
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: cognito-idp.us-east-1.amazonaws.com
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: aws-sdk-java/1.11.251 Windows_10/10.0 Java_HotSpot(TM)_64-Bit_Server_VM/25.144-b01 java/1.8.0_144
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> amz-sdk-invocation-id: e1ebdf5a-f2ec-14b4-c750-3b28d243afb0
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> amz-sdk-retry: 0/0/500
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Content-Type: application/x-amz-json-1.1
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Content-Length: 889
12:07:15.093 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
12:07:15.094 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "POST / HTTP/1.1[\r][\n]"
12:07:15.094 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: cognito-idp.us-east-1.amazonaws.com[\r][\n]"
12:07:15.094 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: aws-sdk-java/1.11.251 Windows_10/10.0 Java_HotSpot(TM)_64-Bit_Server_VM/25.144-b01 java/1.8.0_144[\r][\n]"
12:07:15.094 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "amz-sdk-invocation-id: e1ebdf5a-f2ec-14b4-c750-3b28d243afb0[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "amz-sdk-retry: 0/0/500[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Type: application/x-amz-json-1.1[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Length: 889[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
12:07:15.095 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"AuthFlow":"USER_SRP_AUTH","AuthParameters":{"USERNAME":"*************","SRP_A":"..."},"ClientId":"4ka2h2ub50ugc9b7enbgmda235"}"
12:07:15.118 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
12:07:15.118 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Fri, 06 Apr 2018 16:08:37 GMT[\r][\n]"
12:07:15.118 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Type: application/x-amz-json-1.1[\r][\n]"
12:07:15.118 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 114[\r][\n]"
12:07:15.118 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: keep-alive[\r][\n]"
12:07:15.119 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "x-amzn-RequestId: c3f044ee-39b4-11e8-b51d-871273fda2e6[\r][\n]"
12:07:15.119 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "x-amzn-ErrorType: NotAuthorizedException:[\r][\n]"
12:07:15.119 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "x-amzn-ErrorMessage: Unable to verify secret hash for client 4ka2h2ub50ugc9b7enbgmda235[\r][\n]"
12:07:15.119 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
12:07:15.119 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "{"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 4ka2h2ub50ugc9b7enbgmda235"}"
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 400 Bad Request
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Fri, 06 Apr 2018 16:08:37 GMT
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: application/x-amz-json-1.1
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Length: 114
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: keep-alive
12:07:15.125 [main] DEBUG org.apache.http.headers - http-outgoing-0 << x-amzn-RequestId: c3f044ee-39b4-11e8-b51d-871273fda2e6
12:07:15.126 [main] DEBUG org.apache.http.headers - http-outgoing-0 << x-amzn-ErrorType: NotAuthorizedException:
12:07:15.126 [main] DEBUG org.apache.http.headers - http-outgoing-0 << x-amzn-ErrorMessage: Unable to verify secret hash for client 4ka2h2ub50ugc9b7enbgmda235
12:07:15.135 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
12:07:15.142 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://cognito-idp.us-east-1.amazonaws.com:443] can be kept alive for 60.0 seconds
12:07:15.142 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 0
12:07:15.142 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://cognito-idp.us-east-1.amazonaws.com:443][total kept alive: 1; route allocated: 1 of 50; total allocated: 1 of 50]
12:07:15.185 [main] DEBUG com.amazonaws.request - Received error response: com.amazonaws.services.cognitoidp.model.NotAuthorizedException: Unable to verify secret hash for client 4ka2h2ub50ugc9b7enbgmda235 (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: NotAuthorizedException; Request ID: c3f044ee-39b4-11e8-b51d-871273fda2e6)
Exceptioncom.amazonaws.services.cognitoidp.model.NotAuthorizedException: Unable to verify secret hash for client 4ka2h2ub50ugc9b7enbgmda235 (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: NotAuthorizedException; Request ID: c3f044ee-39b4-11e8-b51d-871273fda2e6)
Here is my code:
    String PerformSRPAuthentication(String username, String password) {
        String authresult = null;
        InitiateAuthRequest initiateAuthRequest = initiateUserSrpAuthRequest(username);
        try {
            AnonymousAWSCredentials awsCreds = new AnonymousAWSCredentials();
            AWSCognitoIdentityProvider cognitoIdentityProvider = AWSCognitoIdentityProviderClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                    .withRegion(Regions.fromName(this.region))
                    .build();
            InitiateAuthResult initiateAuthResult = cognitoIdentityProvider.initiateAuth(initiateAuthRequest);
            if (ChallengeNameType.PASSWORD_VERIFIER.toString().equals(initiateAuthResult.getChallengeName())) {
                RespondToAuthChallengeRequest challengeRequest = userSrpAuthRequest(initiateAuthResult, password);
                RespondToAuthChallengeResult result = cognitoIdentityProvider.respondToAuthChallenge(challengeRequest);
                System.out.println("----------------------->>RespondToAuthChallengeResult: " + result);
                System.out.println(CognitoJWTParser.getPayload(result.getAuthenticationResult().getIdToken()));
                authresult = result.getAuthenticationResult().getIdToken();
            }
        } catch (final Exception ex) {
            System.out.println("Exception" + ex);
        }
        return authresult;
    }
It seems I have to challenge the password and set the new password, or something like that. Thank you in advance for your help.