
I am trying to use AuthFlow USER_SRP_AUTH for user login. I am getting the "PASSWORD_VERIFIER" challenge in the response of initiateAuth request. While responding to that challenge I am not sure what I should pass as the value of PASSWORD_CLAIM_SIGNATURE. I have tried different values as per documentation and java code but no success.

I'm using the code below for the respondToAuthChallenge method:

$date = date('D M d H:i:s T Y');

$srp = new Srp();
$a = $srp->getRandomSeed();
$A = $srp->generateA($a);

$challengeParameters = $result->get('ChallengeParameters');

$s = $srp->getRandomSeed();
$x = $srp->generateX($s, 'MY_USERNAME', 'MY_PASSWORD');
$S = $srp->generateS_Client($A, $challengeParameters['SRP_B'], $a, $x);
$K = $srp->generateK($S);

$response = $client->respondToAuthChallenge([
    'ChallengeName'      => 'PASSWORD_VERIFIER',
    'ClientId'           => 'CLIENT_ID',
    'ChallengeResponses' => [
        'TIMESTAMP'                   => $date,
        'USERNAME'                    => $challengeParameters['USER_ID_FOR_SRP'],
        'PASSWORD_CLAIM_SECRET_BLOCK' => $challengeParameters['SECRET_BLOCK'],
        'PASSWORD_CLAIM_SIGNATURE'    => hash_hmac('sha256', $K, $challengeParameters['SALT'])
    ]
]);

I have used this PHP SRP Client: https://github.com/falkmueller/srp/

In the response of respondToAuthChallenge request, I am getting this error

400 Bad Request response:
{"__type":"NotAuthorizedException","message":"Incorrect username or password."}

Most likely this error is caused by an incorrect PASSWORD_CLAIM_SIGNATURE, since I haven't really found what this key should contain as a value and have just tried some things based on the documentation and Java code I've found.

Vivek Pipaliya

1 Answer

The value that PASSWORD_CLAIM_SIGNATURE is based off does not seem to be documented anywhere, but by looking in some of the AWS source code I derived it.

Concatenate the following into one string:

  • the cognito user pool id, without the region
  • USER_ID_FOR_SRP from the previous call
  • SECRET_BLOCK from the previous call
  • TIMESTAMP

Then do HMAC-SHA256 on that string.

Note that the TIMESTAMP has a format (also undocumented):

TIMESTAMP format should be EEE MMM d HH:mm:ss z yyyy in english.

source: line 299 of this file

Ravenscar
  • Where is the password added? – wpater Nov 24 '20 at 18:34
  • You don't need to explicitly send the password. The password is used in the setup @wpater part of SRP (look in the question's script above, the line with `generateX`). You only need to use SRP if you want to avoid sending the password (although I am using it as cognito device tracking does not work with USER_PASSWORD_AUTH, preventing the use of the refresh token) – Ravenscar Nov 25 '20 at 00:41