implementing USER_SRP_AUTH with python boto3 for AWS Cognito

python amazon-web-services amazon-cognito boto3 srp-protocol
billc picture billc · Jan 7, 2017 · Viewed 6.9k times · Source

Amazon provides iOS, Android, and Javascript Cognito SDKs that offer a high-level authenticate-user operation.

For example, see Use Case 4 here:

https://github.com/aws/amazon-cognito-identity-js

However, if you are using python/boto3, all you get are a pair of primitives: cognito.initiate_auth and cognito.respond_to_auth_challenge.

I am trying to use these primitives along with the pysrp lib authenticate with the USER_SRP_AUTH flow, but what I have is not working.

It always fails with "An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Incorrect username or password." (The username/password pair work find with the JS SDK.)

My suspicion is I'm constructing the challenge response wrong (step 3), and/or passing Congito hex strings when it wants base64 or vice versa.

Has anyone gotten this working? Anyone see what I'm doing wrong?

I am trying to copy the behavior of the authenticateUser call found in the Javascript SDK:

https://github.com/aws/amazon-cognito-identity-js/blob/master/src/CognitoUser.js#L138

but I'm doing something wrong and can't figure out what.

#!/usr/bin/env python
import base64
import binascii
import boto3
import datetime as dt
import hashlib
import hmac

# http://pythonhosted.org/srp/
# https://github.com/cocagne/pysrp
import srp

bytes_to_hex = lambda x: "".join("{:02x}".format(ord(c)) for c in x)

cognito = boto3.client('cognito-idp', region_name="us-east-1")

username = "[email protected]"
password = "123456"

user_pool_id = u"us-east-1_XXXXXXXXX"
client_id = u"XXXXXXXXXXXXXXXXXXXXXXXXXX"

# Step 1:
# Use SRP lib to construct a SRP_A value.

srp_user = srp.User(username, password)
_, srp_a_bytes = srp_user.start_authentication()

srp_a_hex = bytes_to_hex(srp_a_bytes)

# Step 2:
# Submit USERNAME & SRP_A to Cognito, get challenge.

response = cognito.initiate_auth(
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={ 'USERNAME': username, 'SRP_A': srp_a_hex },
    ClientId=client_id,
    ClientMetadata={ 'UserPoolId': user_pool_id })

# Step 3:
# Use challenge parameters from Cognito to construct 
# challenge response.

salt_hex         = response['ChallengeParameters']['SALT']
srp_b_hex        = response['ChallengeParameters']['SRP_B']
secret_block_b64 = response['ChallengeParameters']['SECRET_BLOCK']

secret_block_bytes = base64.standard_b64decode(secret_block_b64)
secret_block_hex = bytes_to_hex(secret_block_bytes)

salt_bytes = binascii.unhexlify(salt_hex)
srp_b_bytes = binascii.unhexlify(srp_b_hex)

process_challenge_bytes = srp_user.process_challenge(salt_bytes,                          
                                                     srp_b_bytes)

timestamp = unicode(dt.datetime.utcnow().strftime("%a %b %d %H:%m:%S +0000 %Y"))

hmac_obj = hmac.new(process_challenge_bytes, digestmod=hashlib.sha256)
hmac_obj.update(user_pool_id.split('_')[1].encode('utf-8'))
hmac_obj.update(username.encode('utf-8'))
hmac_obj.update(secret_block_bytes)
hmac_obj.update(timestamp.encode('utf-8'))

challenge_responses = {
    "TIMESTAMP": timestamp.encode('utf-8'),
    "USERNAME": username.encode('utf-8'),
    "PASSWORD_CLAIM_SECRET_BLOCK": secret_block_hex,
    "PASSWORD_CLAIM_SIGNATURE": hmac_obj.hexdigest()
}

# Step 4:
# Submit challenge response to Cognito.

response = cognito.respond_to_auth_challenge(
    ClientId=client_id,
    ChallengeName='PASSWORD_VERIFIER',
    ChallengeResponses=challenge_responses)

Answer

armicron picture armicron · Mar 27, 2017

There are many errors in your implementation. For example:

  1. pysrp uses SHA1 algorithm by default. It should be set to SHA256.
  2. _ng_const length should be 3072 bits and it should be copied from amazon-cognito-identity-js
  3. There is no hkdf function in pysrp.
  4. The response should contain secret_block_b64, not secret_block_hex.
  5. Wrong timestamp format. %H:%m:%S means "hour:month:second" and +0000 should be replaced by UTC.

Has anyone gotten this working?

Yes. It's implemented in the warrant.aws_srp module. https://github.com/capless/warrant/blob/develop/warrant/aws_srp.py

from warrant.aws_srp import AWSSRP


USERNAME='xxx'
PASSWORD='yyy'
POOL_ID='us-east-1_zzzzz'
CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx'

aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID,
             client_id=CLIENT_ID)
tokens = aws.authenticate_user()
id_token = tokens['AuthenticationResult']['IdToken']
refresh_token = tokens['AuthenticationResult']['RefreshToken']
access_token = tokens['AuthenticationResult']['AccessToken']
token_type = tokens['AuthenticationResult']['TokenType']

Note, that aws_srp module was not merged into master branch yet.

authenticate_user method supports only PASSWORD_VERIFIER challenge. If you want to respond to other challenges, just look into the authenticate_user and boto3 documentation.

Related questions

AWS Cognito as Django authentication back-end for web site

My reading of Cognito is that it can be used in place of a local Django admin database to authenticate users of a website. However I am not finding any soup-to-nuts examples of a basic "Hello, World" app with a …

Read More
How to write a file or data to an S3 object using boto3

In boto 2, you can write to an S3 object using these methods: Key.set_contents_from_string() Key.set_contents_from_file() Key.set_contents_from_filename() Key.set_contents_from_stream() Is there a boto 3 equivalent? What is the …

Read More
How to upload a file to directory in S3 bucket using boto

I want to copy a file in s3 bucket using python. Ex : I have bucket name = test. And in the bucket, I have 2 folders name "dump" & "input". Now I want to copy a file from local directory to S3 "…

Read More