Amazon提供iOS,Android和Javascript Cognito SDK,可提供高级身份验证用户操作。对AWS Cognito使用python boto3实现USER_SRP_AUTH
例如,请参阅使用案例4浏览:
https://github.com/aws/amazon-cognito-identity-js
但是,如果你正在使用python/boto3,你所得到的是一对原语:cognito.initiate_auth
和cognito.respond_to_auth_challenge
。
我想使用这些原语连同pysrp
lib与USER_SRP_AUTH
流验证,但我有什么不工作。
它在调用RespondToAuthChallenge操作时发生错误(NotAuthorizedException)时总是失败:不正确的用户名或密码。“ (使用JS SDK可以找到用户名/密码对)
我怀疑我构建了挑战响应错误(步骤3),并且/或者在想要base64时传递Congito十六进制字符串,反之亦然。
有没有人得到这个工作?任何人看到我做错了什么?
我试图复制在使用Javascript SDK中发现的authenticateUser
调用的行为:
https://github.com/aws/amazon-cognito-identity-js/blob/master/src/CognitoUser.js#L138
,但我做错了什么,不能弄清楚什么。
#!/usr/bin/env python
import base64
import binascii
import boto3
import datetime as dt
import hashlib
import hmac
# http://pythonhosted.org/srp/
# https://github.com/cocagne/pysrp
import srp
bytes_to_hex = lambda x: "".join("{:02x}".format(ord(c)) for c in x)
cognito = boto3.client('cognito-idp', region_name="us-east-1")
username = "[email protected]"
password = "123456"
user_pool_id = u"us-east-1_XXXXXXXXX"
client_id = u"XXXXXXXXXXXXXXXXXXXXXXXXXX"
# Step 1:
# Use SRP lib to construct a SRP_A value.
srp_user = srp.User(username, password)
_, srp_a_bytes = srp_user.start_authentication()
srp_a_hex = bytes_to_hex(srp_a_bytes)
# Step 2:
# Submit USERNAME & SRP_A to Cognito, get challenge.
response = cognito.initiate_auth(
AuthFlow='USER_SRP_AUTH',
AuthParameters={ 'USERNAME': username, 'SRP_A': srp_a_hex },
ClientId=client_id,
ClientMetadata={ 'UserPoolId': user_pool_id })
# Step 3:
# Use challenge parameters from Cognito to construct
# challenge response.
salt_hex = response['ChallengeParameters']['SALT']
srp_b_hex = response['ChallengeParameters']['SRP_B']
secret_block_b64 = response['ChallengeParameters']['SECRET_BLOCK']
secret_block_bytes = base64.standard_b64decode(secret_block_b64)
secret_block_hex = bytes_to_hex(secret_block_bytes)
salt_bytes = binascii.unhexlify(salt_hex)
srp_b_bytes = binascii.unhexlify(srp_b_hex)
process_challenge_bytes = srp_user.process_challenge(salt_bytes,
srp_b_bytes)
timestamp = unicode(dt.datetime.utcnow().strftime("%a %b %d %H:%m:%S +0000 %Y"))
hmac_obj = hmac.new(process_challenge_bytes, digestmod=hashlib.sha256)
hmac_obj.update(user_pool_id.split('_')[1].encode('utf-8'))
hmac_obj.update(username.encode('utf-8'))
hmac_obj.update(secret_block_bytes)
hmac_obj.update(timestamp.encode('utf-8'))
challenge_responses = {
"TIMESTAMP": timestamp.encode('utf-8'),
"USERNAME": username.encode('utf-8'),
"PASSWORD_CLAIM_SECRET_BLOCK": secret_block_hex,
"PASSWORD_CLAIM_SIGNATURE": hmac_obj.hexdigest()
}
# Step 4:
# Submit challenge response to Cognito.
response = cognito.respond_to_auth_challenge(
ClientId=client_id,
ChallengeName='PASSWORD_VERIFIER',
ChallengeResponses=challenge_responses)
你有没有得到这个工作?我在我的项目中正在做同样的事情。 – man2xxl
不,我对它进一步加以强调,但目前还没有运气。作为解决办法,我已经建立了一个自定义授权lambda('DefineAuthChallenge'),它总是授权用户:'exports.handler = function(event,context){event.response.issueTokens = true; event.response.failAuthentication = false; context.done(null,event);}'。这是我现在需要的,因为我只是在构建原型。但我希望最终能够实现这一目标。 – billc
man2xxl,结帐armicron的答案在下面。 – billc