AWS Cognito Authentication USER_PASSWORD_AUTH flow not enabled for this client

cognito custom auth flow
unable to verify secret hash for client
missing required parameter srp_a
aws::cognito::userpoolclient
aws cognito react
cognito device flow
cognito backend authentication
cognito mfa flow

I have an mobile app with user pool (username & password). The app works fine with aws-amplify sdk. But, wanted to move the code out to Lambdas. So, I have written the following Lambda using Boto3.

Here is Lambda:

import boto3

def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Tried admin_initiate_auth too.

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Here is the error the I get.

An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client: InvalidParameterException Traceback (most recent call last): File "/var/task/lambda_function.py", line 12, in lambda_handler 'PASSWORD': 'xxxxx' File "/var/runtime/botocore/client.py", line 317, in _api_call return self._make_api_call(operation_name, kwargs) File "/var/runtime/botocore/client.py", line 615, in _make_api_call raise error_class(parsed_response, operation_name) InvalidParameterException: An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client

Any thoughts?


Figured it. I have goto user pool - > app clients - >show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).

That fixed it.

User Pool Authentication Flow - Amazon Cognito, USER_PASSWORD_AUTH : Non-SRP authentication flow; USERNAME and The app client ID. Amazon Cognito does not store the ClientMetadata value. DEVICE_SRP_AUTH : If device tracking was enabled on your user pool and the​  The Amazon Cognito hosted sign-in web page does not support the custom authentication flow. Admin Authentication Flow The APIs described Custom Authentication Flow with the use of SRP for password verification is the recommended approach for authentication.


For me I found that my credentials needed a hmac here is the class in case it is useful to someone.

import boto3
import boto3.session
import hmac, base64, hashlib
from botocore.client import ClientMeta

class AwsAuth(object):
    '''
    classdocs
    '''

    def gettoken(self):
        if self.token:
            return self.token
        else:
            return False

    def connect(self):

        if not self.username:
            self.username = raw_input("Username: ")

        if not self.password:
            self.password = raw_input("Password: ")

        digest = self.gethmacdigest(self.username)

        response = self.client.initiate_auth(
            ClientId=self.clientid,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': self.username,
                'PASSWORD': self.password,
                'SECRET_HASH': digest
            },
            ClientMetadata={
                'UserPoolId': self.userpoolid
            }
        )
        self.token = response
        return response

    def gethmacdigest(self, username):

        message = username + self.clientid
        dig = hmac.new(self.clientsecret, msg=message.encode('UTF-8'), digestmod=hashlib.sha256).digest()    
        return base64.b64encode(dig).decode()


    def __init__(self, path, url, fileout, filein, userpoolid, clientid, clientsecret, region, username = None, password = None):
        '''
        Constructor
        '''

        #boto3.set_stream_logger('botocore', level="DEBUG")

        self.path = path
        self.url = url
        self.fileout = fileout
        self.filein = filein
        self.userpoolid = userpoolid
        self.clientid = clientid
        self.clientsecret = clientsecret
        self.region = region
        self.token = ""

        boto3.setup_default_session(region_name=region) 

        self.client = boto3.client('cognito-idp')
        if username is not None:
            self.username = username
        else:
            self.username = None
        if password is not None:
            self.password = password
        else:
            self.password = None

InitiateAuth - Amazon Cognito Identity Provider, If you encounter the same problem ("Auth flow not enabled for this client") during your Amazon Cognito integration with AWS Lambda, you can  ALLOW_ADMIN_USER_PASSWORD_AUTH: Enable admin based user password authentication flow ADMIN_USER_PASSWORD_AUTH. This setting replaces the ADMIN_NO_SRP_AUTH setting. With this authentication flow, Cognito receives the password in the request instead of using the SRP (Secure Remote Password protocol) protocol to verify passwords.


I figured it out.Inspite of AuthFlow pass ExplicitAuthFlows then it should work. `

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        ExplicitAuthFlows='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

`

Amazon Cognito, OPTIONAL - Manually set the authentication flow type. -741,6 +743,24 @@ Amazon Cognito User Pools support customizing the authentication flow to enable requests using `USER_PASSWORD_AUTH`, your Cognito app client has to be that does not already exist in the user pool signs in or resets their password. ALLOW_ADMIN_USER_PASSWORD_AUTH : Enable admin based user password authentication flow ADMIN_USER_PASSWORD_AUTH . This setting replaces the ADMIN_NO_SRP_AUTH setting. With this authentication flow, Cognito receives the password in the request instead of using the SRP (Secure Remote Password protocol) protocol to verify passwords. ALLOW_CUSTOM


Sign in with USER_PASSWORD_AUTH flow · Issue #1033 · aws , Customer stories → · Security → GitHub is home to over 50 million developers working together to host and it causes the lambda user migration not to be invoked, since Cognito is expecting a USER_PASSWORD_AUTH authentication flow. https://aws.github.io/aws-amplify/api/classes/authclass.html  When using Developer Authenticated Identities (Identity Pools), the client will use a different authflow that will include code outside of Amazon Cognito to validate the user in your own authentication system. Code outside of Amazon Cognito is indicated as such. Enhanced Authflow. Login via Developer Provider (code outside of Amazon Cognito)


cognitoUser.initiateAuth ignores the authentication flow setting , Figured it. I have goto user pool – > app clients – >show details -> Enable username-password (non-SRP) flow for app-based authentication  client app should implement CUSTOM_CHALLENGE authentication flow. ask user to enter registered phone number, pass this in username field. trigger B will understand the request and passes flow to trigger A, Trigger A will generate random code 5. use AWS SNS service to send SMS to user mobile number


Authentication, AWS Amplify Authentication module provides Authentication APIs and Cognito User Pools returns JWT tokens to your app and does not provide If you have previously enabled an Amplify category that uses Auth behind the In order to use the authentication flow USER_PASSWORD_AUTH , your Cognito app client​  An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret.