implementing USER_SRP_AUTH with python boto3 for AWS Cognito

渐次进展 2020-12-31 06:55

Amazon provides iOS, Android, and JavaScript Cognito SDKs that offer a high-level authenticate-user operation.

For example, see Use Case 4 here:

https://gith

2 Answers
  •  轮回少年
    2020-12-31 07:44

    There are many errors in your implementation. For example:

    1. pysrp uses the SHA1 algorithm by default. It should be set to SHA256.
    2. The _ng_const length should be 3072 bits, and it should be copied from amazon-cognito-identity-js.
    3. There is no hkdf function in pysrp.
    4. The response should contain secret_block_b64, not secret_block_hex.
    5. Wrong timestamp format. %H:%m:%S means "hour:month:second" and +0000 should be replaced by UTC.

    Has anyone gotten this working?

    Yes. It's implemented in the warrant.aws_srp module. https://github.com/capless/warrant/blob/develop/warrant/aws_srp.py

    from warrant.aws_srp import AWSSRP

    # Placeholder values: replace with your own user and user pool settings.
    USERNAME = 'xxx'
    PASSWORD = 'yyy'
    POOL_ID = 'us-east-1_zzzzz'
    CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx'

    # authenticate_user() runs the SRP flow and returns the token set.
    aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID,
                 client_id=CLIENT_ID)
    tokens = aws.authenticate_user()
    id_token = tokens['AuthenticationResult']['IdToken']
    refresh_token = tokens['AuthenticationResult']['RefreshToken']
    access_token = tokens['AuthenticationResult']['AccessToken']
    token_type = tokens['AuthenticationResult']['TokenType']

    Note that the aws_srp module has not been merged into the master branch yet.

    The authenticate_user method supports only the PASSWORD_VERIFIER challenge. If you want to respond to other challenges, just look into the authenticate_user and boto3 documentation.
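
Points 3 to 5 of the answer above (the missing HKDF step, the base64 secret block and the timestamp format) are shown here as an added example; it is not part of the original answer or of warrant's code. The function names and sample values are constructed for illustration, and the SRP arithmetic that yields the shared secret S and the scrambling value u is assumed to have been done already.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

INFO_BITS = b"Caldera Derived Key"  # HKDF info string used by amazon-cognito-identity-js
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def compute_hkdf(ikm: bytes, salt: bytes, info: bytes = INFO_BITS) -> bytes:
    """HKDF-SHA256 (extract, then the first expand block), cut to 16 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:16]


def cognito_timestamp(now: datetime) -> str:
    """Aware datetime -> 'Thu Dec 31 07:44:00 UTC 2020' (%M = minutes, day unpadded)."""
    now = now.astimezone(timezone.utc)
    # Fixed name tables keep the result independent of the process locale.
    return (f"{DAYS[now.weekday()]} {MONTHS[now.month - 1]} {now.day} "
            f"{now:%H:%M:%S} UTC {now.year}")


def password_verifier_response(pool_id, hkdf_key, challenge_parameters, now):
    """Build ChallengeResponses for the PASSWORD_VERIFIER challenge."""
    user_id = challenge_parameters["USER_ID_FOR_SRP"]
    secret_block_b64 = challenge_parameters["SECRET_BLOCK"]
    timestamp = cognito_timestamp(now)
    # Signed message: pool name (after '_'), user id, raw secret block, timestamp.
    msg = (pool_id.split("_")[1].encode() + user_id.encode()
           + base64.standard_b64decode(secret_block_b64) + timestamp.encode())
    signature = hmac.new(hkdf_key, msg, hashlib.sha256).digest()
    return {"TIMESTAMP": timestamp,
            "USERNAME": user_id,
            "PASSWORD_CLAIM_SECRET_BLOCK": secret_block_b64,  # sent back as base64
            "PASSWORD_CLAIM_SIGNATURE": base64.standard_b64encode(signature).decode()}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real user pool.
    params = {"USER_ID_FOR_SRP": "alice",
              "SECRET_BLOCK": base64.b64encode(b"constructed secret block").decode()}
    key = compute_hkdf(b"constructed SRP secret S", b"constructed SRP value u")
    print(password_verifier_response("us-east-1_EXAMPLE", key, params,
                                     datetime.now(timezone.utc)))
```

The returned dictionary has the shape that boto3's respond_to_auth_challenge takes as ChallengeResponses with ChallengeName='PASSWORD_VERIFIER'.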
