admin-initiate-auth with AWS CLI on a Cognito App-client with a secret
I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without an app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html
I should be able to do it by passing the App secret, like this:
(broken up for formatting, I'm entering it as a full line)
aws cognito-idp admin-initiate-auth
--user-pool-id us-east-1_xxxxxxxx
--region=us-east-1
--client-id xxxxxxxxxxxxxxxxxxxxx
--auth-flow ADMIN_NO_SRP_AUTH
--auth-parameters
USERNAME=TestUser
PASSWORD='Test_Password'
SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--profile AwsProfile
I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.
However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx
What could I be doing wrong?
amazon-web-services amazon-cognito aws-cli
What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.
– Deepthi
Nov 22 at 10:35
No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?
– Pablo Barría Urenda
Nov 22 at 16:30
Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…
– Deepthi
Nov 23 at 9:28
asked Nov 21 at 13:26
Pablo Barría Urenda
1 Answer
Compute your SECRET_HASH as follows:
Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" ) )
Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
answered Nov 23 at 9:29
Deepthi
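Added example (not part of the original answer and not AWS's own code): the formula above in Python, with the computed value placed into the arguments of the command from the question. The function names, the `COGNITO_CLIENT_SECRET` variable and the sample values are assumptions; `--auth-parameters` is passed as JSON rather than shorthand so that passwords containing commas or `=` are not split.

```python
import base64
import hashlib
import hmac
import json
import os


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Base64(HMAC_SHA256(key=client secret, msg=username + client id))."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    )
    return base64.b64encode(mac.digest()).decode("ascii")


def admin_initiate_auth_argv(user_pool_id, region, client_id, client_secret,
                             username, password, profile=None):
    """Build the argv for the question's command with a computed SECRET_HASH."""
    auth_parameters = {
        "USERNAME": username,
        "PASSWORD": password,
        # The hash is bound to this username and this client id; the raw
        # app client secret itself is never sent.
        "SECRET_HASH": cognito_secret_hash(username, client_id, client_secret),
    }
    argv = [
        "aws", "cognito-idp", "admin-initiate-auth",
        "--user-pool-id", user_pool_id,
        "--region", region,
        "--client-id", client_id,
        "--auth-flow", "ADMIN_NO_SRP_AUTH",
        "--auth-parameters", json.dumps(auth_parameters),
    ]
    if profile:
        argv += ["--profile", profile]
    return argv


if __name__ == "__main__":
    # Constructed placeholder values. The secret comes from a hypothetical
    # environment variable so it stays out of shell history.
    secret = os.environ.get("COGNITO_CLIENT_SECRET", "constructed-example-secret")
    argv = admin_initiate_auth_argv(
        "us-east-1_xxxxxxxx", "us-east-1", "example-client-id",
        secret, "TestUser", "Test_Password", profile="AwsProfile",
    )
    print(argv[:argv.index("--auth-parameters")])  # flags preceding the credentials
    # subprocess.run(argv, check=True) would execute the call.
```

The hash has to be recomputed for every username, since the username is part of the signed message.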