admin-initiate-auth with AWS CLI on a Cognito App-client with a secret











I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without an app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:



https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html



I should be able to do it by passing the App secret, like this:



(broken up for formatting, I'm entering it as a full line)



aws cognito-idp admin-initiate-auth 
--user-pool-id us-east-1_xxxxxxxx
--region=us-east-1
--client-id xxxxxxxxxxxxxxxxxxxxx
--auth-flow ADMIN_NO_SRP_AUTH
--auth-parameters
USERNAME=TestUser
PASSWORD='Test_Password'
SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--profile AwsProfile


I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.



However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx



What could I be doing wrong?










  • What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.
    – Deepthi
    Nov 22 at 10:35










  • No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?
    – Pablo Barría Urenda
    Nov 22 at 16:30










  • Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…
    – Deepthi
    Nov 23 at 9:28















amazon-web-services amazon-cognito aws-cli






asked Nov 21 at 13:26









Pablo Barría Urenda

1 Answer
Compute your SECRET_HASH as follows:




Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" ) )




Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash






answered Nov 23 at 9:29
Deepthi
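
The computation in the answer above, as an added Python example (not part of the original answer and not AWS's own code): it derives SECRET_HASH from the username, client ID and client secret and places it in the AdminInitiateAuth parameters. All function names and sample values are constructed here; passing the auth parameters as JSON instead of the question's shorthand form is an assumption made so the Base64 characters need no extra quoting.

```python
import base64
import hashlib
import hmac
import json
import shlex


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Base64(HMAC_SHA256(key=client secret, message=username + client id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def is_well_formed_secret_hash(value: str) -> bool:
    """Shape check only: Base64 that decodes to a 32-byte SHA-256 MAC.

    Catches most cases of the raw app client secret being pasted in as
    SECRET_HASH (the mistake in the question); it cannot prove the MAC is right.
    """
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error (bad alphabet or padding) subclasses it
        return False


def admin_initiate_auth_argv(user_pool_id, region, client_id, client_secret,
                             username, password, profile):
    """Build the CLI call from the question with a computed SECRET_HASH."""
    auth_parameters = {
        "USERNAME": username,  # must be the same string that was hashed
        "PASSWORD": password,
        "SECRET_HASH": cognito_secret_hash(username, client_id, client_secret),
    }
    # The password ends up in argv, so run this only on a trusted admin host.
    return ["aws", "cognito-idp", "admin-initiate-auth",
            "--user-pool-id", user_pool_id, "--region", region,
            "--client-id", client_id, "--auth-flow", "ADMIN_NO_SRP_AUTH",
            "--auth-parameters", json.dumps(auth_parameters),
            "--profile", profile]


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers or secrets.
    argv = admin_initiate_auth_argv("us-east-1_EXAMPLE", "us-east-1", "exampleclientid",
                                    "example-client-secret", "TestUser", "Test_Password", "AwsProfile")
    print(shlex.join(argv))
```

The hash binds the client secret to one username and one client ID, so it has to be recomputed for every user being confirmed.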
