AWS Cognito Authentication USER_PASSWORD_AUTH flow not enabled for this client

7

66

I have a mobile app with a user pool (username & password). The app works fine with the aws-amplify SDK, but I wanted to move the code out to Lambdas, so I have written the following Lambda using Boto3.

Here is Lambda:

import boto3

def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    # Username/password (non-SRP) flow against the app client; no pool id is needed here.
    response = client.initiate_auth(
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Tried admin_initiate_auth too.

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    # The admin variant takes the pool id as well; the posted code called initiate_auth
    # here, which does not accept UserPoolId, so the method name is corrected.
    response = client.admin_initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Here is the error that I get.

An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client: InvalidParameterException
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 12, in lambda_handler
    'PASSWORD': 'xxxxx'
  File "/var/runtime/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 615, in _make_api_call
    raise error_class(parsed_response, operation_name)
InvalidParameterException: An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client

Any thoughts?

Spotweld answered 27/2, 2018 at 3:33 Comment(0)
120

Figured it out. I had to go to User Pool -> App clients -> Show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).

That fixed it.

Spotweld answered 27/2, 2018 at 3:40 Comment(7)
I was having the same issue and your question appeared on the first page of search. It resolves my problem. Thanks!Hamish
I'm getting "Initiate Auth method not supported.", tried with boto3==1.7.30 and awscli==1.16.3, which versions worked for you?Contrarily
for AWS CDK you need to provide enabledAuthFlows: [AuthFlow.USER_PASSWORD] in appClient Construct.Stearoptene
Perhaps this has moved. It is now under Your User Pools -> (the user pool) -> General Settings -> App Clients -> Show Details -> Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH) It is NOT under App Integration -> App Client SettingsFlorance
if someone is interested in more secure way, check this https://mcmap.net/q/297426/-implementing-user_srp_auth-with-python-boto3-for-aws-cognitoInstructor
In the continual searching for the correct setting in the dashboard, it now appears to be Your User Pools -> (the user pool) -> App Integration -> App Client List -> (the app client name) -> App Client Information -> Edit -> Authentication flows -> Select authentication flows -> ALLOW_USER_PASSWORD_AUTHOrthotropous
Thanks for providing the answer! :-)Clog
18

Figured it out. I had to go to User Pool -> App clients -> Show details -> Enable username password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH).

Dad answered 4/9, 2020 at 0:53 Comment(3)
First choice in the "Auth Flows Configuration" section: imgur.com/a/9G4WkN1Fishbolt
Any idea how to set this flag programmatically in Amplify?Valise
No, have you checked the Amplify Documentation?Dad
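The two answers above (enabling USER_PASSWORD_AUTH for InitiateAuth, and ALLOW_ADMIN_USER_PASSWORD_AUTH for AdminInitiateAuth) both come down to the app client's ExplicitAuthFlows setting. The following is an added example, not code from this thread, that audits that setting from a describe_user_pool_client response and builds the update_user_pool_client call that adds the missing flow. It assumes boto3's cognito-idp request and response shapes; the pool id, client id and the sample description are constructed, and FakeCognito is an offline stand-in for boto3.client('cognito-idp').

```python
"""Added example: audit a Cognito app client's ExplicitAuthFlows and enable a missing flow.

Assumes the boto3 cognito-idp shapes for describe_user_pool_client and
update_user_pool_client. Pool id, client id and SAMPLE_DESCRIPTION are constructed.
"""
import copy

# Legacy names Cognito still accepts in ExplicitAuthFlows, and their ALLOW_* replacements.
LEGACY_TO_ALLOW = {
    "USER_PASSWORD_AUTH": "ALLOW_USER_PASSWORD_AUTH",
    "ADMIN_NO_SRP_AUTH": "ALLOW_ADMIN_USER_PASSWORD_AUTH",
}

# App-client setting needed by each AuthFlow value of InitiateAuth / AdminInitiateAuth.
REQUIRED_SETTING = {
    "USER_PASSWORD_AUTH": "ALLOW_USER_PASSWORD_AUTH",
    "ADMIN_USER_PASSWORD_AUTH": "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "ADMIN_NO_SRP_AUTH": "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "USER_SRP_AUTH": "ALLOW_USER_SRP_AUTH",
    "CUSTOM_AUTH": "ALLOW_CUSTOM_AUTH",
    "REFRESH_TOKEN_AUTH": "ALLOW_REFRESH_TOKEN_AUTH",
}

# What a client supports when ExplicitAuthFlows was never set on it.
DEFAULT_FLOWS = {"ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_CUSTOM_AUTH"}

# Returned by describe_user_pool_client but not accepted by update_user_pool_client.
READ_ONLY_FIELDS = {"ClientSecret", "CreationDate", "LastModifiedDate"}

# Constructed sample of describe_user_pool_client(...)["UserPoolClient"] for a client
# that only has the legacy password flow switched on.
SAMPLE_DESCRIPTION = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ClientId": "exampleclientid",
    "ClientName": "mobile-app",
    "ClientSecret": "example-secret-not-real",
    "ExplicitAuthFlows": ["USER_PASSWORD_AUTH"],
    "RefreshTokenValidity": 30,
    "PreventUserExistenceErrors": "ENABLED",
    "CreationDate": "2018-02-27",
    "LastModifiedDate": "2018-02-27",
}


def effective_flows(description):
    """Return the ALLOW_* flows the client actually honours, normalising legacy names."""
    flows = description.get("ExplicitAuthFlows") or []
    if not flows:
        return set(DEFAULT_FLOWS)
    return {LEGACY_TO_ALLOW.get(f, f) for f in flows}


def flow_is_enabled(description, auth_flow):
    """True if a call with AuthFlow=auth_flow would pass the app-client check."""
    return REQUIRED_SETTING[auth_flow] in effective_flows(description)


def plan_enable_flow(description, auth_flow):
    """Build update_user_pool_client kwargs that add auth_flow, or None if already enabled.

    update_user_pool_client resets every attribute you omit to its default, so the whole
    current description is copied across, minus the read-only fields.
    """
    if flow_is_enabled(description, auth_flow):
        return None
    kwargs = {k: copy.deepcopy(v) for k, v in description.items() if k not in READ_ONLY_FIELDS}
    # Legacy and ALLOW_* names cannot be mixed in one request, so send normalised names only.
    kwargs["ExplicitAuthFlows"] = sorted(effective_flows(description) | {REQUIRED_SETTING[auth_flow]})
    return kwargs


def enable_flow(cognito, user_pool_id, client_id, auth_flow):
    """Describe the client and update it only if the flow is missing; return the flows now set."""
    description = cognito.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id
    )["UserPoolClient"]
    kwargs = plan_enable_flow(description, auth_flow)
    if kwargs is None:
        return sorted(effective_flows(description))
    cognito.update_user_pool_client(**kwargs)
    return kwargs["ExplicitAuthFlows"]


class FakeCognito:
    """Offline stand-in for boto3.client('cognito-idp') with only the two calls used here."""

    def __init__(self, description):
        self.description = copy.deepcopy(description)
        self.updates = []

    def describe_user_pool_client(self, UserPoolId, ClientId):
        if (UserPoolId, ClientId) != (self.description["UserPoolId"], self.description["ClientId"]):
            raise ValueError("unknown user pool client")
        return {"UserPoolClient": copy.deepcopy(self.description)}

    def update_user_pool_client(self, **kwargs):
        self.updates.append(kwargs)
        self.description.update(copy.deepcopy(kwargs))
        return {"UserPoolClient": copy.deepcopy(self.description)}


if __name__ == "__main__":
    # With real AWS: cognito = boto3.client("cognito-idp", region_name="us-east-1")
    cognito = FakeCognito(SAMPLE_DESCRIPTION)
    print(enable_flow(cognito, "us-east-1_EXAMPLE", "exampleclientid", "ADMIN_USER_PASSWORD_AUTH"))
```

The point of copying the whole description is that update_user_pool_client is a replace, not a merge: sending only ExplicitAuthFlows silently resets token validity, callback URLs and the other settings to their defaults.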
5

For me, I found that my credentials needed an HMAC; here is the class in case it is useful to someone.

import boto3
import hmac, base64, hashlib
from getpass import getpass

class AwsAuth(object):
    '''
    Signs in to a Cognito user pool with the USER_PASSWORD_AUTH flow and computes the
    SECRET_HASH that app clients configured with a client secret require.
    '''

    def gettoken(self):
        if self.token:
            return self.token
        else:
            return False

    def connect(self):

        if not self.username:
            self.username = input("Username: ")

        if not self.password:
            # getpass() so the password is not echoed to the terminal
            self.password = getpass("Password: ")

        digest = self.gethmacdigest(self.username)

        response = self.client.initiate_auth(
            ClientId=self.clientid,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': self.username,
                'PASSWORD': self.password,
                'SECRET_HASH': digest
            },
            ClientMetadata={
                'UserPoolId': self.userpoolid
            }
        )
        self.token = response
        return response

    def gethmacdigest(self, username):
        # SECRET_HASH = Base64(HMAC-SHA256(key=client secret, message=username + client id));
        # the username hashed here must be exactly the USERNAME sent in AuthParameters
        message = username + self.clientid
        dig = hmac.new(self.clientsecret.encode('UTF-8'), msg=message.encode('UTF-8'), digestmod=hashlib.sha256).digest()
        return base64.b64encode(dig).decode()


    def __init__(self, path, url, fileout, filein, userpoolid, clientid, clientsecret, region, username = None, password = None):
        '''
        Constructor
        '''

        #boto3.set_stream_logger('botocore', level="DEBUG")

        self.path = path
        self.url = url
        self.fileout = fileout
        self.filein = filein
        self.userpoolid = userpoolid
        self.clientid = clientid
        self.clientsecret = clientsecret
        self.region = region
        self.token = ""

        boto3.setup_default_session(region_name=region)

        self.client = boto3.client('cognito-idp')
        self.username = username
        self.password = password
Jurassic answered 3/10, 2018 at 16:12 Comment(0)
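The SECRET_HASH in the answer above is the piece that trips most people up once an app client has a secret: Cognito rejects USER_PASSWORD_AUTH and ADMIN_USER_PASSWORD_AUTH calls without it, and silently rejects it when the hashed username differs from the USERNAME parameter. The following added example, not code from this thread, isolates that computation and builds the correct InitiateAuth or AdminInitiateAuth request around it. It assumes boto3's cognito-idp method names and parameter shapes; the client id, secret, pool id and credentials are constructed placeholders, and RecordingCognito is an offline stand-in for the boto3 client.

```python
"""Added example: Cognito SECRET_HASH plus a password-flow request builder.

Assumes boto3's cognito-idp initiate_auth / admin_initiate_auth signatures. The
client id, client secret, pool id and credentials used below are constructed.
"""
import base64
import hashlib
import hmac


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    The USERNAME sent in AuthParameters must be byte-for-byte the value hashed here:
    if users sign in with an email alias, hash the alias, not the pool username.
    """
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def build_password_auth(client_id, username, password, client_secret=None, user_pool_id=None):
    """Return (boto3 method name, kwargs) for the username/password flow.

    With a user_pool_id the call is admin_initiate_auth with ADMIN_USER_PASSWORD_AUTH,
    which needs ALLOW_ADMIN_USER_PASSWORD_AUTH on the client and IAM permission for
    cognito-idp:AdminInitiateAuth on the caller. Without one it is initiate_auth with
    USER_PASSWORD_AUTH, which needs ALLOW_USER_PASSWORD_AUTH. SECRET_HASH is added only
    when the client has a secret.
    """
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    if user_pool_id:
        return "admin_initiate_auth", {
            "UserPoolId": user_pool_id,
            "ClientId": client_id,
            "AuthFlow": "ADMIN_USER_PASSWORD_AUTH",
            "AuthParameters": params,
        }
    return "initiate_auth", {
        "ClientId": client_id,
        "AuthFlow": "USER_PASSWORD_AUTH",
        "AuthParameters": params,
    }


def password_auth(cognito, **kwargs):
    """Run the flow against anything exposing initiate_auth/admin_initiate_auth (boto3 or a fake)."""
    method, call_kwargs = build_password_auth(**kwargs)
    return getattr(cognito, method)(**call_kwargs)


class RecordingCognito:
    """Offline stand-in for boto3.client('cognito-idp') that records the call it receives."""

    def __init__(self):
        self.calls = []

    def _answer(self, method, kwargs):
        self.calls.append((method, kwargs))
        # Constructed response shape; a real call returns signed JWTs here.
        return {"AuthenticationResult": {"IdToken": "constructed-id-token"}}

    def initiate_auth(self, **kwargs):
        return self._answer("initiate_auth", kwargs)

    def admin_initiate_auth(self, **kwargs):
        return self._answer("admin_initiate_auth", kwargs)


if __name__ == "__main__":
    # With real AWS: cognito = boto3.client("cognito-idp", region_name="us-east-1")
    cognito = RecordingCognito()
    result = password_auth(
        cognito,
        client_id="exampleclientid",
        username="alice",
        password="constructed-password",
        client_secret="example-secret-not-real",
    )
    print(cognito.calls[0][0], result["AuthenticationResult"]["IdToken"])
```

Keep the client secret out of mobile or browser code altogether: a secret that ships in an app is public, and the Lambda in the question is the right place for it (read from an environment variable or Secrets Manager rather than a literal).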
5

A picture is worth a thousand words

  • Go to the Cognito Service [screenshot]

  • Then, select the app client [screenshot]

  • Finally, edit the authentication workflows [screenshot]

Seften answered 8/2, 2023 at 14:22 Comment(0)
2

Go to the Cognito Service [screenshot]

Then, select the app client

Click Edit, and select USER_PASSWORD_AUTH [screenshots]

After that I tried to log in and got a successful response [screenshot]

Cardoza answered 6/5, 2023 at 8:41 Comment(0)
0

Figured it out after many attempts. Here is my solution:

  1. Go to Cognito from the AWS console
  2. Then click on the desired pool for which you are facing the error
  3. Now click on the App Clients option in the left panel. It will show you the available clients
  4. Click on Show Details for your desired app client. Then, in the Auth Flows Configuration section, make sure Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH) is checked.

For more details on the API, refer to the InitiateAuth documentation.

Frodi answered 9/11, 2022 at 4:56 Comment(0)
-1

I figured it out. Instead of AuthFlow, pass ExplicitAuthFlows; then it should work.

import boto3
def lambda_handler(event, context):
    client = boto3.client('cognito-idp')
    response = client.initiate_auth(
        UserPoolId='xxxxxxxxx',
        ClientId='xxxxxxxxxxxxxx',
        ExplicitAuthFlows='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': 'xxxxxx',
            'PASSWORD': 'xxxxxx'
        }
    )
    return response

Metrical answered 4/12, 2018 at 7:6 Comment(2)
But AuthFlow is a REQUIRED parameter.Farfetched
Yeah it is a required parameter. ExplicitAuthFlows is actually calling AuthFlow only.Metrical

© 2022 - 2024 — McMap. All rights reserved.