[Feature Request] Custom Auth Flow #410

Closed
athirasubair opened this issue Feb 25, 2021 · 22 comments
Labels
auth Issues related to the Auth Category feature-request A request for a new feature or an enhancement to an existing API or category.

Comments

@athirasubair

"authenticationFlowType": "CUSTOM_AUTH"

@haverchuck
Contributor

@athirasubair Are you using the Cognito Custom Auth Challenge triggers as described here?

@haverchuck haverchuck added auth Issues related to the Auth Category clarification-needed question A question about the Amplify Flutter libraries labels Feb 26, 2021
@athirasubair
Author

@haverchuck Yes we are using the same.

@haverchuck haverchuck self-assigned this Mar 1, 2021
@LabN36

LabN36 commented Mar 13, 2021

Do we have any update on this? When we change authenticationFlowType to CUSTOM_AUTH it basically throws the error saying username/password is incorrect.

Is Custom_Auth even supported in Flutter?

I've also followed this amplify android link https://docs.amplify.aws/sdk/auth/custom-auth-flow/q/platform/android#custom-authentication-in-amplify it says that

in the app code call signIn with a dummy password. Any custom challenges needs to be answered using the confirmSignIn method as follows:

Here, what do they mean by dummy password?

@varun-esotec

Hi! We're experiencing the same. We've set up the lambda triggers as mentioned in the docs and have updated our amplifyconfiguration.dart to use CUSTOM_AUTH.

However, it seems like the user always fails to sign in when we use this and we had to then switch back to USER_SRP_AUTH

@b3nni97

b3nni97 commented Apr 6, 2021

any updates?

@mkdsrt10

Hi, Any update on this?

@capida

capida commented Sep 24, 2021

Hi, I had implemented the CUSTOM_AUTH flow for my web app because it is relevant for my use case. Finally we decided to create an Android/iOS app using Flutter; we are almost done, only to find that this flow is not supported yet. Any update? Or an alternative while this is implemented?

@vhlnd

vhlnd commented Nov 29, 2021

Hallo Universe, while we wait, here is the manual implementation of custom authentication flow in flutter using Cognito cli REST API,

import 'dart:convert';
import 'package:http/http.dart' as http;

// Trigger Create Auth Challenge, returns Session Token, etc.
// The http package is imported with the prefix `http`, so the return type is http.Response.

Future<http.Response> loginWithCustomAuthFlow(String username) async {
  var url = Uri.parse('https://cognito-idp.{YOUR_AWS_REGION}.amazonaws.com/');

  // InitiateAuth request body: only the username is sent for CUSTOM_AUTH.
  Map<String, dynamic> data = {
    'AuthParameters': { 'USERNAME': username },
    'AuthFlow' : 'CUSTOM_AUTH',
    'ClientId' : '{YOUR_COGNITO_CLIENT_ID}'
  };

  // X-Amz-Target selects the Cognito operation on the shared endpoint.
  Map<String,String> headers = {
    'Content-Type':'application/x-amz-json-1.1',
    'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth'
  };

  return http.post(url, headers: headers, body: jsonEncode(data));
}

// Trigger Verify Auth Challenge, returns AuthenticationResult (AccessToken, RefreshToken) etc

Future<http.Response> respondToAuthChallenge(String username, String otp, String sessionToken) async {
  var url = Uri.parse('https://cognito-idp.{YOUR_AWS_REGION}.amazonaws.com/');

  // The Session value returned by the previous call ties the answer to the pending challenge.
  Map<String, dynamic> data = {
    'ChallengeResponses': { 'USERNAME': username, 'ANSWER': otp },
    'ChallengeName' : 'CUSTOM_CHALLENGE',
    'ClientId' : '{YOUR_COGNITO_CLIENT_ID}',
    'Session': sessionToken
  };

  Map<String,String> headers = {
    'Content-Type':'application/x-amz-json-1.1',
    'X-Amz-Target': 'AWSCognitoIdentityProviderService.RespondToAuthChallenge'
  };

  return http.post(url, headers: headers, body: jsonEncode(data));
}
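The two calls in the comment above return raw HTTP responses; the following is an added example (not part of the original post and not Amplify's code) of classifying those responses before any token is trusted. `AuthStep` and `parseAuthStep` are hypothetical names, the sample bodies are constructed, and the JSON field names are those of Cognito's InitiateAuth and RespondToAuthChallenge responses.

```dart
import 'dart:convert';

/// Outcome of one InitiateAuth / RespondToAuthChallenge round trip (hypothetical type).
class AuthStep {
  final String? session; // pass to the next RespondToAuthChallenge call
  final String? challenge; // pending challenge name, if any
  final Map<String, dynamic>? tokens; // AuthenticationResult once signed in
  final String? error; // Cognito exception type or a local parse error
  const AuthStep({this.session, this.challenge, this.tokens, this.error});
  bool get signedIn => tokens != null;
}

/// Classifies a Cognito response from its HTTP status code and JSON body.
AuthStep parseAuthStep(int statusCode, String body) {
  Object? decoded;
  try {
    decoded = jsonDecode(body);
  } on FormatException {
    return const AuthStep(error: 'MalformedResponse');
  }
  if (decoded is! Map<String, dynamic>) {
    return const AuthStep(error: 'MalformedResponse');
  }
  if (statusCode != 200) {
    // Error bodies carry the exception name in "__type".
    final type = decoded['__type'];
    return AuthStep(error: type is String ? type : 'HTTP $statusCode');
  }
  final result = decoded['AuthenticationResult'];
  if (result is Map<String, dynamic> && result['AccessToken'] is String) {
    return AuthStep(tokens: result);
  }
  final session = decoded['Session'];
  if (decoded['ChallengeName'] == 'CUSTOM_CHALLENGE' && session is String) {
    // A wrong answer can return a fresh challenge: always send the newest Session.
    return AuthStep(session: session, challenge: 'CUSTOM_CHALLENGE');
  }
  return AuthStep(error: 'UnexpectedChallenge: ${decoded['ChallengeName']}');
}

void main() {
  // Constructed sample responses (body -> HTTP status), not captured traffic.
  const samples = <String, int>{
    '{"ChallengeName":"CUSTOM_CHALLENGE","Session":"sess-1","ChallengeParameters":{}}': 200,
    '{"AuthenticationResult":{"AccessToken":"a","IdToken":"i","RefreshToken":"r"}}': 200,
    '{"__type":"NotAuthorizedException","message":"Incorrect username or password."}': 400,
  };
  samples.forEach((body, status) {
    final step = parseAuthStep(status, body);
    // Print only the outcome; never log Session values or tokens.
    print('signedIn=${step.signedIn} challenge=${step.challenge} error=${step.error}');
  });
}
```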

@ayoVodafone

Hi,
The link:

https://docs.amplify.aws/lib/auth/signin_with_custom_flow/q/platform/android/

says:

Android is not supported on this page. Please select one of the following:

does that mean we can't implement a custom sign-in flow out of the box with amplify?

@juanrequeijo

Hi! We are still having problem with confirmSignIn:

underlyingException:"java.lang.IllegalStateException: confirmSignIn called after signIn has succeeded"

Using javascript => Auth.sendCustomChallengeAnswer(this.auth.user, this.token) function works perfectly. Already using confirmSignIn gives this error.

Can anyone help us?

@juanrequeijo

Does anyone have a workaround?

@juanrequeijo

Hi @dnys1

Six months ago the lib didn't support this custom flow:
#276

Still not working?

@dnys1
Contributor

dnys1 commented Mar 3, 2022

@juanrequeijo - custom auth is currently still unsupported. However, it has been prioritized for a future release. There are currently no workarounds at the moment outside of the ones mentioned in this thread.

@arunwij

arunwij commented Mar 7, 2022

Hallo Universe, while we wait, here is the manual implementation of custom authentication flow in flutter using Cognito cli REST API,

If I authenticate the user with Cognito REST API, can I still use amplify client library to handle other API calls?

@Jordan-Nelson Jordan-Nelson added feature-request A request for a new feature or an enhancement to an existing API or category. and removed question A question about the Amplify Flutter libraries clarification-needed labels Mar 8, 2022
@Jordan-Nelson Jordan-Nelson changed the title How to change authentication flow to custom auth [Feature Request] Custom Auth Flow Mar 8, 2022
@vhlnd

vhlnd commented Mar 15, 2022

Hi Folks, I'm struggling implementing a sign up using only the phone number. The following quote is only about signing in.

Hallo Universe, while we wait, here is the manual implementation of custom authentication flow in flutter using Cognito cli REST API,

I found this method https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/sign-up.html.

So what I understand is that I could use Amplify to create a user, then using cognito API to log in my user. No idea how nor how I should configure my pool for that purpose.

Any idea / help / tuto ?

Thanks

Hi, @Simon-PumpAndUp, maybe this might help, here is a link to a guide on how to setup backend for phone/sms password-less authentication: https://itnext.io/passwordless-sms-authentication-backend-9932391c49dc
So for example with the code above, once the backend has been set up, to sign up a user it's the same as sign in, since it's password-less, only need an email or phone number to receive OTP, you can then maybe add extra logic to push extra user information to Cognito once the OTP challenge succeeds.

@Simon-PumpAndUp

Simon-PumpAndUp commented Mar 19, 2022

If I authenticate the user with Cognito REST API, can I still use amplify client library to handle other API calls?

Yes! Here is how I did this:

Create a user using this endpoint. Keep the password.

After you verified your user with the OTP, log it out.

Then use Amplify.Auth and the password you used for the user and voila.

Not sure how to use the admin* endpoints. For when the user logs in and is not creating an account, you have to retrieve the password or create a new one using this endpoint. Not figured it out yet

@dnys1
Contributor

dnys1 commented May 25, 2022

Thanks for your patience bringing this feature to Amplify Flutter. It has been released in v0.5.0

Custom Auth flows are now available with passwordless logins. To support this change, the password attribute is now optional in the Auth.signIn API. While this should not prove breaking in most cases, we are calling it out since it alters a very commonly used API.

How to Migrate:

Pass null to the Auth.signIn API only for passwordless login, using Cognito Custom Auth flows

@dnys1 dnys1 closed this as completed May 25, 2022
@Jordan-Nelson
Member

Docs: https://docs.amplify.aws/lib/auth/signin_with_custom_flow/q/platform/flutter/

@dagovalsusa

Hello everyone,
I've tried to implement Custom Auth Flow with passwordless login using v0.6.10 of amplify_flutter, but when I call Amplify.Auth.signIn('username') the response is "Cannot issue tokens when ChallengeName is SRP_A".
My Cognito is set right because we have used it in production for 2 years, and without amplify_flutter lib, it works.
Further with amplify_flutter v1.0.0-next1 the method Amplify.Auth.signIn('username') works perfectly.
So, I think that in version 0.6.x there is a bug for the CUSTOM_AUTH flow.

Here is my amplifyconfiguration; my piece of code is equal to the tutorial example.

const amplifyconfig = ''' {
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "IdentityManager": { "Default": {} },
        "CognitoUserPool": {
          "Default": {
            "PoolId": "us-east-1_xxxxxxx",
            "AppClientId": "xxxxxxxxxxxxxxxx",
            "Region": "us-east-1"
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "CUSTOM_AUTH",
            "OAuth": {
              "WebDomain": "xxxxxxx",
              "AppClientId": "xxxxxxxxxxxxxxxxx",
              "SignInRedirectURI": "xxx://",
              "SignOutRedirectURI": "xxx://",
              "Scopes": [ "phone", "email", "openid", "profile", "aws.cognito.signin.user.admin" ]
            }
          }
        }
      }
    }
  }
}''';

@Simon-PumpAndUp

Hey @dagovalsusa, try replacing with the following:
"authenticationFlowType": "USER_SRP_AUTH | USER_PASSWORD_AUTH | CUSTOM_AUTH",

Also make sure to call the signing in method with the option param:

Amplify.Auth.signIn(
        username: 'xxx',
        password: 'xxx',
        options: CognitoSignInOptions(authFlowType: AuthenticationFlowType.userSrpAuth),
      );

@dagovalsusa

Hey @dagovalsusa, try replacing with the following: "authenticationFlowType": "USER_SRP_AUTH | USER_PASSWORD_AUTH | CUSTOM_AUTH",

Also make sure to call the signing in method with the option param:

Amplify.Auth.signIn(
        username: 'xxx',
        password: 'xxx',
        options: CognitoSignInOptions(authFlowType: AuthenticationFlowType.userSrpAuth),
      );

I tried replacing
"authenticationFlowType": "USER_SRP_AUTH | USER_PASSWORD_AUTH | CUSTOM_AUTH",

And add options param to signIn method (but my password is null because is passwordless)

      SignInResult result = await Amplify.Auth.signIn(
        username: email,
        password: null,
        options: CognitoSignInOptions(authFlowType: AuthenticationFlowType.customAuth),
      );

But it does not work; the response is

LambdaException(message: Cannot issue tokens when ChallengeName is SRP_A, recoverySuggestion: Make sure that the lambda configuration is correct, underlyingException: The operation couldn’t be completed. (AmplifyPlugins.AWSCognitoAuthError error 16.

@Simon-PumpAndUp

Simon-PumpAndUp commented Nov 21, 2022

And add options param to signIn method (but my password is null because is passwordless)

Ha nevermind, then your config is ok then using only "CUSTOM_AUTH"
Also check this doc: https://docs.amplify.aws/lib/auth/signin_with_custom_flow/q/platform/flutter/#configure-auth-category

I think the bottom line is: a cognito user must have a password
