admin-initiate-auth with AWS CLI on a Cognito App-client with a secret












0















I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without and app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:



https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html



I should be able to do it by passing the App secret, like this:



(broken up for formatting, I'm entering it as a full line)



aws cognito-idp admin-initiate-auth 

    --user-pool-id us-east-1_xxxxxxxx 

    --region=us-east-1 

    --client-id xxxxxxxxxxxxxxxxxxxxx

    --auth-flow ADMIN_NO_SRP_AUTH

    --auth-parameters

        USERNAME=TestUser

        PASSWORD='Test_Password'

        SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 

    --profile AwsProfile


I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.



However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx



What could I be doing wrong?






amazon-web-services amazon-cognito aws-cli







share|improve this question























  • What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

    – Deepthi
    Nov 22 '18 at 10:35











  • No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

    – Pablo Barría Urenda
    Nov 22 '18 at 16:30











  • Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

    – Deepthi
    Nov 23 '18 at 9:28
















0















I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without and app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:



https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html



I should be able to do it by passing the App secret, like this:



(broken up for formatting, I'm entering it as a full line)



aws cognito-idp admin-initiate-auth 

    --user-pool-id us-east-1_xxxxxxxx 

    --region=us-east-1 

    --client-id xxxxxxxxxxxxxxxxxxxxx

    --auth-flow ADMIN_NO_SRP_AUTH

    --auth-parameters

        USERNAME=TestUser

        PASSWORD='Test_Password'

        SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 

    --profile AwsProfile


I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.



However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx



What could I be doing wrong?






amazon-web-services amazon-cognito aws-cli







share|improve this question























  • What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

    – Deepthi
    Nov 22 '18 at 10:35











  • No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

    – Pablo Barría Urenda
    Nov 22 '18 at 16:30











  • Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

    – Deepthi
    Nov 23 '18 at 9:28














0












0








0








I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without and app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:



https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html



I should be able to do it by passing the App secret, like this:



(broken up for formatting, I'm entering it as a full line)



aws cognito-idp admin-initiate-auth 

    --user-pool-id us-east-1_xxxxxxxx 

    --region=us-east-1 

    --client-id xxxxxxxxxxxxxxxxxxxxx

    --auth-flow ADMIN_NO_SRP_AUTH

    --auth-parameters

        USERNAME=TestUser

        PASSWORD='Test_Password'

        SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 

    --profile AwsProfile


I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.



However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx



What could I be doing wrong?






amazon-web-services amazon-cognito aws-cli







share|improve this question














I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without and app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:



https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html



I should be able to do it by passing the App secret, like this:



(broken up for formatting, I'm entering it as a full line)



aws cognito-idp admin-initiate-auth 

    --user-pool-id us-east-1_xxxxxxxx 

    --region=us-east-1 

    --client-id xxxxxxxxxxxxxxxxxxxxx

    --auth-flow ADMIN_NO_SRP_AUTH

    --auth-parameters

        USERNAME=TestUser

        PASSWORD='Test_Password'

        SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 

    --profile AwsProfile


I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.



However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx



What could I be doing wrong?






amazon-web-services amazon-cognito aws-cli




amazon-web-services amazon-cognito aws-cli






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 21 '18 at 13:26









Pablo Barría UrendaPablo Barría Urenda

2,17241020




2,17241020













  • What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

    – Deepthi
    Nov 22 '18 at 10:35











  • No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

    – Pablo Barría Urenda
    Nov 22 '18 at 16:30











  • Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

    – Deepthi
    Nov 23 '18 at 9:28



















  • What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

    – Deepthi
    Nov 22 '18 at 10:35











  • No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

    – Pablo Barría Urenda
    Nov 22 '18 at 16:30











  • Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

    – Deepthi
    Nov 23 '18 at 9:28

















What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

– Deepthi
Nov 22 '18 at 10:35





What is the SECRET_HASH value that you are passing? It should be a MAC of user-id and client-id signed in client secret key with HmacSHA256 and encoded in Base64.

– Deepthi
Nov 22 '18 at 10:35













No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

– Pablo Barría Urenda
Nov 22 '18 at 16:30





No, I assumed I just needed the "App Secret" provided by Cognito. How can I know if I need this HmacSHA256 hash? Can you point to somewhere in the docs?

– Pablo Barría Urenda
Nov 22 '18 at 16:30













Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

– Deepthi
Nov 23 '18 at 9:28





Yes: docs.amazonaws.cn/en_us/cognito/latest/developerguide/…

– Deepthi
Nov 23 '18 at 9:28












1 Answer
1






active

oldest

votes


















1














Compute your SECRET_HASH as follows:




Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" )
)




Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413080%2fadmin-initiate-auth-with-aws-cli-on-a-cognito-app-client-with-a-secret%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    Compute your SECRET_HASH as follows:




    Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" )
    )




    Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash






    share|improve this answer




























      1














      Compute your SECRET_HASH as follows:




      Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" )
      )




      Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash






      share|improve this answer


























        1












        1








        1







        Compute your SECRET_HASH as follows:




        Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" )
        )




        Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash






        share|improve this answer













        Compute your SECRET_HASH as follows:




        Base64 ( HMAC_SHA256 ( "Client Secret Key", "Username" + "Client Id" )
        )




        Ref: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 23 '18 at 9:29









        DeepthiDeepthi

        15218




        15218
































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413080%2fadmin-initiate-auth-with-aws-cli-on-a-cognito-app-client-with-a-secret%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How to change which sound is reproduced for terminal bell?

            Image
            3 Recently upgrade to 18.10 from 18.04, and using the terminal is becoming annoying: the new alert sound is a drip ( /usr/share/sounds/gnome/default/alerts/drip.ogg ), and the previous one is still located at ( /usr/share/sounds/ubuntu/stereo/bell.ogg ). My issue is that at the gnome-terminal, when autocompleting or pressing left BOTH sounds are reproduced, at the same time. I want to just have ubuntu/stereo/bell.ogg active, not both . At the moment I have been only able to reduce the volume of the alerts (but still both are played), or turn the alerts down (but I dislike both "solutions"). gnome-terminal 18.10 teminal-bell share | improve this question
            Read more

            Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

            Image
            up vote 5 down vote favorite 2 I would like to make it so that the vertical space below the title of each chapter is the same when using the Bjornstrup package (i.e. so that the descenders do not affect the spacing - as shown by the red arrow in the picture below). I think I'm fairly happy with the spacing around "A chapter", so I'd really like titles without descenders (e.g. "Contents") to have the same vertical spacing as "A chapter" below the title. I would also like to remove the large "0" in the contents title. Any help appreciated, as always. documentclass[11pt,a4paper]{book} % Packages[![enter image description here][1]][1] usepackage[left=3.5cm, right=3.5cm, top=4.3cm, bottom=4.25cm]{geometry} usepackage[utf8]{inputenc} usepackage{libertine} usepackage[libertine]{newtx
            Read more

            Can I use Tabulator js library in my java Spring + Thymeleaf project?

            Image
            0 I want to add Tabulator js to my java project. I added tabulator.min.js, tabulator.min.css to resources folder. After that added to my html page these dependencies as recommending in readme.md. <link rel="stylesheet" th:href="@{/css/tabulator.min.css}"> <script type="text/javascript" th:src="@{/js/tabulator.min.js}"></script> Now my tables view all elements, that I have in the html page, but not correct. In the documentation of Tabulator is example how to create header and table, var table = new Tabulator("#example-table", { columns:[ {title:"Name", field:"name", sorter:"string", width:200, editor:true}, {title:"Age", field:"age", sorter:"
            Read more