AWS Cognito Authentication USER_PASSWORD_AUTH flow not enabled for this client
Solution 1
Figured it out. I had to go to user pool -> app clients -> show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).
That fixed it.
Solution 2
Figured it out. I had to go to user pool -> app clients -> show details -> Enable username password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH).
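The console setting from Solutions 1 and 2 can also be changed through the API. The following is an added example, not code from the original answers: it assumes a boto3 `cognito-idp` client and rebuilds the `update_user_pool_client` call from the app client's current settings, because attributes left out of that call are reset to their defaults. The ids and values in the sample response are constructed placeholders.

```python
# Added example: enable one auth flow on a Cognito app client without
# resetting its other settings. Sample data below is constructed.

# Fields that describe_user_pool_client returns but update_user_pool_client
# does not accept (assumption: check this list against your boto3 version).
READ_ONLY_FIELDS = ("ClientSecret", "CreationDate", "LastModifiedDate")
# Older flow names; Cognito rejects a list that mixes them with ALLOW_ names.
LEGACY_FLOWS = {"ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH"}


def plan_flow_update(described, flow="ALLOW_USER_PASSWORD_AUTH"):
    """Build update_user_pool_client kwargs from a describe_user_pool_client
    response. Returns None when the flow is already enabled."""
    current = described["UserPoolClient"]
    flows = list(current.get("ExplicitAuthFlows", []))
    if flow in flows:
        return None
    legacy = LEGACY_FLOWS.intersection(flows)
    if legacy:
        raise ValueError("migrate legacy flow names first: %s" % sorted(legacy))
    # Send the existing configuration back with the single change, so token
    # lifetimes, OAuth settings and attribute permissions are not reset.
    kwargs = {k: v for k, v in current.items() if k not in READ_ONLY_FIELDS}
    kwargs["ExplicitAuthFlows"] = flows + [flow]
    return kwargs


def enable_flow(client, user_pool_id, client_id, flow="ALLOW_USER_PASSWORD_AUTH"):
    """client is a boto3 'cognito-idp' client. Returns True if a change was sent."""
    described = client.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id)
    kwargs = plan_flow_update(described, flow)
    if kwargs is None:
        return False
    client.update_user_pool_client(**kwargs)
    return True


if __name__ == "__main__":
    sample = {"UserPoolClient": {  # constructed response with placeholder ids
        "UserPoolId": "us-east-1_EXAMPLE", "ClientId": "exampleclientid",
        "ClientName": "mobile", "RefreshTokenValidity": 30,
        "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
        "CreationDate": "2022-07-09", "ClientSecret": "not-a-real-secret"}}
    print(plan_flow_update(sample))
```

Reviewing the printed plan before calling `enable_flow` shows exactly which flows the client will accept afterwards.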
Solution 3
For me, I found that my credentials needed an HMAC. Here is the class in case it is useful to someone.
    import base64
    import getpass
    import hashlib
    import hmac

    import boto3


    class AwsAuth(object):
        '''
        Signs in to a Cognito user pool app client that has a client secret,
        using the USER_PASSWORD_AUTH flow.
        '''

        def gettoken(self):
            # Return the cached initiate_auth response, or False before connect().
            if self.token:
                return self.token
            else:
                return False

        def connect(self):
            # Prompt for anything that was not passed to the constructor.
            if not self.username:
                self.username = input("Username: ")  # raw_input() on Python 2
            if not self.password:
                self.password = getpass.getpass("Password: ")  # not echoed
            digest = self.gethmacdigest(self.username)
            response = self.client.initiate_auth(
                ClientId=self.clientid,
                AuthFlow='USER_PASSWORD_AUTH',
                AuthParameters={
                    'USERNAME': self.username,
                    'PASSWORD': self.password,
                    'SECRET_HASH': digest
                },
                ClientMetadata={
                    'UserPoolId': self.userpoolid
                }
            )
            self.token = response
            return response

        def gethmacdigest(self, username):
            # SECRET_HASH = Base64(HMAC-SHA256(key=client secret, msg=username + client id))
            message = username + self.clientid
            dig = hmac.new(self.clientsecret.encode('UTF-8'),  # key must be bytes on Python 3
                           msg=message.encode('UTF-8'),
                           digestmod=hashlib.sha256).digest()
            return base64.b64encode(dig).decode()

        def __init__(self, path, url, fileout, filein, userpoolid, clientid, clientsecret, region, username = None, password = None):
            '''
            Constructor
            '''
            #boto3.set_stream_logger('botocore', level="DEBUG")
            self.path = path
            self.url = url
            self.fileout = fileout
            self.filein = filein
            self.userpoolid = userpoolid
            self.clientid = clientid
            self.clientsecret = clientsecret
            self.region = region
            self.token = ""
            boto3.setup_default_session(region_name=region)
            self.client = boto3.client('cognito-idp')
            # None means "prompt in connect()".
            self.username = username
            self.password = password
Admin
Updated on July 09, 2022
Comments
-
Admin almost 2 years
I have a mobile app with a user pool (username & password). The app works fine with the aws-amplify SDK. But I wanted to move the code out to Lambdas. So, I have written the following Lambda using Boto3.
Here is Lambda:
    import boto3

    def lambda_handler(event, context):
        client = boto3.client('cognito-idp')
        response = client.initiate_auth(
            ClientId='xxxxxxxxxxxxxx',
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': 'xxxxxx',
                'PASSWORD': 'xxxxxx'
            }
        )
        return response
Tried admin_initiate_auth too.
    import boto3

    def lambda_handler(event, context):
        client = boto3.client('cognito-idp')
        response = client.initiate_auth(
            UserPoolId='xxxxxxxxx',
            ClientId='xxxxxxxxxxxxxx',
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={
                'USERNAME': 'xxxxxx',
                'PASSWORD': 'xxxxxx'
            }
        )
        return response
Here is the error that I get.

    An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client: InvalidParameterException
    Traceback (most recent call last):
      File "/var/task/lambda_function.py", line 12, in lambda_handler
        'PASSWORD': 'xxxxx'
      File "/var/runtime/botocore/client.py", line 317, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "/var/runtime/botocore/client.py", line 615, in _make_api_call
        raise error_class(parsed_response, operation_name)
    InvalidParameterException: An error occurred (InvalidParameterException) when calling the InitiateAuth operation: USER_PASSWORD_AUTH flow not enabled for this client

Any thoughts?
-
KMC about 6 years
I was having the same issue and your question appeared on the first page of search. It resolves my prob. Thanks!
-
Efren over 5 years
I'm getting "Initiate Auth method not supported.", tried with boto3==1.7.30 and awscli==1.16.3, which versions worked for you?
-
Kushan Gunasekera almost 5 years
But AuthFlow is a REQUIRED parameter.
-
Admin almost 5 years
Yeah it is a required parameter. ExplicitAuthFlows is actually calling AuthFlow only.
-
Townsheriff over 4 years
For AWS CDK you need to provide enabledAuthFlows: [AuthFlow.USER_PASSWORD] in appClient Construct.
-
nachbar almost 4 years
Perhaps this has moved. It is now under Your User Pools -> (the user pool) -> General Settings -> App Clients -> Show Details -> Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH). It is NOT under App Integration -> App Client Settings.
-
MarkHu over 3 years
First choice in the "Auth Flows Configuration" section: imgur.com/a/9G4WkN1
-
isick almost 3 years
Any idea how to set this flag programmatically in Amplify?
-
pedro.caicedo.dev over 2 years
No, have you checked the Amplify Documentation?
-
Shubham Jain over 2 years
If someone is interested in a more secure way, check this: stackoverflow.com/a/43046495/9163608