Added MFA authenitcation support with prompt for confirmation code by talyaniv · Pull Request #13 · AnomalyInnovations/aws-api-gateway-cli-test

talyaniv · 2019-03-14T08:19:11Z

Also see updated package.json with latest aws-sdk version

jayair · 2019-03-14T17:56:36Z

Thanks for the PR!

Can you give me some instructions on how to test it?

talyaniv · 2019-03-14T19:01:28Z

Sure! you need to create a user pool and require MFA, see attached screenshot. SNS should be enabled as well. Once the pool is set-up, every successful user/password login attempt will emit an SMS confirmation code to the user. The CLI will halt and prompt for the code. If a correct code is entered it will complete the process. I would test all positive and negative options, e.g.:

Standard login without MFA (regression test for current version)
MFA with correct code
MFA with incorrect code

jayair · 2019-03-22T17:05:49Z

Awesome! I'll give it a try this weekend.

jayair · 2019-04-08T02:00:26Z

@talyaniv I'm trying to test this. Can you tell me how to create a user that needs MFA?

Currently we use this to create a user:

aws cognito-idp sign-up \
  --region YOUR_COGNITO_REGION \
  --client-id YOUR_COGNITO_APP_CLIENT_ID \
  --username admin@example.com \
  --password Passw0rd!

talyaniv · 2019-04-11T05:58:28Z

@jayair This is the complete sign-in flow for MFA enforced user:

Sign up:

aws cognito-idp sign-up \ 
   --region YOUR_COGNITO_REGION \ 
   --client-id YOUR_COGNITO_APP_CLIENT_ID \ 
   --username user@example.com \ 
   --password PAssWOrd! \ 
   --user-attributes "[{\"Name\": \"phone_number\", \"Value\": \"+2123454567\"}]"

The expected response:

{
    "UserConfirmed": false,
    "UserSub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "CodeDeliveryDetails": {
        "AttributeName": "phone_number",
        "Destination": "+********3456",
        "DeliveryMedium": "SMS"
    }
}

After the confirmation code 123456 received at my device I call:

aws cognito-idp confirm-sign-up \
   --region YOUR_COGNITO_REGION \
   --client-id YOUR_COGNITO_APP_CLIENT_ID \
   --username user@example.com \
   --confirmation-code 123456

No response payload should be expected on this one.

Now, when the user is confirmed, this is how the sign-in flow looks like

aws cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --client-id YOUR_COGNITO_APP_CLIENT_ID \
  --auth-parameters USERNAME="user@example.com",PASSWORD="PAssWOrd!"

The expected response:

{
    "ChallengeName": "SMS_MFA",
    "ChallengeParameters": {
        "CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
        "CODE_DELIVERY_DESTINATION": "+********4567",
        "USER_ID_FOR_SRP": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
    "Session": "LONG_SESSION_STRING"
}

You should be receiving the auth code at your device and complete the auth sign-in flow by confirming it:

aws cognito-idp respond-to-auth-challenge \
   --client-id YOUR_COGNITO_APP_CLIENT_ID \
   --challenge-name SMS_MFA \
   --challenge-responses USERNAME=user@example.com,SMS_MFA_CODE=345678 \
   --session "LONG_SESSION_STRING"

And now the final response looks like a standard sign-in response:

{
    "AuthenticationResult": {
        "ExpiresIn": 3600,
        "IdToken": "LONG_ID_TOKEN",
        "RefreshToken": "LONG_REFRESH_TOKEN",
        "TokenType": "Bearer",
        "AccessToken": "LONG_ACCESS_TOKEN",
        "ChallengeParameters": {}
}

talyaniv · 2019-04-11T06:06:19Z

Also see my previous reply with screenshot. Make sure you mark the MFA related checkboxes and options.

ozbillwang · 2019-06-02T08:24:39Z

one suggestion.

Could we have a new option, such as --mfa=xxxxxx as well?

jayair · 2019-06-17T17:33:09Z

@ozbillwang What would this option do?

ozbillwang · 2019-06-18T00:39:24Z

@jayair

Since this is a command line, I can run it with shell scripting with new generated MFA token every time.

Added MFA authenitcation support with prompt for confirmation code

764d109

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added MFA authenitcation support with prompt for confirmation code#13

Added MFA authenitcation support with prompt for confirmation code#13
talyaniv wants to merge 1 commit into
AnomalyInnovations:masterfrom
talyaniv:master

talyaniv commented Mar 14, 2019

Uh oh!

jayair commented Mar 14, 2019

Uh oh!

talyaniv commented Mar 14, 2019 •

edited

Loading

Uh oh!

jayair commented Mar 22, 2019

Uh oh!

jayair commented Apr 8, 2019

Uh oh!

talyaniv commented Apr 11, 2019 •

edited

Loading

Uh oh!

talyaniv commented Apr 11, 2019

Uh oh!

ozbillwang commented Jun 2, 2019 •

edited

Loading

Uh oh!

jayair commented Jun 17, 2019

Uh oh!

ozbillwang commented Jun 18, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

talyaniv commented Mar 14, 2019

Uh oh!

jayair commented Mar 14, 2019

Uh oh!

talyaniv commented Mar 14, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jayair commented Mar 22, 2019

Uh oh!

jayair commented Apr 8, 2019

Uh oh!

talyaniv commented Apr 11, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

talyaniv commented Apr 11, 2019

Uh oh!

ozbillwang commented Jun 2, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jayair commented Jun 17, 2019

Uh oh!

ozbillwang commented Jun 18, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

talyaniv commented Mar 14, 2019 •

edited

Loading

talyaniv commented Apr 11, 2019 •

edited

Loading

ozbillwang commented Jun 2, 2019 •

edited

Loading