gpt4 book ai didi

python - 为 AWS Cognito 使用 python boto3 实现 USER_SRP_AUTH

转载 作者:太空狗 更新时间:2023-10-29 18:30:15 26 4
gpt4 key购买 nike

Amazon 提供 iOS、Android 和 Javascript Cognito SDK,它们提供高级用户身份验证操作。

例如,请参阅此处的用例 4:

https://github.com/aws/amazon-cognito-identity-js

但是,如果您使用的是 python/boto3,您得到的只是一对原语:cognito.initiate_authcognito.respond_to_auth_challenge

我正在尝试将这些原语与 pysrp lib 一起使用,通过 USER_SRP_AUTH 流程进行身份验证,但我所拥有的不起作用。

它总是失败并显示“调用 RespondToAuthChallenge 操作时发生错误 (NotAuthorizedException):不正确的用户名或密码。” (用户名/密码对可以通过 JS SDK 找到。)

我怀疑我在构造质询响应时出错(第 3 步),和/或在需要 base64 时传递 Congito 十六进制字符串,反之亦然。

有人成功了吗?有人看到我做错了什么吗?

我正在尝试复制在 Javascript SDK 中找到的 authenticateUser 调用的行为:

https://github.com/aws/amazon-cognito-identity-js/blob/master/src/CognitoUser.js#L138

但我做错了什么,无法弄清楚是什么。

#!/usr/bin/env python
import base64
import binascii
import boto3
import datetime as dt
import hashlib
import hmac

# http://pythonhosted.org/srp/
# https://github.com/cocagne/pysrp
import srp

bytes_to_hex = lambda x: "".join("{:02x}".format(ord(c)) for c in x)

cognito = boto3.client('cognito-idp', region_name="us-east-1")

username = "foobar@foobar.com"
password = "123456"

user_pool_id = u"us-east-1_XXXXXXXXX"
client_id = u"XXXXXXXXXXXXXXXXXXXXXXXXXX"

# Step 1:
# Use SRP lib to construct a SRP_A value.

srp_user = srp.User(username, password)
_, srp_a_bytes = srp_user.start_authentication()

srp_a_hex = bytes_to_hex(srp_a_bytes)

# Step 2:
# Submit USERNAME & SRP_A to Cognito, get challenge.

response = cognito.initiate_auth(
AuthFlow='USER_SRP_AUTH',
AuthParameters={ 'USERNAME': username, 'SRP_A': srp_a_hex },
ClientId=client_id,
ClientMetadata={ 'UserPoolId': user_pool_id })

# Step 3:
# Use challenge parameters from Cognito to construct
# challenge response.

salt_hex = response['ChallengeParameters']['SALT']
srp_b_hex = response['ChallengeParameters']['SRP_B']
secret_block_b64 = response['ChallengeParameters']['SECRET_BLOCK']

secret_block_bytes = base64.standard_b64decode(secret_block_b64)
secret_block_hex = bytes_to_hex(secret_block_bytes)

salt_bytes = binascii.unhexlify(salt_hex)
srp_b_bytes = binascii.unhexlify(srp_b_hex)

process_challenge_bytes = srp_user.process_challenge(salt_bytes,
srp_b_bytes)

timestamp = unicode(dt.datetime.utcnow().strftime("%a %b %d %H:%m:%S +0000 %Y"))

hmac_obj = hmac.new(process_challenge_bytes, digestmod=hashlib.sha256)
hmac_obj.update(user_pool_id.split('_')[1].encode('utf-8'))
hmac_obj.update(username.encode('utf-8'))
hmac_obj.update(secret_block_bytes)
hmac_obj.update(timestamp.encode('utf-8'))

challenge_responses = {
"TIMESTAMP": timestamp.encode('utf-8'),
"USERNAME": username.encode('utf-8'),
"PASSWORD_CLAIM_SECRET_BLOCK": secret_block_hex,
"PASSWORD_CLAIM_SIGNATURE": hmac_obj.hexdigest()
}

# Step 4:
# Submit challenge response to Cognito.

response = cognito.respond_to_auth_challenge(
ClientId=client_id,
ChallengeName='PASSWORD_VERIFIER',
ChallengeResponses=challenge_responses)

最佳答案

您的实现中有很多错误。例如:

  1. pysrp 默认使用 SHA1 算法。它应该设置为 SHA256。
  2. _ng_const 长度应为 3072 位,应从 amazon-cognito-identity-js
  3. 复制
  4. 没有 hkdf pysrp 中的函数。
  5. 响应应包含secret_block_b64,而不是secret_block_hex
  6. 错误的时间戳格式。 %H:%m:%S 表示“时:月:秒”,+0000 应替换为 UTC

Has anyone gotten this working?

是的。它在 warrant.aws_srp 模块中实现。 https://github.com/capless/warrant/blob/master/warrant/aws_srp.py

from warrant.aws_srp import AWSSRP


USERNAME='xxx'
PASSWORD='yyy'
POOL_ID='us-east-1_zzzzz'
CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx'

aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID,
client_id=CLIENT_ID)
tokens = aws.authenticate_user()
id_token = tokens['AuthenticationResult']['IdToken']
refresh_token = tokens['AuthenticationResult']['RefreshToken']
access_token = tokens['AuthenticationResult']['AccessToken']
token_type = tokens['AuthenticationResult']['TokenType']

authenticate_user 方法仅支持 PASSWORD_VERIFIER 质询。如果您想应对其他挑战,只需查看 authenticate_userboto3 文档即可。

关于python - 为 AWS Cognito 使用 python boto3 实现 USER_SRP_AUTH,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41526205/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com