Aws-sdk-net: Cognito Userpool Signin

Created on 22 Nov 2016 · 66 Comments · Source: aws/aws-sdk-net

How do we perform a user sign in from .net WPF or forms app? This functionality seems to be missing

feature-request

All 66 comments

Can you provide more details on your scenario and what functionality is missing? The Cognito Identity API available in the SDK can be used by any type of .NET application.

@gokarnm I am talking about Cognito User pools authentication

Use case 4. Authenticating a user and establishing a user session with the Amazon Cognito Identity service.
https://github.com/aws/amazon-cognito-identity-js

I can't find this in .net so we can't authenticate a user from a front end app written in .net

The supplied Cognito support is incomplete. The required Secure Remote Password support is implemented in the iOS, Android and JS SDKs, but is missing from the .NET and Java SDKs. I have spent the last two days porting the JS implementation of SRP to .NET and now comparing to the iOS implementation, but something in the SRP calculations is slightly different and authentication fails. It doesn't help that there is no documentation I could find on how Cognito implements SRP (what are the pre-shared constants, how and what values does it combine when calculating hashes, etc), the only resort was to dive through mostly uncommented SDK source code.

@KonajuGames Do you need help with that port? I'm about to start porting the Android implementation to C#.

I had spent several days on it, trying to verify my port from the Android, JS and iOS SDKs. Still couldn't get it to successfully authenticate, so now I'm trying to use custom authentication hooks with some Lambda functions and the SRP6 client/server implementation from the BouncyCastle crypto library. Still haven't quite got it working however. Crypto is hard.

I'm happy to send you what I've got so far and to test your port. It's a bit of a mix from the JS and iOS SDK implementations.

You've probably looked at: AuthenticationHelper ? That's what I started porting. Yeah, encryption isn't the easiest to figure out. I'd be happy to look at what you have.

I had looked at that source, among many others. Here's the code as it currently is.
https://gist.github.com/KonajuGames/0253adf035d83e3b58a872fb00e4f398
If it's useful to you, that's great. If not, that's fine. As long as the auth works in the end.

Also, am looking at: https://github.com/fduman/srp.net

I think I had seen that one, but hadn't looked too much into it because it uses System.Security.Cryptography which does not exist in .NET Core. I had been using BouncyCastle's C# which has no such dependencies.

It's not? I've been testing that code in a dotnet core console app.

Maybe my brain is just fried from staring at crypto and SRP6 for too long, trying to get authentication working.

This feature is available in the iOS, Android and JS SDK but not in the .NET SDK, I'll add this as a feature request but I don't have an ETA for when this will be available.

@gokarnm Is it possible to get it working with what the .NET SDK currently provides by following what the Android SDK does?

Hi @dbeattie71, yes we'll look into what it takes to provide an implementation similar to the other SDKs. Though like I said before, I cannot provide an ETA at this point.

> we'll look into what it takes to provide an implementation similar to the other SDKs.

As long as the end result is the same (we can login using Cognito), the implementation can be completely dissimilar. And that may be best too, because the .NET implementation should use C# constructs such as async/await.

> Though like I said before, I cannot provide an ETA at this point.

Which is a shame because .NET users are dead in the water at the moment if they want to use Cognito authentication. I spent the better part of two weeks trying to get a port of the Android/JS/iOS implementations, but it fails to authenticate each time.

We are calling the javascript function using EO.WebBrowser for .NET
https://www.essentialobjects.com/Products/WebBrowser/Default.aspx

This is not ideal but it works for now.

I am hoping that aws team will implement this sooner than later.

@gokarnm Is there some server side mechanism that won't allow this to work if someone ports it from the Android SDK? I realize it isn't implemented in the SDK yet but is there any reason a 3rd party port, like the one @KonajuGames attempted won't work?

@KonajuGames I suppose binding libs could be created using the Android and iOS libs. A binding lib could probably be created for just the pieces that handle SRP.

> I realize it isn't implemented in the SDK yet but is there any reason a 3rd party port, like the one @KonajuGames attempted won't work?

@dbeattie71, a third party port with the correct implementation would work.

@KonajuGames I spent some time on this and ended up in the same boat as you. I can't figure out what is different as everything looks correct. I'll probably try and make binding libs, that's almost as fun as messing with crypto.

@dbeattie71 Brilliant. Thank you. I'll give it a try on Monday.

I'll also be curious to see what I got wrong.

@dbeattie71 Thanks a lot this helped me in so many ways 👍

PS:

  • AutoConstructedDictionary<> did not have a default constructor on my side so I used the normal Dictionary.
  • You still got your PW hard coded at the RespondToAuthChallengeRequest.

I've still got something wrong. I had to change Hkdf.cs to use BouncyCastle as ours lives in a PCL and does not have System.Security.Cryptography. I still get a "Username or password is incorrect" error.

@KonajuGames How are you calling Hkdf.cs from Bouncy? I think I tried that at one point.

I had to change Hkdf.cs to use BouncyCastle HMAC functions since PCLs don't
have Cryptography.

I ported the code from the Android SDK and it's working, with example: http://blog.mmlac.com/aws-cognito-srp-login-c-sharp-dot-net/

Hope it can help someone :)

Thanks for the help @dbeattie71 and @mmlac. I now have the authentication working, and as a bonus I removed the dependency on System.Security.Cryptography, meaning it can now be used in a Portable Class Library. The AWSSDK provides SHA256 and HMAC hash functions in Amazon.Util.CryptoFactory that can be used in place of the Cryptography versions. I'll post the changes once I clean it up.

@KonajuGames just ran into the same problem as this thread, and was wondering if you had any luck cleaning up your code and getting it working?

@cmarfia My code (see three replies above this one) is working. As @KonajuGames mentioned, it might include external libraries that cover what AWS might include already, but that's easy to change and clean up.

Until @KonajuGames posts his edit, you should be able to get up and running with my solution. If you have any problems with it, just leave a comment on the post and I'll see if I can help you further.

@mmlac,

Thanks for the code!

I got it working using the utilities in the SDK like @KonajuGames did as well.

I won't be able to post my code as I no longer work for the studio I was
doing that for, and don't have a copy of the code. I'm glad more people
have got it working. It's about time Amazon just borrowed what we worked
out and updated their SDK to benefit everyone, including themselves.

@KonajuGames,

I will try and post my gist of my working code by end of week, so if anyone runs into this again they have a good starting point.

Do the code ports work with the latest SDK version?

@ldubois1 Did you try it and ran into a specific issue?

Has anyone attempted to get this to work with a Xamarin Forms .NetStandard app?

@mmlac,

Sorry for the delay on posting my code. I was taken off the project for a couple weeks and just got back to it. I will try and post my code by end of week once I get caught back up to speed.

@bbkillen I have not worked with .NetStandard but when I get my code posted I hope that can help be a start point for you.

As a side note, has anyone else successfully verified the JWT token after a successful login? I am stuck on that currently and can't get my token to validate correctly.

@cmarfia I am using the C++ SDK and calling GetUser with the JWT and it succeeds. Haven't tried it with the C# SDK. Are you trying to verify the JWT token yourself with another library?

@mmlac does the SDK provide a built in way to validate the token?

I have not found one in the SDK and that is where I am a little lost on how to validate it correctly. I see this documentation on how to validate the token: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api

But I guess I don't understand how to do step 6.

(Note: I am new to JWT's so this is most likely my own ignorance on the subject.)

@cmarfia I just implemented authentication using Cognito in .net. I used the System.IdentityModel.Tokens.Jwt library to read the tokens. Hope this might help; I was quite bewildered for a while too.
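```
using System.IdentityModel.Tokens.Jwt;

// Decodes a JWT so that its header and claims can be read.
// ReadJwtToken only parses the token; it does not verify the signature, issuer or expiry.
public JwtSecurityToken DecodeToken(string token)
{
    var jwtHandler = new JwtSecurityTokenHandler();
    if (!jwtHandler.CanReadToken(token))
    {
        return null; // not a well-formed JWT
    }

    return jwtHandler.ReadJwtToken(token);
}
```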

I'm using cognito for AWS API Gateway so I don't verify the token myself:
http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.htm
And we did manage to verify the token using the js code on this page:
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
(under Understanding the code)
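
Added example (not part of the original thread and not AWS SDK code): the decode-only snippet above reads claims without checking them, so this sketch shows one way to verify a Cognito ID token with the same `System.IdentityModel.Tokens.Jwt` library. The class, method and parameter names are hypothetical, and it assumes the caller has already downloaded the user pool's JWKS document and is validating an ID token (access tokens carry `client_id` instead of `aud`).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class CognitoIdTokenValidator
{
    // All parameter names are hypothetical. jwksJson is the JSON body served at
    // https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
    public static ClaimsPrincipal Validate(
        string idToken, string region, string userPoolId, string appClientId, string jwksJson)
    {
        var parameters = new TokenValidationParameters
        {
            // Signature: only keys published by this user pool are trusted.
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = new JsonWebKeySet(jwksJson).GetSigningKeys(),
            // iss must be this user pool, aud must be this app client.
            ValidateIssuer = true,
            ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}",
            ValidateAudience = true,
            ValidAudience = appClientId,
            // exp must be present and in the future (small allowance for clock drift).
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        // Throws a SecurityTokenException subclass on a bad signature, issuer, audience or expiry.
        var principal = new JwtSecurityTokenHandler()
            .ValidateToken(idToken, parameters, out SecurityToken validated);
        var jwt = (JwtSecurityToken)validated;

        // Cognito signs with RS256; reject anything else explicitly.
        if (jwt.Header.Alg != SecurityAlgorithms.RsaSha256)
            throw new SecurityTokenValidationException("unexpected signing algorithm");

        // An access token (token_use = "access") must not be accepted where an ID token is expected.
        var tokenUse = jwt.Claims.FirstOrDefault(c => c.Type == "token_use")?.Value;
        if (tokenUse != "id")
            throw new SecurityTokenValidationException("token_use is not 'id'");

        return principal;
    }
}
```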

Has anybody managed to authenticate with the device being remembered?
I managed to have the device remembered on Cognito while trying to copy the JS code but when trying to authenticate using the device key I get "user or password invalid" error.
link to source code:
https://gist.github.com/BBNicolas/5ab3f1f8c604ebe2e4ecf14c35487495

Seems to me getting this in the SDK should be a very high priority, even higher than new API support. You can't use all those wonderful APIs if you can't log in!

@mmlac Your blog post is broken. http://blog.mmlac.com/aws-cognito-srp-login-c-sharp-dot-net/ gives a DB error. Any chance you can fix it?

@rampyodm fixed, thanks for pointing it out!

Any update on when this is going to be in the SDK?

I ended up creating Xamarin bindings to the iOS and Android SDKs. C# seems to be the lowest priority when it comes to AWS. The SDK is misleading because it appears at first glance to have everything you need. I wasted a lot of time going down that rabbit hole only to find out the SDK is missing the most important part - being able to login.

They could just implement SRP client-side in the C# SDK instead of trying
to gloss over it by writing a series of blog posts showing how to make it
more complex by adding another layer using ASP.NET and the AdminAuth
function in another server app.

There is another one for WPF
https://aws.amazon.com/blogs/mobile/sign-up-and-confirm-with-user-pools-using-csharp/

However, I can't seem to get it working. Something wrong with the App.config file

I think you also need to tick Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH) on the console. I keep getting error Unable to verify secret hash for client 1fsd254sdsd22

@hashitha Yes, the signup API is fully implemented in C#. When I first started working with the SDK I started with this API, which is what led me to incorrectly believe that the SDK was wholly implemented.

I managed to get the Sign in working by following
https://aws.amazon.com/blogs/mobile/sign-up-and-confirm-with-user-pools-using-csharp/

All I had to do was create a new App client, the existing one didn't work for some reason.

@rampyodm Yea all the functionality was implemented except the signing

Any official update on this issue yet? Without the ability to even authenticate a user from Unity, I have to basically rely on unauthenticated user role in order to get access to other AWS APIs like Lambda from Unity which is definitely not the best usage.

It's all working for me now. I think the trick was not to create a UserPool with Client Secret enabled

Any official update on this issue? SRP is really a requirement for some of us.

The last responses from @gokarnm above are about as official as you'll get. The request has been added, but it could be anytime between tomorrow and the next century.

Yesterday we released the CognitoAuthentication library as an extension to the SDK targeting .NET45 and NetStandard1.3 to address this feature request. You can find more information about how to get and use it here: https://aws.amazon.com/blogs/developer/cognitoauthentication-extension-library-developer-preview/

@sammous1 , when will it work to .NETPortable?

Output error:

Could not install package 'AWSSDK.Extensions.CognitoAuthentication 0.9.0'. You are trying to install this package into a project that targets '.NETPortable,Version=v4.5,Profile=Profile111', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.

Thanks!

We don't have any plans to support PCL yet. However we will take this into consideration when we are ready to GA this. I am guessing you are looking to use this library in a Unity app?

Hi @sstevenkang, I want to use in a Portable Xamarin project.

I was able to get it working in a Xamarin Forms app, but I had to change the main PCL to .NET Standard. That's not exactly an easy task. I actually found someone else who did it and shoehorned this code in to test. It's not ideal but it might be better than what I am currently doing - bindings for the iOS and Android SDK's.

I have followed this example to the letter
http://blog.mmlac.com/aws-cognito-srp-login-c-sharp-dot-net/

except the HKDF function does not have a DeriveKey function, I found source on github

I get the same salt and K hash values as I do in JS

I fail to authenticate , this is in PCL app
any hints

@sammous1
Hello, I am trying to install 'AWSSDK.Extensions.CognitoAuthentication 0.9.1, but get this error:
Could not install package 'AWSSDK.Extensions.CognitoAuthentication 0.9.1'. You are trying to install this package into a project that targets 'WindowsPhoneApp,Version=v8.1', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
Does it mean this Extension doesn't support Windows Phone yet? Or there is anything I can do to install it for my WindowPhone project?

Anyone who still has invalid username and password for manual Login Cognito from AuthenticateHelper. This parameter ( { "CHALLENGE_NAME", "SRP_A" },) is the thing you are missing from some tutorial. I spent 2 weeks for this! And get successful Login.
```
// Get the SRP variables A and a
var TupleAa = AuthenticationHelper.CreateAaTuple();
var SRP_A = TupleAa.Item1.ToString(16);
var authResponse = await provider.InitiateAuthAsync(new InitiateAuthRequest
{
    ClientId = AWS_CLIENT_ID,
    AuthFlow = AuthFlowType.USER_SRP_AUTH,
    AuthParameters = new Dictionary<string, string>() {
        { "USERNAME", userName },
        { "SRP_A", SRP_A },
        { "SECRET_HASH", null },
        { "DEVICE_KEY", null },
        { "CHALLENGE_NAME", "SRP_A" },
    }
});
```

@quangtrung89 Yes, currently our library only supports .NET Standard 1.6 and .NET Framework 4.5+.

I'm going to close this issue as it has become too large and unwieldy for us to track any specific work now that we have released a CognitoAuthentication library.

If there are specific issues with the CognitoAuthentication library you would like to look into please open a separate issue.
