
In the Cognito CloudFormation resource AWS::Cognito::UserPoolClient documentation for ExplicitAuthFlows it says:

  • ALLOW_USER_AUTH: Enable selection-based sign-in with USER_AUTH. This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentication flow can do username-password and SRP authentication without other ExplicitAuthFlows permitting them. For example, users can complete an SRP challenge through USER_AUTH without the flow USER_SRP_AUTH being active for the app client. This flow doesn't include CUSTOM_AUTH.

I interpret this to mean that if I list ALLOW_USER_AUTH, there is no need to list USER_SRP_AUTH, as that is included in ALLOW_USER_AUTH.

Yet the latest Cognito user wizard by default sets up the following explicit auth flows: [ALLOW_USER_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH]. Why does it include ALLOW_USER_SRP_AUTH, if ALLOW_USER_AUTH includes ALLOW_USER_SRP_AUTH?

Likewise in the documentation for Authentication with Amazon Cognito user pools, it shows the following example:

"ExplicitAuthFlows": [ 
   "ALLOW_USER_AUTH",
   "ALLOW_USER_SRP_AUTH
]

Ignoring the typo (the missing double quote for the second identifier), why are both explicit auth flows listed? Isn't ALLOW_USER_SRP_AUTH redundant, being included in ALLOW_USER_AUTH? Or am I misunderstanding the documentation for ExplicitAuthFlows, and they do need to be listed separately?

In summary: Is ALLOW_USER_SRP_AUTH redundant if ALLOW_USER_AUTH is included, or is it not redundant?


1 Answer


From the documentation, ALLOW_USER_SRP_AUTH is used to enable client-based authentication with username and SRP, while ALLOW_USER_AUTH is used to enable choice-based authentication, which can include secure remote password (SRP) authentication as an available authentication choice.

Client-based authentication and choice-based authentication are separate authentication flow types with different parameters required for the InitiateAuth or AdminInitiateAuth API call. Different authentication methods, such as username-password and secure remote password (SRP), can be configured to be available for both flows. The below example configuration

"ExplicitAuthFlows": [
   "ALLOW_USER_AUTH",
   "ALLOW_USER_SRP_AUTH"
]

means that secure remote password (SRP) authentication is available for both client-based and choice-based authentication flows, hence ALLOW_USER_AUTH doesn't include ALLOW_USER_SRP_AUTH and vice versa.


1 Comment

Oh, so this is saying that ALLOW_USER_SRP_AUTH allows the client to explicitly initiate SRP signin, while ALLOW_USER_AUTH allows the user to choose which signin approach (which could include SRP). So the documentation was saying that ALLOW_USER_AUTH covers SRP as one of the options—which is not the same as covering the ALLOW_USER_SRP_AUTH setting. Thanks for the explanation. I think I missed assigning the bounty, so out of fairness I'll assign another bounty to assign it to this answer.
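The distinction the answer draws (client-based USER_SRP_AUTH versus choice-based USER_AUTH, each unlocked by its own ExplicitAuthFlows entry and each with its own InitiateAuth parameters) can be modelled directly. The following is an added example, not code from the question, the answer or AWS; the app client configurations and the SRP_A value are constructed, and the ClientId is a placeholder.

```python
# Models which InitiateAuth AuthFlow values an app client accepts, based on its
# ExplicitAuthFlows, and builds the request body for the two SRP entry points.
# Sample configurations below are constructed for this example.

# ExplicitAuthFlows value -> the InitiateAuth AuthFlow it unlocks.
FLOW_BY_EXPLICIT_FLOW = {
    "ALLOW_USER_AUTH": "USER_AUTH",             # choice-based; SRP is one of its choices
    "ALLOW_USER_SRP_AUTH": "USER_SRP_AUTH",     # client-based SRP
    "ALLOW_CUSTOM_AUTH": "CUSTOM_AUTH",         # not covered by ALLOW_USER_AUTH
    "ALLOW_REFRESH_TOKEN_AUTH": "REFRESH_TOKEN_AUTH",
}

# Constructed sample app clients: the wizard default from the question, and one
# that offers SRP only through the choice-based flow.
WIZARD_DEFAULT = ["ALLOW_USER_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
CHOICE_ONLY = ["ALLOW_USER_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]


def accepted_auth_flows(explicit_auth_flows):
    """Return the set of InitiateAuth AuthFlow values this client accepts."""
    return {FLOW_BY_EXPLICIT_FLOW[f] for f in explicit_auth_flows if f in FLOW_BY_EXPLICIT_FLOW}


def srp_entry_points(explicit_auth_flows):
    """How SRP can be reached: client-based needs ALLOW_USER_SRP_AUTH,
    choice-based needs only ALLOW_USER_AUTH (SRP is an offered choice there)."""
    flows = accepted_auth_flows(explicit_auth_flows)
    return {"client_based": "USER_SRP_AUTH" in flows, "choice_based": "USER_AUTH" in flows}


def initiate_auth_request(client_id, username, auth_flow, srp_a=None):
    """Build the InitiateAuth request body for the given flow, or raise if inconsistent."""
    if auth_flow == "USER_SRP_AUTH":
        if srp_a is None:
            raise ValueError("USER_SRP_AUTH requires the client's SRP_A value")
        params = {"USERNAME": username, "SRP_A": srp_a}
    elif auth_flow == "USER_AUTH":
        params = {"USERNAME": username}
        if srp_a is not None:  # ask for SRP up front instead of receiving a challenge list
            params["PREFERRED_CHALLENGE"] = "PASSWORD_SRP"
            params["SRP_A"] = srp_a
    else:
        raise ValueError(f"unsupported AuthFlow for this example: {auth_flow}")
    return {"ClientId": client_id, "AuthFlow": auth_flow, "AuthParameters": params}


def client_accepts(explicit_auth_flows, request):
    """Whether the app client's ExplicitAuthFlows permit the request's AuthFlow."""
    return request["AuthFlow"] in accepted_auth_flows(explicit_auth_flows)
```

Removing ALLOW_USER_SRP_AUTH from the wizard default therefore only shuts the client-based SRP entry point; SRP stays reachable through USER_AUTH as long as ALLOW_USER_AUTH remains.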
