What is the difference b/w AuthFlow ADMIN_NO_SRP_AUTH and ADMIN_USER_PASSWORD_AUTH in Cognito

Question:

Our login flow: client->server->cognito

We are using the InitiateAuth() API with the USER_PASSWORD_AUTH AuthFlow. We are going to enable Advanced Security in Cognito, for which we are going to use the AdminInitiateAuth() API with IP address and fingerprint data.

Can you suggest which AuthFlow is good for my scenario? (We are passing USERNAME, PASSWORD and SECRET_HASH as AuthParameters.)

Can you also tell me the main difference between the ADMIN_NO_SRP_AUTH and ADMIN_USER_PASSWORD_AUTH AuthFlows?

Answer:

Which auth flow is good for my scenario?

The AdminInitiateAuth API with ADMIN_USER_PASSWORD_AUTH is good since you’re doing server-to-server auth.

Difference between ADMIN_USER_PASSWORD_AUTH & ADMIN_NO_SRP_AUTH auth flows?

ADMIN_USER_PASSWORD_AUTH was formerly known as ADMIN_NO_SRP_AUTH.
If you have a server-side app:

  1. It calls the AdminInitiateAuth API. This requires AWS admin credentials & returns the authentication parameters.
  2. It then calls the AdminRespondToAuthChallenge API, which also requires AWS admin credentials.

The AdminInitiateAuth and AdminRespondToAuthChallenge operations can’t accept username & password user credentials for admin sign-in, unless you explicitly enable them to do so by doing one of the following:

  • Pass ADMIN_USER_PASSWORD_AUTH (formerly known as ADMIN_NO_SRP_AUTH) for the ExplicitAuthFlow parameter in your server-side app’s call to CreateUserPoolClient or UpdateUserPoolClient.
  • Choose Enable sign-in API for server-based authentication (ADMIN_USER_PASSWORD_AUTH) in the App clients tab in Create a user pool.

Server-Side Auth Flow — Cognito Documentation

Example:

Admin Auth Flow — Cognito Documentation
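A worked example of the server-side call the answer describes, added here and not taken from the original post or from AWS: it computes SECRET_HASH, builds the AdminInitiateAuth request with ADMIN_USER_PASSWORD_AUTH and the ContextData (end user's IP address and device fingerprint) that advanced security scores, and only then hands the request to boto3. The user pool id, client id and secret, and the fingerprint value are constructed placeholders.

```python
import base64
import hashlib
import hmac


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as Cognito expects it: Base64(HMAC-SHA256(client_secret, username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_admin_auth_request(user_pool_id, client_id, client_secret, username, password,
                             client_ip, server_name, server_path, user_agent, encoded_data=None):
    """Build the keyword arguments for cognito-idp AdminInitiateAuth.

    ContextData must describe the end user's request (their IP, not the server's),
    otherwise advanced security scores every sign-in as coming from your backend.
    EncodedData is the device fingerprint collected in the browser, when available.
    """
    request = {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "AuthFlow": "ADMIN_USER_PASSWORD_AUTH",  # must be enabled on the app client
        "AuthParameters": {
            "USERNAME": username,
            "PASSWORD": password,
            "SECRET_HASH": secret_hash(username, client_id, client_secret),
        },
        "ContextData": {
            "IpAddress": client_ip,
            "ServerName": server_name,
            "ServerPath": server_path,
            "HttpHeaders": [{"headerName": "User-Agent", "headerValue": user_agent}],
        },
    }
    if encoded_data:
        request["ContextData"]["EncodedData"] = encoded_data
    return request


def admin_initiate_auth(request, region="us-east-1"):
    """Perform the call; needs AWS credentials allowed to call cognito-idp:AdminInitiateAuth."""
    import boto3  # imported here so the helpers above run without boto3 installed
    return boto3.client("cognito-idp", region_name=region).admin_initiate_auth(**request)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your pool, client and the live request data.
    req = build_admin_auth_request(
        "us-east-1_EXAMPLE", "exampleclientid", "exampleclientsecret", "alice", "correct-horse",
        client_ip="203.0.113.7", server_name="login.example.com", server_path="/login",
        user_agent="Mozilla/5.0", encoded_data="<device-fingerprint-placeholder>")
    print(req["AuthFlow"], req["AuthParameters"]["SECRET_HASH"])
```

Never log the built request as-is: it carries the user's password and the SECRET_HASH, which is derived from the app client secret.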