cognitoidentityprovider initiate_auth with "USER_PASSWORD_AUTH" Errors when searching for additional credentials #815

Closed
cgostic opened this issue Aug 1, 2024 · 5 comments · Fixed by #816


cgostic commented Aug 1, 2024

Hello!

Note that I am struggling to create a full reprex because I can't share the clientId/credential information for authentication.

I have a user pool in AWS Cognito that has USER_PASSWORD_AUTH enabled. I know this is configured correctly because I am able to authenticate through Python using only USERNAME and PASSWORD AuthParameters. Here is my Python code that runs fine:

import boto3

# Placeholders stand in for the redacted client ID and user credentials.
cognito_client = boto3.client('cognito-idp', region_name='us-west-2')
cognito_client.initiate_auth(
    ClientId='<auth_client_id>',
    AuthFlow='USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': '<username>',
        'PASSWORD': '<password>'
    }
)

I need to write up an authentication flow in R as well but am receiving the following errors when running this code:

library(paws)
svc <- cognitoidentityprovider(
  region = "us-west-2"
)

svc$initiate_auth(
  ClientId = "<auth_client_id>",
  AuthFlow = "USER_PASSWORD_AUTH",
  AuthParameters = list(
    USERNAME = "<username>",
    PASSWORD = "<password>"
  )
)

with options("paws.log_level" = 3L) enabled:

INFO [2024-08-01 11:18:17.545]: Unable to locate credentials file
INFO [2024-08-01 11:18:17.546]: Unable to locate config file
INFO [2024-08-01 11:18:17.546]: Unable to obtain access_key_id, secret_access_key or session_token
INFO [2024-08-01 11:18:17.551]: Unable to obtain iam role
Error: No compatible credentials provided.

It seems like the authflow is being ignored if these files/credentials are still being searched for. Am I missing something basic?

@DyfanJones
Member

Have you tried with anonymous credentials?

@cgostic
Author

cgostic commented Aug 1, 2024

Hi @DyfanJones, thanks for the reply!

I attempted to initialize the client with anonymous credentials according to documentation which suggests a logical value:

library(paws)
svc <- cognitoidentityprovider(
  credentials = list(anonymous=TRUE),
  region = "us-west-2"
)

svc$initiate_auth(
  ClientId = "<auth_client_id>",
  AuthFlow = "USER_PASSWORD_AUTH",
  AuthParameters = list(
    USERNAME = "<username>",
    PASSWORD = "<password>"
  )
)

This results in a "400 Bad Request" error, with the Amazon error type "Unknown Operation Exception".

INFO [2024-08-01 13:45:12.433]: <- HTTP/1.1 400 Bad Request
INFO [2024-08-01 13:45:12.433]: <- Date: Thu, 01 Aug 2024 20:45:12 GMT
INFO [2024-08-01 13:45:12.433]: <- Content-Type: application/x-amz-json-1.1
INFO [2024-08-01 13:45:12.433]: <- Content-Length: 38
INFO [2024-08-01 13:45:12.433]: <- Connection: keep-alive
INFO [2024-08-01 13:45:12.433]: <- x-amzn-RequestId: c8e39069-ad79-4755-920e-5f1e8f3afd0c
INFO [2024-08-01 13:45:12.433]: <- x-amzn-ErrorType: UnknownOperationException:
INFO [2024-08-01 13:45:12.433]: <- 
Error: UnknownOperationException (HTTP 400).

@DyfanJones
Member

Sorry about that, not sure what is going on. I will have to set up Cognito to understand what is causing the issue.

@DyfanJones DyfanJones added the bug 🐞 Something isn't working label Aug 2, 2024
@DyfanJones
Member

I have found the bug. We accidentally removed all X-Amz-* headers when using anonymous. The dev branch should fix this.

remotes::install_github("dyfanjones/paws/paws.common", ref = "anonymous_cred")
library(paws)

svc <- cognitoidentityprovider(config(credentials(anonymous = T), region = "us-east-1"))

resp <- svc$initiate_auth(
  ClientId = "YOUR CLIENT ID",
  AuthFlow = "USER_PASSWORD_AUTH",
  AuthParameters = list(
    USERNAME = "YOUR USER NAME",
    PASSWORD = "YOUR PASSWORD"
  )
)

For extra context:
There is a slight difference in how paws works compared to boto3 when getting credentials. Boto3 doesn't check if it has credentials, whereas paws does (hence: Error: No compatible credentials provided.). I don't think we will remove this check, as it is fairly useful and other AWS SDKs do something similar.

Let me know if this fix works for you.

@DyfanJones DyfanJones self-assigned this Aug 2, 2024
@DyfanJones DyfanJones linked a pull request Aug 2, 2024 that will close this issue
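Added example (not paws.common code and not part of the original thread): a Python model of why removing every X-Amz-* header from an anonymous request yields UnknownOperationException, since the operation name travels in X-Amz-Target. The function names, the list of signing headers and the header values are assumptions constructed for illustration.

```python
import json

# Headers that exist only to carry a SigV4 signature (list assumed for this sketch).
SIGNING_HEADERS = {"authorization", "x-amz-date",
                   "x-amz-security-token", "x-amz-content-sha256"}


def build_initiate_auth_request(client_id, username, password):
    """Return (headers, body) for InitiateAuth as a signing SDK would emit it."""
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        # The JSON 1.1 protocol names the operation here, not in the URL path.
        "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
        "X-Amz-Date": "20240801T204512Z",                      # constructed
        "Authorization": "AWS4-HMAC-SHA256 <constructed>",     # constructed
    }
    body = json.dumps({
        "ClientId": client_id,
        "AuthFlow": "USER_PASSWORD_AUTH",
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
    })
    return headers, body


def strip_all_amz_headers(headers):
    """Behaviour described in the thread: every X-Amz-* header is dropped."""
    return {k: v for k, v in headers.items()
            if k.lower() != "authorization" and not k.lower().startswith("x-amz-")}


def strip_signing_headers(headers):
    """Anonymous request: drop only the signature material, keep routing headers."""
    return {k: v for k, v in headers.items() if k.lower() not in SIGNING_HEADERS}


def names_operation(headers):
    """True if the request still tells the service which operation to run."""
    return any(k.lower() == "x-amz-target" for k in headers)


if __name__ == "__main__":
    hdrs, _ = build_initiate_auth_request("<auth_client_id>", "<username>", "<password>")
    print("strip all X-Amz-*:", names_operation(strip_all_amz_headers(hdrs)))
    print("strip signing only:", names_operation(strip_signing_headers(hdrs)))
```
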
@cgostic
Author

cgostic commented Aug 5, 2024

Yes, this does the trick! Thank you for the solution and the clarification. Really appreciate your time.

@cgostic cgostic closed this as completed Aug 5, 2024