bug: SRP_A Authentication Flow Produces Invalid Access Token Despite Correct Configuration
Issue Details
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
When using the SRP_A (USER_SRP_AUTH) flow with Cognito in LocalStack, authentication succeeds but subsequent API calls with the returned access token fail with NotAuthorizedException: Invalid Access Token. This occurs even when:
- ALLOW_USER_SRP_AUTH is explicitly enabled in the app client configuration
- Tokens include the required scopes (aws.cognito.signin.user.admin)
- A client secret is generated
- Token structure and signature are valid
Expected Behavior
Access tokens generated via the SRP_A flow should be accepted by LocalStack Cognito endpoints (e.g., GetUser, ListUsers) when the configuration matches AWS Cognito standards.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
Set up a Cognito User Pool with aws-cdk-lib
I use aws-cdk-lib for the backend. The user pool client config looks like:

```typescript
new cognito.UserPoolClient(this, 'client', {
  userPool: this.userPool,
  accessTokenValidity: cdk.Duration.hours(1),
  authFlows: { userSrp: true },
  idTokenValidity: cdk.Duration.hours(1),
  disableOAuth: false,
  supportedIdentityProviders: [
    cognito.UserPoolClientIdentityProvider.COGNITO,
  ],
  // ...other options
});
```
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
My docker compose file:

```yaml
version: '3.8'
services:
  localstack:
    container_name: '${LOCALSTACK_DOCKER_NAME:-localstack-main}'
    image: localstack/localstack-pro
    ports:
      - '127.0.0.1:4566:4566'            # LocalStack Gateway
      - '127.0.0.1:4510-4559:4510-4559'  # external services port range
      - '127.0.0.1:443:443'              # LocalStack HTTPS Gateway (Pro)
    environment:
      # LocalStack configuration: https://docs.localstack.cloud/references/configuration/
      - DEBUG=${DEBUG:-0}
      - LOCALSTACK_AUTH_TOKEN=${LOCALSTACK_AUTH_TOKEN- }
      - PERSISTENCE=1
      - SERVICES=cloudformation,ssm,iam,sns,logs,lambda,dynamodb,sqs,ecr,apigateway,route53,cognito-idp,events
      - LAMBDA_EXECUTOR=docker-reuse
      - SMTP_EMAIL=test@email.com
    volumes:
      - '${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack'
      - '/var/run/docker.sock:/var/run/docker.sock'
      - './localstack/ready:/etc/localstack/init/ready.d'
```
Run docker compose up to start LocalStack Pro, then cdklocal bootstrap and cdklocal deploy --all --require-approval never to deploy the CDK app to LocalStack.
Backend CDK AuthCommands
My InitiateAuthCommand looks like:

```typescript
const initiateCommand = new InitiateAuthCommand({
  ClientId: userPoolClientId,
  AuthFlow: 'USER_SRP_AUTH',
  AuthParameters: {
    USERNAME: email,
    SRP_A: srp_a,
  },
});
```

And the RespondToAuthChallengeCommand like:

```typescript
const respondCommand = new RespondToAuthChallengeCommand({
  ClientId: userPoolClientId,
  ChallengeName: 'PASSWORD_VERIFIER',
  ChallengeResponses: {
    PASSWORD_CLAIM_SIGNATURE: signature,
    PASSWORD_CLAIM_SECRET_BLOCK: secretBlock,
    TIMESTAMP: timestamp,
    USERNAME: signInUserId,
  },
});
```
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
I use cognito-srp to generate the SRP values and the signature.
After getting the access token from the backend, use it:

```shell
awslocal cognito-idp get-user --access-token $access_token
```
Environment
- OS: macOS Sonoma v14.6.1
- LocalStack: LocalStack version: latest, 4.5
- LocalStack Docker image sha: sha256:14f6c3dbf99a895299f79247bad646b754ffd14e8d7027532bef08a66d3f932e
Anything else?
It seems the USER_AUTH flow was only supported recently. So maybe USER_SRP_AUTH is not yet fully supported?
https://blog.localstack.cloud/localstack-release-v-4-4-0/#miscellaneous
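An added diagnostic (not part of the issue or of LocalStack) that decodes the returned access token and reports which of the claims the report relies on (token_use, client_id, the aws.cognito.signin.user.admin scope, exp) would fail; the sample token, its dummy signature and the client id are constructed here, and Node.js 16 or later is assumed for base64url support:

```javascript
// Decode a JWS compact token without verifying it: the goal is to see the
// claims, not to trust them. Assumes Node.js >= 16 (Buffer 'base64url').
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const [header, payload] = parts.slice(0, 2).map((p) =>
    JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload };
}

// Returns the list of problems a Cognito-style GetUser would trip over.
// An empty list means the claims look like a usable access token; a
// signature check against the pool's JWKS is still needed to fully trust it.
function checkAccessToken(token, { clientId, now = Math.floor(Date.now() / 1000) }) {
  const { payload } = decodeJwt(token);
  const problems = [];
  if (payload.token_use !== 'access') {
    problems.push(`token_use is "${payload.token_use}", expected "access"`);
  }
  if (payload.client_id !== clientId) {
    problems.push('client_id does not match the app client');
  }
  const scopes = (payload.scope || '').split(' ');
  if (!scopes.includes('aws.cognito.signin.user.admin')) {
    problems.push('missing aws.cognito.signin.user.admin scope');
  }
  if (typeof payload.exp !== 'number' || payload.exp <= now) {
    problems.push('token is expired or has no exp claim');
  }
  return problems;
}

// Constructed sample token for offline use; the signature is a dummy string,
// so this is NOT a token any Cognito endpoint would accept.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(payload)}.${enc('dummy')}`;
}

const SAMPLE_CLIENT_ID = 'constructed-client-id';
const sample = makeSampleToken({
  token_use: 'access',
  client_id: SAMPLE_CLIENT_ID,
  scope: 'aws.cognito.signin.user.admin',
  exp: 2000000000,
});
console.log(checkAccessToken(sample, { clientId: SAMPLE_CLIENT_ID, now: 1700000000 }));
```

Paste the real access token from the SRP flow in place of the constructed one; if the list comes back empty, the rejection is not explained by the claims and the bug is on the LocalStack side.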