Tags: amazon-web-services, authentication, aws-cloudformation, amazon-cognito

Is Cognito explicit auth flow `ALLOW_USER_SRP_AUTH` included in `ALLOW_USER_AUTH`?


In the Cognito CloudFormation resource AWS::Cognito::UserPoolClient documentation for ExplicitAuthFlows it says:

  • ALLOW_USER_AUTH: Enable selection-based sign-in with USER_AUTH. This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentication flow can do username-password and SRP authentication without other ExplicitAuthFlows permitting them. For example users can complete an SRP challenge through USER_AUTH without the flow USER_SRP_AUTH being active for the app client. This flow doesn't include CUSTOM_AUTH.

I interpret this to mean that if I list ALLOW_USER_AUTH, there is no need to list USER_SRP_AUTH, as that is included in ALLOW_USER_AUTH.

Yet the latest Cognito user wizard by default sets up the following explicit auth flows: [ALLOW_USER_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH]. Why does it include ALLOW_USER_SRP_AUTH, if ALLOW_USER_AUTH includes ALLOW_USER_SRP_AUTH?

Likewise in the documentation for Authentication with Amazon Cognito user pools, it shows the following example:

"ExplicitAuthFlows": [ 
   "ALLOW_USER_AUTH",
   "ALLOW_USER_SRP_AUTH
]

Ignoring the typo (the missing double quote for the second identifier), why are both explicit auth flows listed? Isn't ALLOW_USER_SRP_AUTH redundant, being included in ALLOW_USER_AUTH? Or am I misunderstanding the documentation for ExplicitAuthFlows, and they do need to be listed separately?

In summary: Is ALLOW_USER_SRP_AUTH redundant if ALLOW_USER_AUTH is included, or is it not redundant?


Solution

  • From the documentation, ALLOW_USER_SRP_AUTH is used to enable client-based authentication with username and SRP, while ALLOW_USER_AUTH is used to enable choice-based authentication, which can include secure remote password (SRP) authentication as an available authentication choice.

    Client-based authentication and choice-based authentication are separate authentication flow types, with different parameters required for the InitiateAuth or AdminInitiateAuth API call. Different authentication methods, such as username-password and secure remote password (SRP), can be configured to be available for both flows. The example configuration below

    "ExplicitAuthFlows": [
       "ALLOW_USER_AUTH",
       "ALLOW_USER_SRP_AUTH"
    ]
    

    means that secure remote password (SRP) authentication is available for both the client-based and the choice-based authentication flows; hence ALLOW_USER_AUTH doesn't include ALLOW_USER_SRP_AUTH, and vice versa.
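To make the distinction concrete, here is an added example (not code from the question or the answer above) that builds the two different InitiateAuth request shapes and checks them against an app client's ExplicitAuthFlows. The ALLOW_* to AuthFlow mapping and the AuthParameters names follow the Cognito API reference; the client id, username and SRP_A value are constructed placeholders, and the boto3 call is only shown in a comment so the block runs offline.

```python
"""Added example: ExplicitAuthFlows gate the InitiateAuth AuthFlow value
one-to-one.  ALLOW_USER_AUTH unlocks AuthFlow=USER_AUTH (choice-based,
which may select SRP as a challenge); ALLOW_USER_SRP_AUTH unlocks
AuthFlow=USER_SRP_AUTH (client-based SRP).  Neither implies the other."""

# ExplicitAuthFlows setting -> the AuthFlow it permits (Cognito API reference).
EXPLICIT_TO_AUTH_FLOW = {
    "ALLOW_USER_AUTH": "USER_AUTH",
    "ALLOW_USER_SRP_AUTH": "USER_SRP_AUTH",
    "ALLOW_USER_PASSWORD_AUTH": "USER_PASSWORD_AUTH",
    "ALLOW_CUSTOM_AUTH": "CUSTOM_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH": "REFRESH_TOKEN_AUTH",
    "ALLOW_ADMIN_USER_PASSWORD_AUTH": "ADMIN_USER_PASSWORD_AUTH",  # AdminInitiateAuth only
}


def permitted_auth_flows(explicit_auth_flows):
    """AuthFlow values an app client with these ExplicitAuthFlows accepts."""
    return {EXPLICIT_TO_AUTH_FLOW[f] for f in explicit_auth_flows}


def srp_request(client_id, username, srp_a_hex):
    """Client-based SRP: AuthFlow=USER_SRP_AUTH.  The caller supplies SRP_A,
    the hex-encoded SRP client public ephemeral (g^a mod N), up front."""
    return {
        "ClientId": client_id,
        "AuthFlow": "USER_SRP_AUTH",
        "AuthParameters": {"USERNAME": username, "SRP_A": srp_a_hex},
    }


def choice_request(client_id, username, preferred_challenge=None, srp_a_hex=None):
    """Choice-based sign-in: AuthFlow=USER_AUTH.  PREFERRED_CHALLENGE is
    optional; without it Cognito replies with a SELECT_CHALLENGE challenge
    listing the available methods.  Selecting PASSWORD_SRP here still needs
    SRP_A, exactly as the USER_SRP_AUTH flow does."""
    params = {"USERNAME": username}
    if preferred_challenge is not None:
        params["PREFERRED_CHALLENGE"] = preferred_challenge
    if preferred_challenge == "PASSWORD_SRP":
        if srp_a_hex is None:
            raise ValueError("PASSWORD_SRP requires SRP_A")
        params["SRP_A"] = srp_a_hex
    return {"ClientId": client_id, "AuthFlow": "USER_AUTH", "AuthParameters": params}


def is_allowed(request, explicit_auth_flows):
    """Would this client-side InitiateAuth request pass the app client's
    ExplicitAuthFlows gate?  ADMIN_USER_PASSWORD_AUTH never counts here
    because it is only usable through AdminInitiateAuth."""
    allowed = permitted_auth_flows(explicit_auth_flows) - {"ADMIN_USER_PASSWORD_AUTH"}
    return request["AuthFlow"] in allowed


if __name__ == "__main__":
    # Constructed placeholders; a real SRP_A is derived from a random 'a'.
    CLIENT_ID, USER, SRP_A = "example-app-client-id", "alice", "ab" * 32
    only_user_auth = ["ALLOW_USER_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
    both = ["ALLOW_USER_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]

    srp = srp_request(CLIENT_ID, USER, SRP_A)
    choice = choice_request(CLIENT_ID, USER, "PASSWORD_SRP", SRP_A)
    print("USER_SRP_AUTH with only ALLOW_USER_AUTH :", is_allowed(srp, only_user_auth))
    print("USER_AUTH/PASSWORD_SRP with ALLOW_USER_AUTH:", is_allowed(choice, only_user_auth))
    print("USER_SRP_AUTH with both settings        :", is_allowed(srp, both))
    # Live call would be: boto3.client("cognito-idp").initiate_auth(**srp)
```

With only ALLOW_USER_AUTH set, a client still doing the classic USER_SRP_AUTH handshake (as older SDKs and Amplify versions do) is rejected by Cognito, which is why the wizard default and the documented example keep both settings: the same SRP verifier serves both flows, but each flow is switched on separately.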