amplify-js: NotAuthorizedException : Cannot initiate DEVICE_SRP_AUTH flow without first authenticating

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

  System:
    OS: macOS 12.6
    CPU: (8) arm64 Apple M1
    Memory: 70.39 MB / 16.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.10.0 - ~/.nvm/versions/node/v16.10.0/bin/node
    Yarn: 3.2.4 - ~/.nvm/versions/node/v16.10.0/bin/yarn
    npm: 7.24.0 - ~/.nvm/versions/node/v16.10.0/bin/npm
    Watchman: 2022.10.24.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 107.0.5304.87
    Firefox: 101.0.1
    Safari: 16.0
  npmPackages:
    @babel/core: 7.12.3 => 7.12.3 
    @my-scope/package-a:  0.0.0 
    @my-scope/package-b:  0.0.0 
    @testing-library/react: ^11.0.4 => 11.1.0 
    @testing-library/react-hooks: ^7.0.1 => 7.0.1 
    babel-jest: ^26.6.0 => 26.6.0 
    babel-loader: 8.1.0 => 8.1.0 
    babel-plugin-named-asset-import: ^0.3.7 => 0.3.8 
    baz:  undefined ()
    browser_field:  undefined ()
    date-fns: ^2.21.1 => undefined (2.16.1)
    invalid main:  undefined ()
    lint-staged: ^10.4.0 => 10.4.2 
    monorepo-symlink-test:  0.0.0 
    mylib:  0.0.0 
    react: ^16.9.0 => 16.14.0 
    react-autosuggest: ^10.0.0 => 10.0.3 
    react-datepicker: ^3.0.0 => 3.3.0 
    react-dom: ^16.9.0 => 16.14.0 
    react-redux: ^7.1.3 => 7.2.1 
    react-router-dom: ^5.1.2 => 5.2.0 
    react-transition-group: ^4.4.1 => 4.4.1 
    react-transition-group/CSSTransition:  undefined ()
    react-transition-group/ReplaceTransition:  undefined ()
    react-transition-group/SwitchTransition:  undefined ()
    react-transition-group/Transition:  undefined ()
    react-transition-group/TransitionGroup:  undefined ()
    react-transition-group/TransitionGroupContext:  undefined ()
    react-transition-group/config:  undefined ()
    resolve: 1.18.1 => 1.18.1 
    semver: 7.3.2 => undefined (5.7.1)
  npmGlobalPackages:
    corepack: 0.9.0
    npm: 7.24.0
    serve: 13.0.2
    yarn: 1.22.18

Describe the bug

When signing in by calling Auth.signIn (passing username and password), I randomly get a NotAuthorizedException.

I’ve verified that the username and password are correct (setting a breakpoint before calling Amplify).

If I call it again, it may or may not work. It seems random.

Network has the following 400 response when calling Cognito:

{"__type":"NotAuthorizedException","message":"Cannot initiate DEVICE_SRP_AUTH flow without first authenticating"}

I assume that, as we are not doing any custom challenge, Amplify is trying to authenticate the device before it authenticates the user.

As mentioned earlier, it seems to be random. If I click the same button that calls Auth.signIn again, it may authenticate successfully.

We are using aws-amplify@4.1.0.

Expected behavior

It should correctly authenticate the user.

Reproduction steps

  1. Call Auth.signIn with a valid username and password.
  2. It may fail at random.

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 33 (17 by maintainers)

Most upvoted comments

Hi @wmaca-friday

If I sign in and authenticate a device, device-related keys are kept in localStorage. If I close the browser, only the id, access and refresh tokens and the last username are erased. Nothing related to the device.

Thanks for confirming this. This is the expected behavior, the device keys are retained in the localStorage while the other keys are erased. The device keys will be used to bypass MFA (if configured) the next time the user calls signIn.

Based on the error you mentioned, NotAuthorizedException, it’s possible that sometimes the correct deviceKeys are fed during signIn while sometimes they are not.

If my understanding of the issue is correct,

  • sometimes signIn throws NotAuthorizedException
  • if the error occurs and we call signIn again, the user successfully bypasses MFA and signs in

If possible, could we always log the deviceKeys securely? When the error occurs, we could compare the current call (error) and the subsequent call (success) to check whether the same deviceKeys were passed (this would verify our theory that the deviceKeys are getting mixed up).
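The maintainer's suggestion above is to log the cached device keys around a failing and a succeeding signIn and compare them, without writing the secret values themselves into a log. The following is an added example of how such a diagnostic could be done; it is not code from amplify-js or from this issue. It assumes the web-storage key naming used by amazon-cognito-identity-js (`CognitoIdentityServiceProvider.<clientId>.<username>.deviceKey`, `.deviceGroupKey`, `.randomPasswordKey`), uses a placeholder client id and constructed placeholder values, and substitutes an in-memory storage object for `window.localStorage` so it runs outside a browser. The fingerprint is a non-cryptographic FNV-1a hash, enough to tell "same keys" from "different keys" in a log; for a production diagnostic you would swap in a truncated SHA-256 via `crypto.subtle`.

```javascript
// Assumed suffixes of the device-related entries amazon-cognito-identity-js caches
// under CognitoIdentityServiceProvider.<clientId>.<username>.<suffix>.
const DEVICE_KEY_SUFFIXES = ['deviceKey', 'deviceGroupKey', 'randomPasswordKey'];
const COGNITO_PREFIX = 'CognitoIdentityServiceProvider.';

// FNV-1a 32-bit fingerprint: NOT a cryptographic hash, only a stable 8-hex-digit
// token so two log entries can be compared without exposing the cached value.
function fingerprint(value) {
  let h = 0x811c9dc5;
  for (let i = 0; i < value.length; i++) {
    h ^= value.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Walk a Storage-like object (window.localStorage or the stand-in below) and return
// { storageKeyName: fingerprint } for every device-related Cognito entry, ignoring
// tokens and other entries under the same prefix.
function snapshotDeviceKeys(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    if (name === null || !name.startsWith(COGNITO_PREFIX)) continue;
    const suffix = name.slice(name.lastIndexOf('.') + 1);
    if (!DEVICE_KEY_SUFFIXES.includes(suffix)) continue;
    out[name] = fingerprint(storage.getItem(name) ?? '');
  }
  return out;
}

// Compare the snapshot taken before the failing signIn with the one taken before the
// successful retry; every entry whose fingerprint differs (or appeared/disappeared)
// is a candidate for the "wrong device keys fed to signIn" theory.
function diffSnapshots(before, after) {
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  const changes = [];
  for (const name of names) {
    if (before[name] !== after[name]) {
      changes.push({ name, before: before[name] ?? null, after: after[name] ?? null });
    }
  }
  return changes;
}

// Minimal in-memory stand-in for window.localStorage (same read/write surface used above).
function memoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => [...map.keys()][i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// Constructed sample: two users cached in one browser profile. Client id and all
// values are placeholders, not real Cognito identifiers.
const PREFIX_A = `${COGNITO_PREFIX}CLIENTID_PLACEHOLDER.alice`;
const PREFIX_B = `${COGNITO_PREFIX}CLIENTID_PLACEHOLDER.bob`;
const sample = memoryStorage({
  [`${PREFIX_A}.deviceKey`]: 'device-key-alice-PLACEHOLDER',
  [`${PREFIX_A}.deviceGroupKey`]: 'device-group-alice-PLACEHOLDER',
  [`${PREFIX_A}.randomPasswordKey`]: 'random-password-alice-PLACEHOLDER',
  [`${PREFIX_A}.accessToken`]: 'access-token-alice-PLACEHOLDER', // not a device key: ignored
  [`${PREFIX_B}.deviceKey`]: 'device-key-bob-PLACEHOLDER',
});

// Usage: call snapshotDeviceKeys(window.localStorage) right before each Auth.signIn,
// keep the snapshot from the call that threw, then diff it against the retry's.
// Here the retry is simulated by rotating one cached device key.
function demo() {
  const beforeFailingCall = snapshotDeviceKeys(sample);
  sample.setItem(`${PREFIX_A}.deviceKey`, 'device-key-alice-ROTATED-PLACEHOLDER');
  const beforeRetry = snapshotDeviceKeys(sample);
  return diffSnapshots(beforeFailingCall, beforeRetry);
}
```

Only fingerprints reach the log, so a captured log cannot be replayed to bypass MFA, yet it still answers the maintainer's question: if the diff between the failing call and the successful retry is empty, the cached keys were identical and the cause lies elsewhere; if it is non-empty, the storage contents changed between the two signIn calls.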