#cognito #aws #crypto

cognito_srp

AWS cognito Secure Remote Password (SRP) client implementation

3 releases

0.1.2 Aug 15, 2022
0.1.1 Aug 14, 2022
0.1.0 Aug 13, 2022

#1215 in Cryptography


354 downloads per month

MIT license

17KB
277 lines

cognito_srp

Pure Rust implementation of the AWS Cognito SRP password-authenticated key-exchange algorithm.

The library is a port of the cryptography in the Python warrant library, with a different interface.

The library is not production ready.

Security Warning

The code has not been audited for security risks and the implementation might not be correct.

USE AT YOUR OWN RISK!

Minimum Supported Rust Version

Rust 1.56 or higher.

License

Crate is licensed under

Usage

Instantiate an SrpClient and pass the result of get_auth_params as the auth parameters of the AWS SDK Cognito IdP initiate_auth call, which is the first step of the challenge-response flow.

Then use process_challenge to generate the response to the server challenge.

    // The last argument is left as None: the crate was only tested
    // without a client secret.
    let srp_client = SrpClient::new(
        "COGNITO_USERNAME",
        "COGNITO_PASSWORD",
        "COGNITO_POOL_ID",
        "COGNITO_CLIENT_ID",
        None,
    );

    // Step 1: start the SRP flow with the parameters generated by the SRP client.
    // cognito_client is an AWS SDK Cognito IdP client created elsewhere.
    let auth_init_res = cognito_client
        .initiate_auth()
        .auth_flow(AuthFlowType::UserSrpAuth)
        .client_id("cognito client id".to_string())
        .set_auth_parameters(Some(srp_client.get_auth_params().unwrap()))
        .send()
        .await;

    let auth_init_out = auth_init_res.unwrap();

    // Step 2: compute the responses to the server's challenge parameters.
    let challenge_params =
        auth_init_out
            .challenge_parameters
            .unwrap();
    let challenge_responses =
        srp_client.process_challenge(challenge_params).unwrap();

    // Step 3: answer the PASSWORD_VERIFIER challenge.
    let password_challenge_result = cognito_client
        .respond_to_auth_challenge()
        .set_challenge_responses(Some(challenge_responses))
        .client_id("cognito client id".to_string())
        .challenge_name(ChallengeNameType::PasswordVerifier)
        .send()
        .await;

    let password_challenge_response = password_challenge_result.unwrap();

A comprehensive example integrating with the AWS SDK for Rust is available here: https://github.com/lucdew/cognito-srp-auth
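The usage snippet above unwraps the challenge parameters and passes them straight to process_challenge. The following added example (not part of cognito_srp or of the linked repository) sketches a pre-check a caller could run first, using only the standard library. The function name check_password_verifier is hypothetical, the keys are the parameters Cognito sends with a PASSWORD_VERIFIER challenge, and the sample values are constructed.

```rust
use std::collections::HashMap;

// Parameters a Cognito PASSWORD_VERIFIER challenge is expected to carry.
const REQUIRED: [&str; 4] = ["SALT", "SRP_B", "SECRET_BLOCK", "USER_ID_FOR_SRP"];

#[derive(Debug, PartialEq)]
pub enum ChallengeError {
    UnexpectedChallenge(String),
    Missing(&'static str),
    NotHex(&'static str),
    ZeroServerValue,
}

// Hypothetical pre-check (not a cognito_srp API): run it on the
// initiate_auth output before handing the map to process_challenge.
pub fn check_password_verifier(
    challenge_name: &str,
    params: &HashMap<String, String>,
) -> Result<(), ChallengeError> {
    if challenge_name != "PASSWORD_VERIFIER" {
        return Err(ChallengeError::UnexpectedChallenge(challenge_name.to_string()));
    }
    for key in REQUIRED {
        match params.get(key) {
            Some(v) if !v.is_empty() => {}
            _ => return Err(ChallengeError::Missing(key)),
        }
    }
    // SALT and SRP_B are hex-encoded integers.
    for key in ["SALT", "SRP_B"] {
        if !params[key].chars().all(|c| c.is_ascii_hexdigit()) {
            return Err(ChallengeError::NotHex(key));
        }
    }
    // SRP clients must abort when B mod N == 0; B == 0 is the case that
    // can be detected here without the group modulus N.
    if params["SRP_B"].chars().all(|c| c == '0') {
        return Err(ChallengeError::ZeroServerValue);
    }
    Ok(())
}

// Constructed sample challenge parameters (not real Cognito output).
pub fn sample_params() -> HashMap<String, String> {
    let pairs = [("SALT", "a1b2c3"), ("SRP_B", "0f9e8d7c"),
                 ("SECRET_BLOCK", "c2VjcmV0"), ("USER_ID_FOR_SRP", "alice")];
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() { println!("{:?}", check_password_verifier("PASSWORD_VERIFIER", &sample_params())); }
```

The zero check covers only the trivial case; the full B mod N test needs the group modulus and belongs inside the SRP implementation itself.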

Tests

Only tested manually without any client secret.

Dependencies

~4.5–6.5MB
~119K SLoC