0.01
No release in over a year
Unofficial Ruby library implementing AWS Cognito's SRP authentication flow
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 2.2
~> 13.0
>= 0
~> 3.0
~> 1.9

Runtime

 Project Readme

Aws::CognitoSrp for Ruby

Gem Version CI

An unofficial Ruby library implementing AWS Cognito's SRP authentication flow.

Originally translated from Python's Warrant by Jonathan Viney, packaged into this gem by Pedro Carbajal.

Installation

In your Gemfile:

gem 'aws-cognito-srp'

Usage

require "aws-cognito-srp"

aws_srp = Aws::CognitoSrp.new(
  username:      "username",
  password:      "password",
  pool_id:       "pool-id",
  client_id:     "client-id",
  client_secret: "client-secret", # Optional
  aws_client:    Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
)

resp = aws_srp.authenticate

# Read tokens
resp.id_token
resp.access_token
resp.refresh_token

# A few hours later ... ⌛️

new_tokens = aws_srp.refresh_tokens(resp.refresh_token)

USER_ID_FOR_SRP

In case you need access to the USER_ID_FOR_SRP value from the auth response, you can do so by calling aws_srp.user_id_for_srp after the initial auth (aws_srp being the same as in the code example above).

If you're using a client_secret and calling #refresh_tokens in a different instance than the one that performed the initial call to #authenticate you will have to pass the USER_ID_FOR_SRP value as a keyword argument:

new_tokens = aws_srp.refresh_token(resp.refresh_token,
                                   user_id_for_srp: your_user_id_for_srp)

MFA (multi-factor authentication)

If you're using MFA you should check for the challenge after calling #authenticate and respond accordingly with #respond_to_mfa_challenge.

resp = aws_srp.authenticate

if resp.respond_to?(:challenge_name) && resp.mfa_challenge?
  user_code = get.chomp # Get MFA code from user

  resp = aws_srp.respond_to_mfa_challenge(
    user_code,
    auth_response: resp
  )
end

resp.id_token
resp.access_token
resp.refresh_token

Note that when #authenticate results in a successful authentication it returns a AuthenticationResultType (AWS SDK docs), i.e. an object that responds to #id_token, #access_token, etc.

However, when a MFA challenge step occurs, #authenticate instead returns a RespondToAuthChallengeResponse (AWS SDK docs), which you can check for with .respond_to?(:challenge_name) as in the above example. The RespondToAuthChallengeResponse object will be extended with the convenience methods #mfa_challenge?, #software_token_mfa? and #sms_mfa?.

The #respond_to_mfa_challenge method can be called with the following signatures:

#respond_to_mfa_challenge(user_code, auth_response: [, user_id_for_srp:])
#respond_to_mfa_challenge(user_code, challenge_name:, session: [, user_id_for_srp:])

Supported rubies

This gem is tested against and supports Ruby 2.4 through 3.3, JRuby and TruffleRuby.

Development

After checking out the repo, run bin/setup to install dependencies. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/beezwax/aws-cognito-srp-ruby

Disclaimer

This project is not sponsored by or otherwise affiliated with Amazon Web Services, Inc., an Amazon.com, Inc. subsidiary. AWS and Amazon Cognito are trademarks of Amazon.com, Inc., or its affiliates in the United States and/or other countries.