Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
When using the SRP_A (`USER_SRP_AUTH`) flow with Cognito in LocalStack, authentication succeeds, but subsequent API calls with the returned access token fail with `NotAuthorizedException: Invalid Access Token`. This occurs even when:
- `ALLOW_USER_SRP_AUTH` is explicitly enabled in the app client configuration
- Tokens include the required scopes (`aws.cognito.signin.user.admin`)
- Client secret is generated
- Token structure and signature are valid
Expected Behavior
Access tokens generated via the SRP_A flow should be accepted by LocalStack Cognito endpoints (e.g., `GetUser`, `ListUsers`) when the configuration matches AWS Cognito standards.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
Setup with Cognito User Pool with aws-cdk-lib
I use aws-cdk-lib for the backend.
User pool client config like:
```ts
new cognito.UserPoolClient(this, 'client', {
  userPool: this.userPool,
  accessTokenValidity: cdk.Duration.hours(1),
  authFlows: { userSrp: true },
  idTokenValidity: cdk.Duration.hours(1),
  disableOAuth: false,
  supportedIdentityProviders: [
    cognito.UserPoolClientIdentityProvider.COGNITO,
  ],
  // ...other options
});
```
How are you starting localstack (e.g., `bin/localstack` command, arguments, or `docker-compose.yml`)
My docker compose file:
```yaml
version: '3.8'
services:
  localstack:
    container_name: '${LOCALSTACK_DOCKER_NAME:-localstack-main}'
    image: localstack/localstack-pro
    ports:
      - '127.0.0.1:4566:4566' # LocalStack Gateway
      - '127.0.0.1:4510-4559:4510-4559' # external services port range
      - '127.0.0.1:443:443' # LocalStack HTTPS Gateway (Pro)
    environment:
      # LocalStack configuration: https://docs.localstack.cloud/references/configuration/
      - DEBUG=${DEBUG:-0}
      - LOCALSTACK_AUTH_TOKEN=${LOCALSTACK_AUTH_TOKEN- }
      - PERSISTENCE=1
      - SERVICES=cloudformation,ssm,iam,sns,logs,lambda,dynamodb,sqs,ecr,apigateway,route53,cognito-idp,events
      - LAMBDA_EXECUTOR=docker-reuse
      - [email protected]
    volumes:
      - '${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack'
      - '/var/run/docker.sock:/var/run/docker.sock'
      - './localstack/ready:/etc/localstack/init/ready.d'
```
`docker compose up` to start LocalStack Pro, then `cdklocal bootstrap` and `cdklocal deploy --all --require-approval never` to deploy the CDK stacks to LocalStack.
Backend CDK AuthCommands
My InitiateAuthCommand like:
```ts
const initiateCommand = new InitiateAuthCommand({
  ClientId: userPoolClientId,
  AuthFlow: 'USER_SRP_AUTH',
  AuthParameters: {
    USERNAME: email,
    SRP_A: srp_a,
  },
});
```
And RespondToAuthChallengeCommand like:
```ts
const respondCommand = new RespondToAuthChallengeCommand({
  ClientId: userPoolClientId,
  ChallengeName: 'PASSWORD_VERIFIER',
  ChallengeResponses: {
    PASSWORD_CLAIM_SIGNATURE: signature,
    PASSWORD_CLAIM_SECRET_BLOCK: secretBlock,
    TIMESTAMP: timestamp,
    USERNAME: signInUserId,
  },
});
```
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
I use cognito-srp to generate the SRP values and the signature.
After getting the access token from the backend, use it:
```sh
awslocal cognito-idp get-user --access-token $access_token
```
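As an added example (not code from this issue or from LocalStack), the following Node script runs the claim checks a Cognito endpoint such as `GetUser` depends on before the call is made, so a caller can tell "wrong token passed" apart from "service rejects a well-formed token". The issuer, client id and tokens in it are constructed placeholders, and the expected issuer string must be whatever your pool actually emits.

```javascript
// Added example (not from the issue or LocalStack): the claim checks a Cognito
// endpoint such as GetUser applies to a bearer access token, run locally so a
// practitioner can separate "wrong token passed" from "service rejects a good token".
// All tokens, ids and the issuer below are constructed for this example; the
// signature is a placeholder, so real RS256 verification against the pool's JWKS is not done.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build a JWS compact token with an unverifiable placeholder signature.
function makeToken(payload, header = { alg: 'RS256', kid: 'constructed-kid' }) {
  return `${b64url(header)}.${b64url(payload)}.${b64url({ sig: 'placeholder' })}`;
}

// Decode header and payload; throws on anything that is not a three-part JWS.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const part = (i) => JSON.parse(Buffer.from(parts[i], 'base64url').toString('utf8'));
  return { header: part(0), payload: part(1) };
}

// List the reasons a token would be rejected as an access token for `clientId`.
// `issuer` is whatever your pool emits (AWS: https://cognito-idp.<region>.amazonaws.com/<pool-id>;
// check the iss claim of a LocalStack token rather than assuming it). Empty array = consistent.
function checkAccessToken(token, { issuer, clientId, now = Math.floor(Date.now() / 1000) }) {
  let decoded;
  try { decoded = decodeJwt(token); } catch (e) { return [e.message]; }
  const { header, payload } = decoded;
  const problems = [];
  if (header.alg !== 'RS256' || !header.kid) problems.push('header must be RS256 with a kid');
  if (payload.iss !== issuer) problems.push(`iss is ${payload.iss}, expected ${issuer}`);
  if (payload.token_use !== 'access') problems.push(`token_use is ${payload.token_use}; GetUser needs the AccessToken, not the IdToken`);
  if (payload.client_id !== clientId) problems.push('client_id does not match the app client');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token is expired');
  const scopes = String(payload.scope || '').split(' ');
  if (!scopes.includes('aws.cognito.signin.user.admin')) problems.push('scope lacks aws.cognito.signin.user.admin');
  return problems;
}

// Constructed samples: a well-formed access token, and the IdToken passed by mistake.
const ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const CLIENT_ID = 'exampleclientid123';
const NOW = 1700000000;
const goodAccessToken = makeToken({ iss: ISSUER, client_id: CLIENT_ID, token_use: 'access',
  scope: 'aws.cognito.signin.user.admin', exp: NOW + 3600, iat: NOW, sub: 'constructed-sub' });
const idTokenByMistake = makeToken({ iss: ISSUER, aud: CLIENT_ID, token_use: 'id',
  exp: NOW + 3600, iat: NOW, sub: 'constructed-sub', email: 'user@example.com' });

console.log(checkAccessToken(goodAccessToken, { issuer: ISSUER, clientId: CLIENT_ID, now: NOW }));
console.log(checkAccessToken(idTokenByMistake, { issuer: ISSUER, clientId: CLIENT_ID, now: NOW }));
```

If the real token passes every check here and `get-user` still returns `Invalid Access Token`, the remaining difference is on the service side (signature/key lookup or flow support), which is the useful detail to put in the report.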
Environment
- OS: macOS Sonoma v14.6.1
- LocalStack:
  LocalStack version: latest, 4.5
  LocalStack Docker image sha: sha256:14f6c3dbf99a895299f79247bad646b754ffd14e8d7027532bef08a66d3f932e
Anything else?
It seems the `USER_AUTH` flow was only supported recently. So maybe `USER_SRP_AUTH` is not yet fully supported?
https://blog.localstack.cloud/localstack-release-v-4-4-0/#miscellaneous