Tags: amazon-web-services, amazon-cognito, aws-php-sdk

Amazon Cognito - Advanced Security Device of User is not listed correctly


I am using Amazon Cognito with Advanced Security enabled (currently in AUDIT only). I am not using a hosted UI. I call Cognito via the AWS SDK in PHP from a backend server while the frontend is gathering the data required for Advanced Security according to https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-advanced-security-app.html
The data gathered looks fine and contains the correct device and OS from the client (for example, Windows + Chrome).

The decoded payload gathered in the frontend looks like this:

'{"payload":"{\\"contextData\\":{\\"UserAgent\\":\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\\",\\"DeviceId\\":\\"XXXX:XXXX\\",\\"DeviceLanguage\\":\\"de-DE\\",\\"DeviceFingerprint\\":\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36PDF Viewer:Chrome PDF Viewer:Chromium PDF Viewer:Microsoft Edge PDF Viewer:WebKit built-in PDF:de-DE\\",\\"DevicePlatform\\":\\"Win32\\",\\"ClientTimezone\\":\\"02:00\\"},\\"username\\":\\"XXX\\",\\"userPoolId\\":\\"XXX\\",\\"timestamp\\":\\"1666690380680\\"}","signature":"XXXX","version":"JS20171115"}'

Inside of Cognito it looks like this: [screenshot of the Cognito user's device list]

The device shown is probably our backend server, which seems wrong.

The backend call for login looks like this:

$this->client->initiateAuth([
    'AuthFlow' => 'USER_PASSWORD_AUTH',
    'AuthParameters' => [
        'USERNAME' => $username,
        'PASSWORD' => $password,
        'SECRET_HASH' => $secret,
    ],
    'ClientMetadata' => [
        ...
    ],
    'ClientId' => $this->clientId,
    'UserContextData' => [
        'EncodedData' => $encodedData,
        'IpAddress' => $ip,
    ],
]);

I am also sending this data for forgotPassword, confirmForgotPassword and signUp, with the same result: Linux is shown as the device.

Why is the client device from the encoded data not shown in Cognito? It looks like Cognito is ignoring the encoded data I send and uses only my request information, which would break the whole concept of advanced security.


Solution

  • After changing from initiateAuth to adminInitiateAuth, I can see the correct devices, at least in the Cognito overview.
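For reference, this is what the server-side call looks like with adminInitiateAuth and its ContextData parameter, which (unlike UserContextData on initiateAuth) lets the backend pass the end user's IP, server name and path, forwarded request headers and the encoded device data on to advanced security. This is an added example, not the poster's code or AWS sample code: it assumes the AWS SDK for PHP v3, an app client with the ADMIN_USER_PASSWORD_AUTH flow enabled, and placeholder values for the pool id, client id, client secret and the request data; secretHash, buildContextData and login are helper names chosen here.

```php
<?php
// Added example (not the poster's code): AdminInitiateAuth with ContextData so that
// Cognito's adaptive authentication evaluates the end user's IP, headers and device
// fingerprint rather than the backend server's own request metadata.
// Assumes: AWS SDK for PHP v3 (composer package aws/aws-sdk-php) and an app client
// that allows ADMIN_USER_PASSWORD_AUTH. All ids/secrets below are placeholders.
require 'vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\Exception\AwsException;

// SECRET_HASH = Base64(HMAC-SHA256(username + clientId, clientSecret)), as Cognito requires
// for app clients that have a client secret.
function secretHash(string $username, string $clientId, string $clientSecret): string
{
    return base64_encode(hash_hmac('sha256', $username . $clientId, $clientSecret, true));
}

// Build the ContextData block from the *client's* request, not the backend's.
// $clientIp must already be the end user's address as determined by your trusted
// proxy layer; do not take X-Forwarded-For from an untrusted source verbatim.
// $encodedData is the unmodified string returned by the frontend collector
// (AmazonCognitoAdvancedSecurityData.getData) shown in the question.
function buildContextData(array $serverVars, array $requestHeaders, string $encodedData, string $clientIp): array
{
    $headers = [];
    foreach (['User-Agent', 'Accept-Language', 'Accept'] as $name) {
        if (isset($requestHeaders[$name])) {
            $headers[] = ['headerName' => $name, 'headerValue' => $requestHeaders[$name]];
        }
    }
    return [
        'IpAddress'   => $clientIp,
        'ServerName'  => $serverVars['SERVER_NAME'] ?? 'example.invalid',
        'ServerPath'  => $serverVars['REQUEST_URI'] ?? '/login',
        'HttpHeaders' => $headers,
        'EncodedData' => $encodedData,
    ];
}

// Perform the login with the admin (server-side) flow and return the raw result array.
function login(
    CognitoIdentityProviderClient $client,
    string $userPoolId,
    string $clientId,
    string $clientSecret,
    string $username,
    string $password,
    array $contextData
): array {
    return $client->adminInitiateAuth([
        'UserPoolId'     => $userPoolId,
        'ClientId'       => $clientId,
        'AuthFlow'       => 'ADMIN_USER_PASSWORD_AUTH',
        'AuthParameters' => [
            'USERNAME'    => $username,
            'PASSWORD'    => $password,
            'SECRET_HASH' => secretHash($username, $clientId, $clientSecret),
        ],
        'ContextData'    => $contextData,
    ])->toArray();
}

// Usage (placeholder values): wire the pieces together inside a request handler.
$client = new CognitoIdentityProviderClient(['region' => 'eu-central-1', 'version' => 'latest']);

$contextData = buildContextData(
    $_SERVER,
    function_exists('getallheaders') ? getallheaders() : [],
    $_POST['encodedData'] ?? '',          // value produced by the frontend collector
    $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'  // replace with the trusted-proxy-derived client IP
);

try {
    $result = login(
        $client,
        'eu-central-1_PLACEHOLDER',       // placeholder user pool id
        'PLACEHOLDER_CLIENT_ID',
        'PLACEHOLDER_CLIENT_SECRET',
        $_POST['username'] ?? '',
        $_POST['password'] ?? '',
        $contextData
    );
    // $result['AuthenticationResult'] holds the tokens on success; a ChallengeName
    // (e.g. SMS_MFA) means adaptive authentication or MFA requires another step.
} catch (AwsException $e) {
    error_log('Cognito auth failed: ' . $e->getAwsErrorCode());
}
```

Two practical checks when switching flows: the app client must explicitly allow ADMIN_USER_PASSWORD_AUTH (the USER_PASSWORD_AUTH setting does not cover it), and the IP you pass in IpAddress should be the end user's address as resolved by your own trusted proxy chain, otherwise the risk evaluation will again be scored against your backend's location.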