This module's admin_reset_user_password function has an optional client_metadata parameter. The default value of this parameter is None, but if you call the function without specifying any client metadata, you get this error:

Parameter validation failed:
Invalid type for parameter ClientMetadata, value: None, type: <class 'NoneType'>, valid types: <class 'dict'>

The solution is to pass an empty dictionary to client_metadata, which should be the default for that parameter.

admin_disable_user never uses the provided username parameter. It will disable the current user - if any:

    def admin_disable_user(self, username):
        """
        Disable a user
        :param username:
        :return:
        """
        self.client.admin_disable_user(
            UserPoolId=self.user_pool_id,
            Username=self.username,
        )

It should be:

    def admin_disable_user(self, username):
        """
        Disable a user
        :param username:
        :return:
        """
        self.client.admin_disable_user(
            UserPoolId=self.user_pool_id,
            Username=username,
        )

Today I kept receiveing the following exception:

File ".venv/lib/python3.10/site-packages/pycognito/__init__.py", line 496, in authenticate
    self._set_tokens(tokens)

  File ".venv/lib/python3.10/site-packages/pycognito/__init__.py", line 768, in _set_tokens
    self.verify_token(

  File ".venv/lib/python3.10/site-packages/pycognito/__init__.py", line 267, in verify_token
    raise TokenVerificationException(

pycognito.exceptions.TokenVerificationException: Your 'access_token' token could not be verified (The token is not yet valid (iat)).

After investigating, it appears to be some time synchronization issue.

The default time leeway for PyJWT is 0, which was too short for me.

My fix was to pass the parameter leeway to the jwt_api.jwt.decode_complete call (__init__.py line 255 as of today).

A better fix would be to pass that parameter somewhere in the chain. Either in the constructor or the authenticate method call.

I'm using django-ses and djlint.
I got the following warning when I installed django-ses.

djlint 1.9.3 requires importlib-metadata<5.0.0,>=4.11.0, but you have importlib-metadata 1.7.0 which is incompatible.

django-ses 3.1.0 requires importlib-metadata<2.0,>=1.0; python_version < "3.8", but you have importlib-metadata 4.12.0 which is incompatible.

I found that the import-metadata version specification that django-ses depends on is out of date. Is it possible to update this version?

When setting up login for users with SMS security enabled, I'm getting a 'User not found' exception.

import boto3
from pycognito import Cognito, MFAChallengeException
from pycognito.aws_srp import AWSSRP

def login(self):
    client = boto3.client('cognito-idp', self.region_name)
    aws = Cognito(self.pool_id, self.app_client_id, username=self.email)
    
    try:
        response = aws.authenticate(password=password)
    except MFAChallengeException as mfa:
        # I print the exception body; it includes a session and correct challenge parameters, and I am receiving the text code
        sms_code = input('Please check your text messages and enter the security code:')  # verified to be the correct input string
        aws.respond_to_sms_mfa_challenge(sms_code)  # done this with and without the mfa.get_tokens() value; same error

My error:
botocore.errorfactory.UserNotFoundException: An error occurred (UserNotFoundException) when calling the RespondToAuthChallenge operation: User does not exist.

I've verified the SMS code / username combo elsewhere, so it's specific to this use case.

A ValueError is sometimes being raised when attempting to authenticate credentials. The error occurs when a salt value contains a leading dash. For example: -16e462a84f2df159eee0c14642974ee7. This seems to only happen when a given username does not exist within the userpool? But not always.

The value error contains this message: non-hexadecimal number found in fromhex() arg at position 0

I have tracked it down to this snippet (line 174 in aws_srp.py):

x_value = hex_to_long(hex_hash(pad_hex(salt) + username_password_hash))

in the hex_hash function:

def hex_hash(hex_string):
    return hash_sha256(bytearray.fromhex(hex_string))

I would submit a fix but I am not sure how the application is expected to handle these kinds of scenarios.

@pvizeli @tsibley

Since Pycognito is updated to 2021.03.1 , and used in HA 2021.5.x, since its part of the new NabuCasa 0.43.0 , i receive error below... in this release there was a new PR :

#43
seems related to a token change?

the below error, i only receive when i do a full HassOS reboot , so in first boot, the "Cloud" Integrations fails to start/load, so i can only acces HA on local IP... if i do a restart of HA afterwards, then it succeeds, and cloud loads succesfully
the error below, only comes when i do a full reboot of HassOs 5.13 (tested also 6.0 rc1)

Any idea what could be wrong?

2021-05-10 11:42:54 ERROR (MainThread) [hass_nabucasa.remote] Unexpected error in Remote UI loop
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/remote.py", line 379, in _certificate_handler
    if not await self.load_backend():
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/remote.py", line 137, in load_backend
    resp = await cloud_api.async_remote_register(self.cloud)
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/cloud_api.py", line 16, in check_token
    await cloud.auth.async_check_token()
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/auth.py", line 172, in async_check_token
    await self._async_renew_access_token()
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/auth.py", line 199, in _async_renew_access_token
    await self.cloud.run_executor(cognito.renew_access_token)
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 636, in renew_access_token
    self._set_tokens(refresh_response)
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 708, in _set_tokens
    self.verify_token(tokens["AuthenticationResult"]["IdToken"], "id_token", "id")
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 254, in verify_token
    raise TokenVerificationException(
pycognito.exceptions.TokenVerificationException: Your 'id_token' token could not be verified.
2021-05-10 11:42:56 ERROR (MainThread) [hass_nabucasa.iot] Unexpected error
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/iot_base.py", line 108, in connect
    await self._handle_connection()
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/iot_base.py", line 147, in _handle_connection
    await self.cloud.auth.async_check_token()
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/auth.py", line 172, in async_check_token
    await self._async_renew_access_token()
  File "/usr/local/lib/python3.8/site-packages/hass_nabucasa/auth.py", line 199, in _async_renew_access_token
    await self.cloud.run_executor(cognito.renew_access_token)
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 636, in renew_access_token
    self._set_tokens(refresh_response)
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 708, in _set_tokens
    self.verify_token(tokens["AuthenticationResult"]["IdToken"], "id_token", "id")
  File "/usr/local/lib/python3.8/site-packages/pycognito/__init__.py", line 254, in verify_token
    raise TokenVerificationException(
pycognito.exceptions.TokenVerificationException: Your 'id_token' token could not be verified.

I am trying to renew the auth token using renew_access_token

Traceback (most recent call last):
  File "testpycognito.py", line 80, in <module>
    u.renew_access_token( )
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pycognito/__init__.py", line 617, in renew_access_token
    refresh_response = self.client.initiate_auth(
  File "/home/ubuntu/.local/lib/python3.8/site-packages/botocore/client.py", line 337, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/botocore/client.py", line 656, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client 3ol********************bd3

This is not an access problem
I manually performed the operation outside of the package and it works

     username = jwt.decode(id_token, verify=False)
      response = cidpClient.initiate_auth(
                 ClientId=clientId,
                 AuthFlow='REFRESH_TOKEN_AUTH',
                 AuthParameters={
                     'REFRESH_TOKEN': refresh_token,
                     'SECRET_HASH': get_secret_hash(clientId, clientSecret, username["cognito:username"]),
                  })

Also the SECURE_HASH from both operations are the same

Any help will be appreciated

Hi Guys

Would love to see device SRP support, I'm really struggling to figure out https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-remembered-devices/ in python. No matter what combination of things I do, this fails.

I'd be happy to contribute where I got up to in exchange for some TLC.

Let me know

In some implementations of logins are proxying calls through their own systems. Botoclient has a endpoint_url parameter, but pycognito doesn't allow to pass it. Also, when using this lib from an internal corporate network, the ssl fails as there is one self signed cert in the chain, I would like to be able to configure those.

RequestSrpAuth should have it and Cognito, which takes it and packs in kwargs for boto client.

• use_ssl
• verify
• endpoint_url

Please consider using a different cryptography library that is currently maintained.

Is there a way to send the confirmation email that a new user receives upon signup?

It seems impossible to register a user when using a client secret.

Steps to reproduce: have a user pool with no users and with an app client with a secret.

u = Cognito(user_pool_id='eu-central-1_...',
    client_id='...',
    client_secret='...')
u.set_base_attributes(email='[email protected]')
u.register('person', 'password')

Crashes with:

---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-22-d291537f4dbd> in <module>
      1 u.set_base_attributes(email='[email protected]')
----> 2 u.register('person', '...')

~/.local/lib/python3.8/site-packages/pycognito/__init__.py in register(self, username, password, attr_map)
    346             "UserAttributes": cognito_attributes,
    347         }
--> 348         self._add_secret_hash(params, "SecretHash")
    349         response = self.client.sign_up(**params)
    350 

~/.local/lib/python3.8/site-packages/pycognito/__init__.py in _add_secret_hash(self, parameters, key)
    690         """
    691         if self.client_secret is not None:
--> 692             secret_hash = AWSSRP.get_secret_hash(
    693                 self.username, self.client_id, self.client_secret
    694             )

~/.local/lib/python3.8/site-packages/pycognito/aws_srp.py in get_secret_hash(username, client_id, client_secret)
    199     @staticmethod
    200     def get_secret_hash(username, client_id, client_secret):
--> 201         message = bytearray(username + client_id, "utf-8")
    202         hmac_obj = hmac.new(bytearray(client_secret, "utf-8"), message, hashlib.sha256)
    203         return base64.standard_b64encode(hmac_obj.digest()).decode("utf-8")

TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

This is caused by https://github.com/pvizeli/pycognito/blob/6c173cf0bb26e40a941be188670c7c592b46eeb8/pycognito/__init__.py#L693 operating on self.username which is not initialized.
I think adding self.username = username around https://github.com/pvizeli/pycognito/blob/6c173cf0bb26e40a941be188670c7c592b46eeb8/pycognito/__init__.py#L334 would fix it without breaking any code using _add_secret_hash. Please let me know if this is OK for you and I will submit a PR.

Hi there --

In a monthly automated scan, a dependency of this library showed a security vulnerability.

Tracing the dependency tree, it looks like pycognito -> python-jose[cryptography] -> ecdsa. Normally I would look to the source of the issue for a fix, but it seems that:

• ecdsa does not plan to fix it
• python-jose is not responding to requests to remove ecdsa lib from their dep tree

It's particularly unfortunate since python-jose claims that the library in question isn't even in use for python-jose[cryptography]. Alas, for reporting reasons, my team will need to address it regardless.

I was hoping you could provide me some clarity on whether or not you intend to address the vulnerability within the scope of this library.

Thank you for reading, and thank you for your contributions to OSS!

After authentication, I want to return the token to the front-end team, but as I can see you are not returning anything from the authentication, so whatever line of code I wrote after the authenticate line, never runs.
Example:

u = Cognito('your-user-pool-id','your-client-id', username='bob')
u.authenticate(password='bobs-password')
print("@"*50)

In this line of code, the print statement never executes, because we didn't get any response from the authenticate method.

normal user auth does handle SRP so I guess this should be relatively simple to fix.

So I have a user set to NEW_PASSWORD_REQUIRED and the code failed on the admin_authenticate method....

this is the error:
self.verify_token(tokens["AuthenticationResult"]["IdToken"], "id_token", "id") KeyError: 'AuthenticationResult'

so my idea is to add a verification here to raise or redirect the user to set a new password.... any idea?
Here is the token result I got from the admin_initiated_auth

{'ChallengeName': 'NEW_PASSWORD_REQUIRED', 'Session': 'very_long_string', 'ChallengeParameters': {'USER_ID_FOR_SRP': 'cognito_test', 'requiredAttributes': '[]', 'userAttributes': '{"email_verified":"true","email":"[email protected]"}'}, 'ResponseMetadata': {'RequestId': '111111-d49a-40f5-bef6-111111', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Wed, 25 Mar 2020 13:22:28 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '1190', 'connection': 'keep-alive', 'x-amzn-requestid': '1111-d49a-40f5-bef6-1111'}, 'RetryAttempts': 0}}

For some reason access tokens acquired via boto3 do not have at_hash claims, but when you use id tokens from the hosted ui, they have at_hash claims. To use jose.jwt.decode on these tokens you have to pass in the access_token at the same time as the ID token or it raises an error.

It may seem like a weird use case to use tokens from the hosted UI with the library but there is some stuff the hosted UI can't do (like update user attributes) that it's nice to use pycognito for. It would be nice if this could be resolved, it might be as simple as changing the decode call to always include the access token.

Objective

I want to verify that a method call did what was expected.

How to accomplish it

Returning the underlying boto3 response from a method call would achieve this.

For example the init.py/initiate_forgot_password method could be

def initiate_forgot_password(self):
        """
        Sends a verification code to the user to use to change their password.
        """
        params = {"ClientId": self.client_id, "Username": self.username}
        self._add_secret_hash(params, "SecretHash")
        return self.client.forgot_password(**params) # Added return

Justification

Calling initiate_forgot_password when a user hasn't verified their signup information doesn't seem to send a password request. The type definitions for mypy_boto3 indicate that it could be useful to see the response information.

From mypy_boto3_congito_idp

def forgot_password(
        self,
        *,
        ClientId: str,
        Username: str,
        SecretHash: str = ...,
        UserContextData: UserContextDataTypeTypeDef = ...,
        AnalyticsMetadata: AnalyticsMetadataTypeTypeDef = ...,
        ClientMetadata: Mapping[str, str] = ...
    ) -> ForgotPasswordResponseTypeDef:
        """
        Calling this API causes a message to be sent to the end user with a confirmation
        code that is required to change the user's password.

        [Show boto3 documentation](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.forgot_password)
        [Show boto3-stubs documentation](https://youtype.github.io/boto3_stubs_docs/mypy_boto3_cognito_idp/client/#forgot_password)
        """

So this:

resp = user.initiate_forgot_password()
print(resp) # empty

becomes:

resp = user.initiate_forgot_password()
print(resp)

{
    'CodeDeliveryDetails': {'Destination': 's***@y***', 'DeliveryMedium': 'EMAIL', 'AttributeName': 'email'},
    'ResponseMetadata': {
        ...,
        'HTTPStatusCode': 200,
        'HTTPHeaders': {
            ...
        },
        'RetryAttempts': 0
    }
}

which at least let's you see if the medium is near what was expected. In my case I noticed a user's email was wrong

Hi, I am using pycognito following your authenticate example from the README.

When I run the authenticate() method on a Cognito instance (created with a Cognito User Pool ID, Cognito Client ID, and username), I do not get an instance with the .expires_in or .expires_datetime attributes as described. I do see id_token, refresh_token, access_token, and token_type, though.

Hello,
I got the following error during the registration procedure.

u.register(username, password)
File "/site-packages/pycognito/init.py", line 350, in register
self._add_secret_hash(params, "SecretHash")
File "/site-packages/pycognito/init.py", line 695, in _add_secret_hash
secret_hash = AWSSRP.get_secret_hash(
File "site-packages/pycognito/aws_srp.py", line 201, in get_secret_hash
message = bytearray(username + client_id, "utf-8")
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

The username has None value in get_secret_hash because the attribute passed via registrer function is not updating the self.username .
To use the register procedure , i am passing the attribute username to the Cognito object, but this is not described in the documentation.

Using poetry I'm seeing poetry fail to resolve (taking hours on Github Actions) when pycognito is in the dependency list.

It appears to be because the dependency specifier boto3>=1.10.49 includes many hundreds of released versions of boto3, poetry has to download the individual packages to inspect them to work out the transitive dependencies. This isn't an issue with your dependency specification as there shouldn't be any requirement to only support the most recent 10's of releases. But on the off chance this helps other users, I'm going to restrict my own project to require a more recent version of boto3 to work around poetry.

Is it possible to create a user without the need to verify the email?

I know that the AWS interface, there is a flag for this ...

Hi, firstly thanks for maintaining this.

I'm not a developer, just a user with python knowledge struggling through old threads and forks to implement a complete workflow in python to login a user get a bearer token and start using an API.

Here is shortened code with key bits:-

from pycognito.aws_srp import AWSSRP

client = boto3.client('cognito-idp', region_name='eu-central-1', config=my_config)

try:
    aws = AWSSRP(username=user, password=passw, pool_id=pool_id, client_id=client_id, client=client)
except client.exceptions.NotAuthorizedException as e:
    print(f"error: {e}")

auth_init = client.initiate_auth(AuthFlow='USER_SRP_AUTH', AuthParameters=aws.get_auth_params(), ClientId=client_id)

c_resp = aws.process_challenge(auth_init['ChallengeParameters'])

response = client.respond_to_auth_challenge(ClientId=client_id, ChallengeName=auth_init['ChallengeName'], ChallengeResponses=c_resp)

It fails at last line with "botocore.errorfactory.NotAuthorizedException" wrong username or password.

I think I'm missing a step in my flow since the auth_init and c_resp seem to produce the correct parameters:-

auth_init:
{'ChallengeName': 'PASSWORD_VERIFIER',
'ChallengeParameters': {'SALT': 'a9a...', 'SECRET_BLOCK': '9p1/...', 'SRP_B': '979', 'USERNAME': 'a2c...', 'USER_ID_FOR_SRP': 'a2cc....'}, 'ResponseMetadata': {'RequestId': 'c7bea..', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Wed, 29 Sep 2021 08:56:46 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '2730', 'connection': 'keep-alive', 'x-amzn-requestid': 'c7bea...'}, 'RetryAttempts': 0}}

c_resp:
{'TIMESTAMP': 'Wed Sep 29 08:56:46 UTC 2021',
'USERNAME': 'a2cc.....',
'PASSWORD_CLAIM_SECRET_BLOCK': '9p1/....',
'PASSWORD_CLAIM_SIGNATURE': 'g+CZ...'}

I realise this is probably not an issue with your code, rather my poor implementation, but any guidance would be appreciated.

I can't find a correct way to log in as an administrator.

This line should be mfa_tokens not self.mfa_tokens:
https://github.com/pvizeli/pycognito/blob/dd93b41bea07be48ad54b1e5dca878d847195f31/pycognito/__init__.py#L1020

Is there a way to do a case-insensitive search of a username?

I'm trying to do:

cog = Cognito(...)
users = cog.get_users(attr_map={"username":"someUserName"})

However, the list of users returned appears to be everything in my pool. Is this the expected behavior, or am I using this incorrectly?

How would I find a user called "someusername" vs "someUserName"? I've found that the search feature in the AWS Cognito user search page is case-sensitive, which makes searching very error prone when usernames may contain inconsistent casing.

It looks like the latest release is inconsistent with the semantic versioning that was happening before. Was this intentional?

Currently we have an an easy access to attributes but not to custom JWT claims added by a pre-token generation lambda

You can can get the decoded ID Token with

Cognito.verify_token(id_token,"id_token","id")

but it's kind of hacky, otherwise you're on your own to decode the ID token and extract the claims.

It would be nice to have a proper route to access these custom claims!

Hi,
(great library by the way!)

Are there any plans to add device confirmation support into pycognito? specifically, so that the boto3 confirm_device and update_device_status are supported? This would then allow device-based authentication (i.e. with a token) once the initial user authentication has passed.

I'm working on adding this support to my own copy of this library. If I succeed, would a PR be of interest?

thanks
James

I'm trying to fetch data from a user using pycognito.

This code give all de users in the pool, so the connection to AWS is working fine

    c = Cognito(
        cognito_service.COGNITO_USER_POOL_ID, cognito_service.COGNITO_APP_CLIENT_ID
    )
    response = c.get_users(attr_map={})

But the same code using get_user_obj

    c = Cognito(
        cognito_service.COGNITO_USER_POOL_ID, cognito_service.COGNITO_APP_CLIENT_ID
    )
    response = c.get_user_obj(username=username, attribute_list=[{}])

Always return a dummy object with all values set to None except for the username that is populated allways, also with not existing users.

I have tested also get_user

    c = Cognito(
        cognito_service.COGNITO_USER_POOL_ID,
        cognito_service.COGNITO_APP_CLIENT_ID,
        username=username,
    )
    response = c.get_user(attr_map={})

That raise a boto3 exception

botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid type for parameter AccessToken, value: None, type: <class 'NoneType'>, valid types: <class 'str'>

My cognito pool use only "email", not "username" for login, I'm not sure if is de reason for the error.

Any hint to solve my issues fetching the user data?

Hi @pvizeli

I've managed to setup Cognito user pool and identity pools. I'm also able to authenticate and I get back id_token, access_token, refresh_token, Pool_JWK (This contains a couple of RSA keys with Key_id and Key_secret) but I am not able to use any of these to connect to S3 bucket.

Could you please help or share links on how I could use these tokens to access AWS services?

Thank you all for taking the time to help

The comments of the admin_create_user method indicate that it is an optional parameter and if omitted, Cognito will generate a temporary password. When I try to use the method in this manner, I get errors that the temporary password provided is invalid.

Based on the boto3 documentation for this action at https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.admin_create_user, it looks like the TemporaryPassword parameter needs to be omitted from the request to let Cognito generate the temporary password for you, but the code in this library is always passing the parameter in, even if it is an empty string or None.

I have an error with regenerating the token after it expires, if you use an app with the secret.
I pass both the username and secret parameters, but it says that

"""

 u = Cognito(COGNITO_POOL_ID, APP_CLIENT_ID, client_secret=APP_SECRET_KEY, username=email1, id_token=id_token, refresh_token=refresh_token, access_token=access_token)

u.check_token()

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: SecretHash does not match for the client: XXXXXXXXXX
"""
the secret is correct because other functions such as registration or profile update work

without the secret instead it works correctly

Would it make sense to cache requests made to https://cognito-idp.{aws-region}.amazonaws.com/{user-pool-id}/.well-known/jwks.json since otherwise we would always make an request to get basically static data.

I know about the env variable COGNITO_JWKS but it does not feel right to hardcode this information inside an env variable. Ofcourse I could implement the caching outside of the Cognito class und set the env variable but why not have it directly inside instead?

Hello,

A vulnerability scan flagged the upstream dependency cryptography (pycognito -> pyjwt[crypto] -> cryptography) that is fixed for versions > 42.0.4. See: GHSA-6vqw-3v5j-54x4

This update to cryptography causing breaking changes where:

from pycognito import Cognito

idToken = '<idToken>'
accessToken = '<accessToken>'

userPoolId='<userPoolId>'
clientId = '<clientId>'
region='<region>'

u = Cognito(
    user_pool_id=userPoolId,
    client_id=clientId,
    user_pool_region=region,
    id_token=idToken,
    access_token=accessToken
)
u.verify_tokens()

Results in:

>> TypeError: argument 'data': from_buffer() cannot return the address of a unicode object

with the error occurring upstream in jwt

If you attempt to pass the tokens in as bytes you get:

>> TypeError: a bytes-like object is required, not 'str'

Where the error occurs within pycognito.

I have created a PR to fix this breaking change by handling the cases at these two points of failure: #222

In the process_challenge function, there is a call to strftime that depends on the current locale. If it is not English, AWS will respond with this error:

TIMESTAMP format should be EEE MMM d HH:mm:ss z yyyy in english

The problem can be reproduced like this:

locale.setlocale(locale.LC_TIME, "nb_NO.utf-8")
u = Cognito(...)
u.authenticate(...)