AWS code-library documentation change
Summary
Added SAP ABAP code example for AdminRespondToAuthChallenge operation with MFA challenge handling
Security assessment
Documents secure implementation of MFA challenge response flow including SECRET_HASH handling, but doesn't address a specific security vulnerability
Diff
diff --git a/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md b/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md index 10c64e21e..b21add520 100644 --- a//code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md +++ b//code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md @@ -374,0 +375,65 @@ Respond to an MFA challenge by providing a code generated by an associated MFA a +SAP ABAP + + +**SDK for SAP ABAP** + + +###### Note + +There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples). + + + TRY. + " Build challenge responses + DATA(lt_challenge_responses) = VALUE /aws1/cl_cgpchallengerspstyp00=>tt_challengeresponsestype( + ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow( + key = 'USERNAME' + value = NEW /aws1/cl_cgpchallengerspstyp00( iv_user_name ) ) ) + ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow( + key = 'SOFTWARE_TOKEN_MFA_CODE' + value = NEW /aws1/cl_cgpchallengerspstyp00( iv_mfa_code ) ) ) + ). + + " Add SECRET_HASH if provided + IF iv_secret_hash IS NOT INITIAL. + INSERT VALUE #( + key = 'SECRET_HASH' + value = NEW /aws1/cl_cgpchallengerspstyp00( iv_secret_hash ) + ) INTO TABLE lt_challenge_responses. + ENDIF. + + DATA(lo_result) = lo_cgp->adminrespondtoauthchallenge( + iv_userpoolid = iv_user_pool_id + iv_clientid = iv_client_id + iv_challengename = 'SOFTWARE_TOKEN_MFA' + it_challengeresponses = lt_challenge_responses + iv_session = iv_session + ). + + oo_auth_result = lo_result->get_authenticationresult( ). + + IF oo_auth_result IS BOUND. + MESSAGE 'MFA challenge completed successfully.' TYPE 'I'. + ELSE. + " Another challenge might be required + DATA(lv_next_challenge) = lo_result->get_challengename( ). + MESSAGE |Additional challenge required: { lv_next_challenge }.| TYPE 'I'. + ENDIF. + + CATCH /aws1/cx_cgpcodemismatchex INTO DATA(lo_code_ex). + MESSAGE 'Invalid MFA code provided.' TYPE 'E'. + + CATCH /aws1/cx_cgpexpiredcodeex INTO DATA(lo_expired_ex). + MESSAGE 'MFA code has expired.' TYPE 'E'. + + CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex). + MESSAGE 'Not authorized. Check MFA configuration.' TYPE 'E'. + ENDTRY. + + + + * For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in _AWS SDK for SAP ABAP API reference_. + + + +