qwigo · 3oris · Jul 12, 2018
diff --git a/warrant/aws_srp.py b/warrant/aws_srp.py
@@ -173,6 +173,7 @@ def get_secret_hash(username, client_id, client_secret):
         return base64.standard_b64encode(hmac_obj.digest()).decode('utf-8')
 
     def process_challenge(self, challenge_parameters):
+        internal_username = challenge_parameters['USERNAME']
         user_id_for_srp = challenge_parameters['USER_ID_FOR_SRP']
         salt_hex = challenge_parameters['SALT']
         srp_b_hex = challenge_parameters['SRP_B']
@@ -188,13 +189,13 @@ def process_challenge(self, challenge_parameters):
         hmac_obj = hmac.new(hkdf, msg, digestmod=hashlib.sha256)
         signature_string = base64.standard_b64encode(hmac_obj.digest())
         response = {'TIMESTAMP': timestamp,
-                    'USERNAME': user_id_for_srp,
+                    'USERNAME': internal_username,
                     'PASSWORD_CLAIM_SECRET_BLOCK': secret_block_b64,
                     'PASSWORD_CLAIM_SIGNATURE': signature_string.decode('utf-8')}
         if self.client_secret is not None:
             response.update({
                 "SECRET_HASH":
-                self.get_secret_hash(self.username, self.client_id, self.client_secret)})
+                self.get_secret_hash(internal_username, self.client_id, self.client_secret)})
         return response
 
     def authenticate_user(self, client=None):