Are the Cognito User pool id and Client Id sensitive?

Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?

Sello Mkantjwa asked Dec 15 '17


People also ask

Is Cognito client ID a secret?

A public client (an app running in a browser or on a mobile device) has no trusted server-side resources, so it does not have a client secret; its client ID is meant to be visible. A confidential client has server-side resources that can be trusted with a client secret for unauthenticated API operations, for example an app that runs as a daemon or shell script on your backend server.

What is the main difference between Cognito user pool and Cognito identity pool?

With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP). Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services.

What is Cognito user pool ID?

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.

Is username unique in Cognito?

A username is always required to register a user, and it cannot be changed after a user is created. The username must be unique within a user pool. A username can be reused, but only after it has been deleted and is no longer in use.


1 Answer

No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large number of SignUp calls to your user pool. But as long as these registrations are not verified, they won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS-specific issue. Fake registrations are a big headache, and one will face this issue even if no SignUp API is being used and a PHP backend is used for registration. The only way to face this is email/phone verification.

Of course, if you have disabled SignUp in your user pool, i.e. only admins can create users, then this is not an issue at all.

agent420 answered Sep 28 '22
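The exposure the answer describes, as an added example that is not part of the original post or of any AWS code: a stdlib-only Python script that builds (without sending) the SignUp request a stranger could issue with nothing but the app client ID, computes the SecretHash that a confidential client would additionally need, and audits a DescribeUserPool response for whether self sign-up is open and email/phone verification is configured. The region, pool ID, client ID, Lambda ARN and the trimmed DescribeUserPool responses are constructed for the example and are not real resources.

```python
"""Why a Cognito user pool ID and app client ID are public, and what a leaked
pair actually enables (unauthenticated SignUp), with a config audit."""
import base64
import hashlib
import hmac
import json

# Hypothetical identifiers in Cognito's documented formats; assumed, not real resources.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_AbCdEfGhI"
CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"


def secret_hash(client_id, client_secret, username):
    """SecretHash for a confidential app client:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_signup_request(region, client_id, username, password, email, client_secret=None):
    """Build (do not send) the HTTP request behind the SignUp API call.

    SignUp is an unauthenticated operation: no AWS credentials and no SigV4
    Authorization header, only the app client ID that already ships in the
    front end. A client created *with* a secret additionally needs SecretHash,
    which is the one value that must stay server side."""
    body = {
        "ClientId": client_id,
        "Username": username,
        "Password": password,
        "UserAttributes": [{"Name": "email", "Value": email}],
    }
    if client_secret is not None:
        body["SecretHash"] = secret_hash(client_id, client_secret, username)
    return {
        "method": "POST",
        "url": f"https://cognito-idp.{region}.amazonaws.com/",
        "headers": {
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": "AWSCognitoIdentityProviderService.SignUp",
        },
        "body": json.dumps(body),
    }


def audit_signup_exposure(describe_user_pool_response):
    """Given the dict returned by cognito-idp DescribeUserPool, return
    (level, message) findings about what a leaked pool/client ID enables."""
    pool = describe_user_pool_response["UserPool"]
    findings = []
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if admin_only:
        findings.append(("OK", "self sign-up disabled (AllowAdminCreateUserOnly): "
                               "the public IDs cannot be used to create users"))
        return findings
    findings.append(("WARN", "self sign-up enabled: anyone holding the client ID can call SignUp"))
    if pool.get("AutoVerifiedAttributes"):
        findings.append(("OK", "verification required for %s: unverified sign-ups stay UNCONFIRMED"
                         % ", ".join(pool["AutoVerifiedAttributes"])))
    else:
        findings.append(("WARN", "no AutoVerifiedAttributes: sign-ups are never checked "
                                 "against a real mailbox or phone"))
    if pool.get("LambdaConfig", {}).get("PreSignUp"):
        findings.append(("REVIEW", "PreSignUp trigger %s: confirm it does not set autoConfirmUser "
                                   "for arbitrary sign-ups" % pool["LambdaConfig"]["PreSignUp"]))
    return findings


# Constructed DescribeUserPool responses, trimmed to the fields the audit reads.
OPEN_POOL = {"UserPool": {"Id": USER_POOL_ID,
                          "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
                          "AutoVerifiedAttributes": [],
                          "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:auto-confirm"}}}
LOCKED_POOL = {"UserPool": {"Id": USER_POOL_ID,
                            "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}}
VERIFIED_POOL = {"UserPool": {"Id": USER_POOL_ID,
                              "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
                              "AutoVerifiedAttributes": ["email"]}}

if __name__ == "__main__":
    req = build_signup_request(REGION, CLIENT_ID, "mallory", "Str0ng-Passw0rd!", "mallory@example.com")
    print("SignUp request needs no credentials:", "Authorization" not in req["headers"])
    for name, pool in (("open", OPEN_POOL), ("locked", LOCKED_POOL), ("verified", VERIFIED_POOL)):
        print(name)
        for level, msg in audit_signup_exposure(pool):
            print(f"  [{level}] {msg}")
```

In a real audit, feed `audit_signup_exposure` the output of `aws cognito-idp describe-user-pool --user-pool-id <id>` (or boto3's `describe_user_pool`). The built request is deliberately never sent: the point is that nothing in it is secret except, for a confidential client, the SecretHash input.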