I have a frontend app which I want to connect with a Cognito User Pool.
I am using openidconnect playground to test the authentication flow and this is my Cognito configuration:

I have not put a client secret because I don't think it is safe to have the client secret in the frontend URL.
This is the app client settings:

I am using the Authorization Code Grant because the other grants need a client secret.
So, this is the URL to do the login:
https://myuserpoolname.auth.eu-west-1.amazoncognito.com/oauth2/authorize?
client_id=YYYYYYYYY
&redirect_uri= https://openidconnect.net/callback
&scope=openid customscope/router customscope/modem
&response_type=code
&state=2282ed48ec2fc0eb0806a532f2eQQf02d0918949
After that, for the exchange to get the token I use this request:
POST https://myuserpoolname.auth.eu-west-1.amazoncognito.com/oauth2/token
grant_type=authorization_code
&client_id=YYYYYYYYY
&redirect_uri=https://openidconnect.net/callback
&code=bd105ab3-Z-X-Y-6109170d1e46
But if I don't share the client_secret as param it returns an error.
How can I do the authentication process without the client secret? Is that possible? If not, how can I manage the client secret so that I don't have to handle it in the frontend application?
Thanks.
When using auth code grant type on public clients, you should use PKCE.
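Added example, not code from the answer above: the PKCE steps for the flow in the question. The verifier stays in the browser and only its SHA-256 challenge goes to `/oauth2/authorize`; the token request then carries `code_verifier` instead of `client_secret`. The domain, client_id, redirect URI and scopes are the ones from the question; the `state` and `code` values passed in are placeholders.

```python
"""PKCE for the Cognito authorization-code flow on a public client."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values taken from the question; the client secret is deliberately absent.
COGNITO_DOMAIN = "https://myuserpoolname.auth.eu-west-1.amazoncognito.com"
CLIENT_ID = "YYYYYYYYY"
REDIRECT_URI = "https://openidconnect.net/callback"
SCOPES = "openid customscope/router customscope/modem"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA-256(verifier)) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(verifier: str, state: str) -> str:
    """Step 1: browser redirect. Only the challenge leaves the client."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "response_type": "code",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def token_request_body(verifier: str, code: str) -> dict:
    """Step 2: form body for POST /oauth2/token; code_verifier replaces client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def challenge_matches(verifier: str, stored_challenge: str) -> bool:
    """The check the token endpoint performs: verifier must hash to the stored challenge."""
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)
```

Generate a fresh verifier per login and keep it in session storage until the callback arrives; an intercepted code is useless without it.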