From AWS documentation (Specifying User Pool App Settings):
It is the developer's responsibility to secure any app client IDs or secrets so that only authorized client apps can call these unauthenticated APIs.
So is there any scheme to do the authentication under secure conditions (not exposing the client ID on a static web page)?
AWS samples put the client ID in the clear, so they do not meet the doc recommendation. Also, any attacker can perform brute force attacks against the Cognito unauthorized API with the static web client ID. Is there any way to avoid this?
This information is not sensitive, but if used together it could allow a client to create users in your Cognito user pool and hence gain access to your application.
Then, click Create app client. Cognito will create a Client Id and a Client Secret, which you can access after setup is complete.
However, a Cognito user pool is its own IdP. If an identity pool is configured correctly, it can use the app's user pools as an IdP. This way, users authenticate via user pools and are assigned IAM roles via identity pools.
Under Security Profile Management, click the Web Settings tab. You can find the Client ID and Client Secret on this page.
Their recommendation applies when you use both the App Client ID and the Secret (typically in mobile development).
When you create an app, you can optionally choose to create a secret for that app. If a secret is created for the app, the secret must be provided to use the app. Browser-based applications written in JavaScript may not need an app with a secret.
When you are using Cognito on the web, you don't need to generate the Secret (uncheck the box when creating the application in your User Pool). This indeed leaves the App Client Id in clear text on the client, but there's no more risk in this scenario than there is in having the login page exposed to the open internet: an attacker could attempt to brute force your login regardless.
What I'm sure Amazon does in this case (which is what people should do in the case of a custom login implementation anyways) is to defend against throttled requests, blacklisting IPs etc., which essentially slows down attackers to the point where it's infeasible or not worth it to perform brute force attacks.
In short, you need not worry about leaving the App Client Id embedded in your web frontend code.
Hope this helps!
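To make the distinction in the answer concrete, here is an added Python example (not code from the question, the answer, or AWS): a browser client with no secret sends only its public ClientId, while a confidential server-side client must also send SECRET_HASH, which Cognito defines as base64(HMAC-SHA256(key = client secret, message = username + client ID)). All identifiers and the bundle text are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example values; none of these are real Cognito identifiers.
PUBLIC_CLIENT_ID = "example-browser-client-id"        # created with "Generate client secret" unchecked
CONFIDENTIAL_CLIENT_ID = "example-backend-client-id"  # created with a secret, used only server-side
CONFIDENTIAL_CLIENT_SECRET = "example-client-secret"  # must never appear in frontend code


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH: base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("utf-8")


def initiate_auth_params(username: str, password: str, client_id: str,
                         client_secret: Optional[str] = None) -> dict:
    """Build the parameter dict for a cognito-idp InitiateAuth call (USER_PASSWORD_AUTH).

    Without a secret (browser app) only the public ClientId travels with the request.
    With a secret (backend app) SECRET_HASH is required, which is exactly why such a
    client cannot be embedded in a static web page without exposing the secret.
    """
    auth_params = {"USERNAME": username, "PASSWORD": password}
    if client_secret is not None:
        auth_params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": auth_params,
    }


def frontend_bundle_is_safe(bundle_text: str, client_secret: str) -> bool:
    """Build-time check: the shipped frontend may contain the public ClientId but never the secret."""
    return client_secret not in bundle_text


if __name__ == "__main__":
    print(initiate_auth_params("alice", "pw", PUBLIC_CLIENT_ID))
    print(initiate_auth_params("alice", "pw", CONFIDENTIAL_CLIENT_ID, CONFIDENTIAL_CLIENT_SECRET))
    # Constructed frontend bundle: contains the public id only, so the check passes.
    bundle = 'const cfg = {clientId: "' + PUBLIC_CLIENT_ID + '"};'
    print("bundle safe:", frontend_bundle_is_safe(bundle, CONFIDENTIAL_CLIENT_SECRET))
```

The dicts produced here are what you would pass as keyword arguments to boto3's `cognito-idp` `initiate_auth`; the public-client variant is the one a browser app ends up sending.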