Securing AWS Cognito User Pool and Client ID on a static web page

Question

From AWS documentation (Specifying User Pool App Settings):

It is the developer's responsibility to secure any app client IDs or secrets so that only authorized client apps can call these unauthenticated APIs.

So is there any schema to do the authentication under secure conditions (not exposing the client ID on a static web page).

AWS samples put the client ID in clear so it is not meeting the doc recommendation. Also, any attacker can perform brute force attacks against Cognito unauthorized API with the static web client ID. Is there any way to avoid this?

Answer 1

Their recommendation applies when you use both the App Client ID and the Secret (typically in mobile development).

When you create an app, you can optionally choose to create a secret for that app. If a secret is created for the app, the secret must be provided to use the app. Browser-based applications written in JavaScript may not need an app with a secret.

When you are using Cognito on the web, you don't need to generate the Secret (uncheck the box when creating the application in your User Pool). This indeed leaves the App Client Id in clear text on the client, but there's no extra risk to this scenario than it is to having the login page exposed to the open internet: an attacker could attempt to brute force your login, regardless.

What I'm sure Amazon does in this case (which is what people should do in the case of a custom login implementation anyways) is to defend against throttled requests, blacklisting IPs etc., which essentially slows down attackers to the point where it's infeasible or not worth it to perform brute force attacks.

In short, you need not worry about leaving the App Client Id embedded in your web frontend code.

Hope this helps!