Menu
At the documentations there's an App Client Secret, but I can't find anywhere its purpose.
I see the javascript SDK doesn't use it, I also don't know why, probably because many javascript applications run on the users browser, not a place to expose a secret, but that's my wild guess.
If this is something like a password for the App Client ID, I can't see how this improves security, since however can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security to brute-force attacks.
I would like to know what's the purpose of this secret, how cognito uses it and what functionalities does it provides.
899
Choose Generate client secret to have Amazon Cognito generate a client secret for you. Client secrets are typically associated with confidential clients. Choose whether you will Enable token revocation for this app client. This will increase the size of tokens that Amazon Cognito issues.
The User Pool Client ID is available from the Amazon Cognito User Pools console in the App Clients section. You should create an App Client if it doesn't already exist. Make sure to uncheck the "Generate client secret" box.
They are not secret. In fact, the ID token contains the iss claim (property), which is the User Pool ID, and the aud claim, which is the App Client ID.
An application client is a stand-alone application that runs on the client machine and is configured to work as a J2EE component. The application client is used to perform tasks, such as system or application administration.
Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.
Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it. Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be).
Go to the Amazon Cognito console. If prompted, enter your AWS credentials. Choose User Pools. Choose an existing user pool from the list, or create a user pool. Choose the App integration tab. Locate App clients and select Create an app client. Choose Add app client. Choose Add an app client. Enter an App client name.
A client secret is a fixed string that your app must use in all API requests to the app client. Your app client must have a client secret to perform client_credentials grants. You can't change secrets after you create an app. You can create a new app with a new secret if you want to rotate the secret.
Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.
Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.
But in terms of security, it does not really make a difference.
131
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
