
We are setting up a SaaS server-to-server auth solution using AWS Cognito + API Gateway with the OAuth2 client credentials flow.

And one thing is totally bugging me: I can access the App client secret in plain text.

Since we would be sharing these credentials with actual clients, having secrets in plain text does not look like a good idea, just like storing passwords in plain text. At most I would expect to be able to access these credentials only during the client creation process.

Am I missing something?

Example with visible secrets

  • Why would you be sharing your secrets with a third party? The secret is for your application to access the cognito API. At most, you would have a different secret for each client. It’s your responsibility to secure the secret. What do you mean you can see it in plaintext? https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html – Appleoddity May 22 '20 at 06:19
  • Let's say our use case is that we provide a warehouse SaaS service, and 100+ clients are calling our RESTful APIs to get the latest products. My expectation (or hope) was that the entire OAuth flow could be managed by Cognito, so we don't have to deal with any security-related questions. > What do you mean you can see it in plaintext? https://i.stack.imgur.com/bYslA.png – Lukas LT May 22 '20 at 06:53
  • Does it mean we have to build our own auth layer on top of Cognito? – Lukas LT May 22 '20 at 06:55
  • I think you’re misunderstanding how cognito works. The app ID is for YOUR app to perform authentication and authorization related tasks. The customer authentication takes a different workflow. https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html. Yes, basically your web or mobile app builds in authentication using the cognito API. Customers don’t get secret keys. – Appleoddity May 22 '20 at 12:28
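The exchange above turns on where the app client secret actually goes in the client credentials flow. Below is an added example (not code from the question, the commenters, or AWS) that models the two halves of that flow offline: the token request a calling server builds against a Cognito user pool's `/oauth2/token` endpoint (RFC 6749 section 4.4, with the client id and secret sent as HTTP Basic credentials per section 2.3.1), and the claim checks an API should apply to the resulting access token in addition to the signature check that API Gateway's Cognito authorizer performs. The token URL, client id, secret, scope name and the sample JWT are all constructed for illustration; the JWT carries a dummy signature, so `unverified_claims` deliberately does no JWKS verification.

```python
"""Cognito client-credentials flow, modelled offline (added example).

Every identifier below is an assumption for illustration: the Cognito
domain, the app client id and secret, and the resource-server scope.
"""
import base64
import json
import time
from urllib.parse import quote, urlencode

# Hypothetical values. A real deployment takes these from the user pool's
# Cognito domain and from one app client created per customer.
TOKEN_URL = "https://example-tenant.auth.eu-west-1.amazoncognito.com/oauth2/token"
CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"
CLIENT_SECRET = "not-a-real-secret"  # constructed; never commit a real one
SCOPE = "warehouse/products.read"    # hypothetical resource-server scope


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-urlencode both values, join with ':', base64 it."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_token_request(token_url, client_id, client_secret, scopes):
    """Return (url, headers, body) for an RFC 6749 s4.4 client_credentials grant.

    The secret travels in the Authorization header on every token request,
    so it must stay on the calling server: anyone holding it can mint
    access tokens for that app client until the secret is rotated.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return token_url, headers, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Decode the payload only; the RS256 signature is NOT checked here.

    In the real deployment the API Gateway Cognito authorizer verifies the
    signature against the pool's JWKS before these claim checks run.
    """
    header, payload, _signature = jwt.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("Cognito access tokens are RS256")
    return json.loads(_b64url_decode(payload))


def authorize(claims, allowed_client_ids, required_scope, now=None):
    """Claim checks for a client_credentials access token after the signature:
    it is an access token, from a known app client, unexpired, with the scope."""
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return False
    if claims.get("client_id") not in allowed_client_ids:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()


def make_sample_token(payload: dict) -> str:
    """Constructed stand-in for a Cognito access token with a dummy signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example-kid'})}.{enc(payload)}.c2ln"


# Constructed sample: the claims Cognito issues for a client_credentials grant
# (sub equals the client id, token_use is "access", scope lists granted scopes).
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "sub": CLIENT_ID,
    "token_use": "access",
    "scope": SCOPE,
    "client_id": CLIENT_ID,
    "iss": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
    "iat": 1590000000,
    "exp": 2000000000,
})


if __name__ == "__main__":
    url, headers, body = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, [SCOPE])
    print("POST", url, headers, body, sep="\n")
    claims = unverified_claims(SAMPLE_ACCESS_TOKEN)
    print("authorized:", authorize(claims, {CLIENT_ID}, SCOPE, now=1590000100))
```

The point the example makes concrete: the secret is a credential of the calling application, presented on every token request, so the customer integrating with the warehouse API is the party that must hold and protect it, and each customer gets its own app client so that one leaked secret can be rotated without affecting the rest. Cognito's per-client scopes then show up in the `scope` claim, which is what `authorize` (and the API Gateway authorizer's scope setting) keys on.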
