52

At the documentations there's an App Client Secret, but I can't find anywhere its purpose.

I see the javascript SDK doesn't use it, I also don't know why, probably because many javascript applications run on the users browser, not a place to expose a secret, but that's my wild guess.

If this is something like a password for the App Client ID, I can't see how this improves security, since however can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security to brute-force attacks.

I would like to know what's the purpose of this secret, how cognito uses it and what functionalities does it provides.

Michel Feinstein
  • 13,416
  • 16
  • 91
  • 173
  • This is basically a password your app uses to authenticate with their API. – Havenard Dec 21 '17 at 00:06
  • 1
    I thought so.... But isn't is a bit redundant? The user pool id is fairly random, if someone can extract the user pool id from your app, they also will be able to extract the app secret, so, what's the advantage? Just to make it look more secure? – Michel Feinstein Dec 21 '17 at 00:09
  • 1
    Not sure, i'm not familiar with aws-cognito, but perhaps the ID is exposed to the user at some point while the secret isn't. – Havenard Dec 21 '17 at 00:10
  • (to clarify, I meant the Client App ID, not the User Pool ID) – Michel Feinstein Dec 21 '17 at 00:27

2 Answers2

38

Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.

Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.

But in terms of security, it does not really make a difference.

agent420
  • 3,291
  • 20
  • 27
  • Good to know it wasn't just something that didn't make sense to me. But still, I can't see why to prohibit to use the app secret in public apps. It surely won't provide any added security, but also, if the secret is leaked, it won't be any security hole also, with no side effects, as far as I can see at least. – Michel Feinstein Dec 22 '17 at 18:59
26

App Client ID and App Client Secret are necessary when you're using machine to machine communication, in this kind of communication you don't have a user and password. There's a grant type for that: Client Credentials. To understand this a little bit better you can check https://auth0.com/docs/api-auth/which-oauth-flow-to-use

Xavier Ramírez
  • 307
  • 3
  • 3