We are creating an API for third party customers to download data. We need to secure the API so that unauthenticated people cannot access it. We want to use AWS Cognito for this authentication.
Because customers are going to call the API programmatically (e.g., through their own server-side applications), we want to use the client credentials OAuth 2.0 flow. We could then use Cognito's app clients to handle authentication. We would programmatically create an app client for each customer. When a customer wants to get an access token for the API, they would send their client ID and client secret to Cognito's token endpoint (/oauth2/token). Cognito would then send them an access token.
To create the resources in Cognito for this flow, we would do something like this:
# Create the user pool...
aws cognito-idp create-user-pool \
--pool-name test-api
# Create the scopes for the resource server...
aws cognito-idp create-resource-server \
--name pizza \
--identifier pizza \
--user-pool-id pool-id-here \
--scopes ScopeName=get,ScopeDescription=get_pizza ScopeName=post,ScopeDescription=post_pizza
# Create clients...
aws cognito-idp create-user-pool-client \
--user-pool-id pool-id-here \
--allowed-o-auth-flows client_credentials \
--client-name pizza_client \
--generate-secret \
--allowed-o-auth-scopes pizza/post \
--allowed-o-auth-flows-user-pool-client \
--prevent-user-existence-errors ENABLED
aws cognito-idp create-user-pool-client \
--user-pool-id pool-id-here \
--allowed-o-auth-flows client_credentials \
--client-name deep_dish_client \
--generate-secret \
--allowed-o-auth-scopes pizza/post \
--allowed-o-auth-flows-user-pool-client \
--prevent-user-existence-errors ENABLED
# Create the token endpoint...
aws cognito-idp create-user-pool-domain \
--domain domain-name-here \
--user-pool-id pool-id-here
(This sample is using the AWS CLI. In reality, we would use the SDK.)
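The two halves of the flow described above, as an added example that is not part of the original question or of any AWS library: the request a customer sends to the pool domain's /oauth2/token endpoint (app client ID and secret as HTTP Basic credentials, grant_type=client_credentials and the resource-server scope in the form body), and the claim checks the API itself should apply to the returned access token so that a client that was only granted pizza/post cannot use pizza/get. The domain, client ID, secret and pool ID below are placeholders; the real values come from the resources created by the CLI commands above. The signature check against the pool's JWKS is assumed to be done by a JWT library before the claims are trusted and is not shown here.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder values for illustration only; real ones come from the user pool.
EXAMPLE_DOMAIN = "domain-name-here.auth.us-east-1.amazoncognito.com"
EXAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"


def build_token_request(domain, client_id, client_secret, scope):
    """Build the client-credentials request for Cognito's /oauth2/token endpoint.

    Cognito takes the app client ID and secret as HTTP Basic credentials and the
    grant type plus requested resource-server scope(s) in the form body.
    Returns (url, headers, body_bytes) so the request can be inspected without
    sending it.
    """
    url = f"https://{domain}/oauth2/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return url, headers, body


def request_token(domain, client_id, client_secret, scope):
    """Send the request and return the parsed JSON response (makes a network call)."""
    url, headers, body = build_token_request(domain, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token):
    """Return the JWT payload claims WITHOUT checking the signature.

    Only trust the result after the signature has been verified against the
    user pool's JWKS (<issuer>/.well-known/jwks.json); this helper exists so the
    claim checks below can be demonstrated on a constructed token.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_access_token_claims(claims, issuer, known_client_ids, required_scope, now=None):
    """Authorization checks the API applies to a signature-verified access token.

    Returns a list of problems; an empty list means the token is acceptable.
    A Cognito client-credentials access token carries iss, client_id (equal to
    sub), token_use == "access", a space-separated scope claim, iat and exp.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("token_use") != "access":
        problems.append("not an access token")
    if claims.get("client_id") not in known_client_ids:
        problems.append("unknown client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    scopes = claims.get("scope", "").split()
    if required_scope not in scopes:
        problems.append(f"missing scope {required_scope}")
    return problems
```

`build_token_request` is what a customer's server runs; the rest runs in the API. Checking `client_id` against the set of app clients the API owner created is what ties a token back to a specific customer, and the scope check is what makes the per-client `--allowed-o-auth-scopes` setting above actually restrict what that customer can call.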
However, it is not possible to disable an app client's read/write access to user attributes in Cognito (AWS Cognito User Pool - read-only client).
If we do not have any users in the user pool (only app clients), will this be a problem? Or will creating app clients for third parties let them have unrestricted access to resources in our Cognito user pool?