Cognito - Is it possible to get User Details with custom attributes masked in access token?

0

I would like to create a login mechanism for my webpage using Cognito. I was trying to log in using Cognito-ui. I have observed that user details are now returned in User Attributes unmasked. But is there a way to get the user details along with custom attributes from the user pool, encrypted in the access token on successful login? Happy to share more information if required. Thanks in advance.

Gopika
Asked 9 months ago, 230 views
1 answer
0

Cognito has a pre-token generation Lambda trigger where customers can suppress (remove) attributes or modify certain attributes as needed in the ID token. If customers are concerned about sharing certain attributes in the token, they can suppress them.

A more advanced pattern is to use a proxy to the Cognito endpoint and completely hide the tokens or return them in encrypted cookies. This pattern doesn't work with Cognito-ui; it requires a custom UI and integration with Cognito using the APIs instead of the hosted UI. But remember that the proxy code runs inside a Lambda function, so you will need to write the code to encrypt or change the token in any way; there is no AWS service that will do this automatically. If you are looking for APIs or an SDK to encrypt tokens, you can use the AWS Encryption SDK.

But in general, security best practices recommend avoiding putting sensitive information in the tokens. If you are concerned about data leaks, then suppressing attributes in the token is not enough, since anyone with a valid access token can call Cognito and get the user attributes again and again; but if the intention is to isolate the client from the data, then probably suppressing and hiding the token completely from the client is the mitigation.

AWS
Answered 7 months ago
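As an added example (not code from the answer above or from AWS), here is a pre token generation Lambda handler in the V1 event shape that suppresses every `custom:` attribute and the phone number from the ID token; the pool id, `sub` and attribute values in the sample event are constructed placeholders. As the answer notes, this only changes the ID token, and the attributes stay readable from the user pool by anyone holding a valid access token.

```python
import fnmatch

# Claims to keep out of the ID token. Custom attributes carry the "custom:"
# prefix exactly as Cognito names them in request.userAttributes.
SUPPRESSED_CLAIMS = ("custom:*", "phone_number", "address")


def matching_claims(user_attributes, patterns=SUPPRESSED_CLAIMS):
    """Return the attribute names present on this user that match any pattern."""
    return sorted(
        name for name in user_attributes
        if any(fnmatch.fnmatchcase(name, p) for p in patterns)
    )


def lambda_handler(event, context=None):
    """Cognito pre token generation handler (V1 event shape): V1 overrides
    apply to the ID token only, the access token is left unchanged."""
    user_attributes = event.get("request", {}).get("userAttributes", {})
    # Cognito reads response.claimsOverrideDetails from the returned event.
    event["response"] = {
        "claimsOverrideDetails": {
            "claimsToSuppress": matching_claims(user_attributes),
        }
    }
    return event


# Constructed sample event in the V1 pre token generation shape; the pool id,
# sub and attribute values are placeholders, not real data.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_HostedAuth",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "example-user",
    "request": {
        "userAttributes": {
            "sub": "00000000-0000-0000-0000-000000000000",
            "email": "user@example.com",
            "phone_number": "+10000000000",
            "custom:employee_id": "E-12345",
            "custom:department": "finance",
        },
        "groupConfiguration": {"groupsToOverride": [], "iamRolesToOverride": []},
    },
    "response": {},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT)["response"])
```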
