What is Cognito's App Client Secret purpose?

0

In the documentation there's an App Client Secret, but I can't find anywhere its purpose.

I see the JavaScript SDK doesn't use it, I also don't know why, probably because many JavaScript applications run in the user's browser, not a place to expose a secret, but that's my wild guess.

If this is something like a password for the App Client ID, I can't see how this improves security, since whoever can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security against brute-force attacks.

I would like to know what the purpose of this secret is, how Cognito uses it and what functionalities it provides.

asked 6 years ago, 3894 views
3 Answers
1

The client secret is part of the oauth standard. You are correct in your assumptions.

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

Quoting:

"If the developer is creating a “public” app (a mobile or single-page app), then you should not issue a client_secret to the app at all. This is the only way to ensure the developer won’t accidentally include it in their application. If it doesn’t exist, it can’t be leaked!"

Also:

"The client_secret is a secret known only to the application and the authorization server. It must be sufficiently random to not be guessable, which means you should avoid using common UUID libraries which often take into account the timestamp or MAC address of the server generating it. A great way to generate a secure secret is to use a cryptographically-secure library to generate a 256-bit value and converting it to a hexadecimal representation."

answered 6 years ago
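The following is an added example, not code from this thread or from AWS. It shows the two sides of the quoted guidance in runnable form: how a secret should be generated (a 256-bit CSPRNG value, hex encoded, rather than a UUID), and where a confidential client actually presents it, both as RFC 6749 HTTP Basic credentials at the token endpoint and as Cognito's SECRET_HASH, which AWS documents as Base64(HMAC-SHA256(key=client_secret, message=username + client_id)) for its native authentication API calls. The client id, username and secret values are constructed samples; `verify_secret_hash` is a hypothetical server-side check written here to illustrate what the secret buys you, namely that a caller holding only the public client id cannot produce a valid hash.

```python
import base64
import hashlib
import hmac
import secrets
import uuid

# --- Generating a secret the way the quoted guidance recommends ---------------

def generate_client_secret() -> str:
    """Return a 256-bit value from the OS CSPRNG as 64 hex characters."""
    return secrets.token_hex(32)


def uuid1_secrets_share_node() -> bool:
    """Why a UUID is a poor secret: uuid1 embeds the host node id (MAC) and a
    timestamp, so successive values share their last 12 hex digits."""
    first, second = uuid.uuid1(), uuid.uuid1()
    return first.node == second.node


# --- How a confidential client presents the secret (RFC 6749 section 2.3.1) ---

def basic_client_credentials(client_id: str, client_secret: str) -> str:
    """Authorization header value for a token endpoint request."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# --- How Cognito binds the secret to its native auth API calls -----------------
# SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))
# (formula as documented by AWS; all input values below are constructed samples)

def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    msg = (username + client_id).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_secret_hash(username: str, client_id: str,
                       client_secret: str, presented: str) -> bool:
    """Hypothetical server-side check: recompute and compare in constant time."""
    expected = cognito_secret_hash(username, client_id, client_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    CLIENT_ID = "1example23456789"   # constructed sample client id
    USER = "alice@example.com"       # constructed sample username
    secret = generate_client_secret()

    print("Authorization:", basic_client_credentials(CLIENT_ID, secret))
    good = cognito_secret_hash(USER, CLIENT_ID, secret)
    print("hash from a holder of the secret accepted:",
          verify_secret_hash(USER, CLIENT_ID, secret, good))
    # A caller that knows only the public client id has to guess the key
    without_secret = cognito_secret_hash(USER, CLIENT_ID, "not-the-real-secret")
    print("hash without the secret accepted:",
          verify_secret_hash(USER, CLIENT_ID, secret, without_secret))
```

The last two lines are the practical answer to the question's objection: the secret only adds anything when it stays on a server the client id does not travel with. Ship it inside a browser bundle or mobile app and the HMAC proves nothing, which is exactly why the quoted guidance says not to issue one to public clients at all.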
0
Accepted Answer

Yes, I mean this is part of the standard and it totally depends on the ability to secure the client secret.

answered 6 years ago
0

Well, it makes sense then.... But I still don't understand the point of enforcing this, unless you just want to comply with the OAuth2 standard, because as far as I can see, there's no downside in leaving a client secret in an open app. The app won't be less secure if the client secret leaks, it will be just the same.

answered 6 years ago
