- Newest
- Most votes
- Most comments
The hosted UI provided by Cognito is designed to handle authentication flows securely according to OAuth2 standards. While it may seem like overkill for a game app, using the hosted UI ensures your authentication meets best practices. Some key benefits are using authorized scopes, supporting SSO across clients, and advanced security features.
When calling API Gateway endpoints, it's generally recommended to use the access token instead of the ID token, as the access token does not contain PII. The ID token is accepted by default for backwards compatibility, but you can configure API Gateway to only accept the access token for increased security.
To add custom scopes to your access tokens without the hosted UI, you would need to implement the OAuth2 flows yourself to ensure they are done securely. The hosted UI handles this for you according to standards.
Cognito supports unauthenticated users by allowing temporary credentials without forcing a login. You could leverage this to avoid additional login screens in your app while still protecting API access.
-
Why You Need a Hosted UI for Custom OAuth2 Scopes:
- AWS uses a Hosted UI to make it easier and more secure for developers to use OAuth2 features, like custom scopes. Even if you have your own login UI in your game, AWS requires using these OAuth2 features through their Hosted UI to ensure security standards are met. You can still use your game's UI, but behind the scenes, you'll need to interact with AWS's system for the secure parts.
-
Why API Gateway Accepts ID Tokens by Default:
- API Gateway allows using ID Tokens for simplicity and flexibility. While it's easier to start with, using ID Tokens isn't the best for security because they contain personal information. The better practice is to use Access Tokens, which are meant for accessing APIs without including personal details.
Simplified Recommendations:
-
For Your Game: You can keep your custom login UI. To use advanced security features, you'll interact with AWS's system in the background. This way, you keep your game's look and feel while still being secure.
-
Use Access Tokens for APIs: When your game talks to your servers (APIs), use Access Tokens. They're safer because they don't carry personal info and limit what each token can do.
-
Keep Your Game Secure: Make sure only authorized users can access your game's servers. Use all the security tools AWS offers, like API keys and strict checks, to keep things tight.
Thanks! However this doesn't exactly answer my questions and looks like you pasted my question into chatGPT.
Greetings, To secure your API Gateway with a Cognito user pool without using the Hosted UI for a mobile game, you can:
a)Implement Authentication in Your App: Use AWS Amplify or the AWS SDK for Cognito to handle user authentication within your game's custom UI. This allows you to manage user sessions and obtain tokens directly.
b)Use Tokens for API Requests: Once authenticated, use the accessToken (recommended for API access) or idToken (contains user identity information, use judiciously) to make authenticated requests to your API Gateway endpoints.
c) Directly Interact with Cognito's OAuth2 Endpoints: If you need custom scopes, directly call Cognito’s OAuth2 endpoints (/oauth2/token and /oauth2/authorize) from your app, managing the user credentials and tokens within your game without needing the hosted UI.
Relevant content
- asked 6 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
Thank you!
When you say "implement the OAuth2 flows yourself", do I do that with "ALLOW_CUSTOM_AUTH" on the user group?