Cognito has a pre-token generation Lambda trigger where customers can suppress (remove) attributes or modify certain attributes as needed in the ID token. If customers are concerned about sharing certain attributes in the token, they can suppress them.
A more advanced pattern is to use a proxy to the Cognito endpoint and completely hide the tokens or return them in encrypted cookies. This pattern doesn't work with the Cognito UI; it requires a custom UI and integration with Cognito using the APIs instead of the hosted UI. But remember that the proxy code runs inside a Lambda function, so you will need to write the code to encrypt or change the token anyway; there is no AWS service that will do this automatically. If you are looking for APIs or an SDK to encrypt tokens, you can use the AWS Encryption SDK.
But in general, security best practices recommend avoiding adding sensitive information to tokens. If you are concerned about a data leak, then suppressing attributes in the token is not enough, since anyone with a valid access token can call Cognito and get the user attributes again and again. But if the intention is to isolate the client from the data, then probably suppressing and hiding the token completely from the client is the mitigation.
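The attribute-suppression pattern described in the answer above, as an added example (this is not code from the answer, from AWS, or from any Cognito project): a pre-token generation Lambda handler in the V1 event shape that lists sensitive user attributes in `claimsOverrideDetails.claimsToSuppress` so they never reach the ID token. Which attributes count as sensitive, the `attributes_suppressed` marker claim, the `PROTECTED_CLAIMS` guard list and the sample event values are all assumptions made for this example.

```python
# Added example (not from the re:Post answer or AWS): Cognito pre-token
# generation trigger (V1 event) that strips sensitive attributes from the
# ID token using claimsOverrideDetails.claimsToSuppress.
import copy
import json

# Which attributes to keep out of the ID token is an assumption for this
# example; adjust it to the user pool's own attribute schema.
SENSITIVE_ATTRIBUTES = frozenset({
    "phone_number",
    "address",
    "birthdate",
    "custom:national_id",   # custom attributes are prefixed "custom:"
})

# Defensive guard (assumption, not AWS's full reserved-claim list): never ask
# Cognito to suppress claims the token is unusable without.
PROTECTED_CLAIMS = frozenset({"sub", "aud", "iss", "exp", "iat", "token_use"})


def claims_to_suppress(user_attributes):
    """Return the sorted subset of the user's attributes that must not reach the ID token."""
    return sorted(
        name for name in user_attributes
        if name in SENSITIVE_ATTRIBUTES and name not in PROTECTED_CLAIMS
    )


def lambda_handler(event, context):
    """Pre-token generation trigger entry point.

    Cognito reads only event["response"]; the suppression list is built from
    the attributes Cognito passes in event["request"]["userAttributes"].
    """
    user_attributes = event.get("request", {}).get("userAttributes", {})
    suppressed = claims_to_suppress(user_attributes)
    event["response"] = {
        "claimsOverrideDetails": {
            "claimsToSuppress": suppressed,
            # Assumed marker claim so relying parties can tell attributes were
            # removed; V1 override values must be strings.
            "claimsToAddOrOverride": {"attributes_suppressed": str(len(suppressed))},
        }
    }
    return event


# Constructed sample event mirroring the V1 pre-token generation shape;
# every value below is a placeholder.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "alice",
    "request": {
        "userAttributes": {
            "sub": "00000000-0000-0000-0000-000000000000",
            "email": "alice@example.com",
            "email_verified": "true",
            "phone_number": "+15555550100",
            "address": "1 Example Street",
            "custom:national_id": "EXAMPLE-ID-123",
        },
        "groupConfiguration": {
            "groupsToOverride": [],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}


if __name__ == "__main__":
    # Local dry run: show the override block Cognito would receive.
    result = lambda_handler(copy.deepcopy(SAMPLE_EVENT), None)
    print(json.dumps(result["response"], indent=2))
```

As the answer notes, this only trims the ID token: a holder of a valid access token can still read the same attributes through the user-attribute APIs, so the trigger reduces what the token carries rather than restricting who can learn the attributes.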