AWS Cognito support for Managed Login using PKCE flow


I have been trying to use the PKCE flow with cognito managed login and it does not seem to work. The code_challenge is provided in the oauth2/authorize (&code_challenge=Eh0mg-OZv7BAyo-tdv_vYamx1boOYDulDklyXoMDtLg&code_challenge_method=S256) then after successful login and redirect to retrieve the tokens, we are able to retrieve the tokens using a post to /oauth2/token without providing a code_verifier.

If we switch to hosted ui (classic) then the flow works as expected and a code_verifier is required and will not provide tokens.

Does Managed Login support the PKCE flow?

asked a month ago, 49 views
1 Answer

Yes, Amazon Cognito's Managed Login does support the PKCE (Proof Key for Code Exchange) flow, which is recommended for single-page applications (SPAs) and mobile apps. However, your experience suggests there might be an issue with the implementation or configuration.

In a proper PKCE flow with Managed Login, you should include the code_challenge in the authorization request to the /oauth2/authorize endpoint, as you've done. After successful authentication and receiving the authorization code, you should then include the original code_verifier in your token request to the /oauth2/token endpoint.

The fact that you're able to retrieve tokens without providing the code_verifier in the token request is unexpected behavior for a PKCE flow. This could indicate a potential security risk, as the purpose of PKCE is to prevent the interception and unauthorized use of authorization codes.

Given that the flow works as expected with the classic hosted UI, there are a few possibilities to consider:

  1. There might be a configuration issue specific to your Managed Login setup.
  2. There could be a bug in the Managed Login implementation of PKCE.
  3. Your app client settings might not be correctly configured to enforce PKCE.

To troubleshoot this issue:

  1. Double-check your app client settings in the Amazon Cognito console to ensure PKCE is properly enabled.
  2. Verify that you're including all necessary parameters in both the authorize and token requests.
  3. Try generating a new code verifier and challenge to ensure they're correctly formed.
  4. If the issue persists, it would be advisable to contact AWS support, as this behavior is not in line with the expected PKCE flow implementation.

Remember, PKCE is an important security measure for public clients like SPAs and mobile apps, so it's crucial to ensure it's working correctly in your implementation.
Sources
Using PKCE in authorization code grants - Amazon Cognito
The redirect and authorization endpoint - Amazon Cognito
Choose an Amazon Cognito authentication flow for enterprise applications - AWS Prescriptive Guidance

answered a month ago
  • I don't see any settings in the app client to enable PKCE.
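
The following is an added example, not code from the question, the answer, or Amazon Cognito itself. It shows both halves of the PKCE exchange discussed above: the client side (generating the code_verifier/code_challenge pair, building the /oauth2/authorize URL with code_challenge_method=S256, and building the /oauth2/token form body that always carries code_verifier), and the server-side check that a conformant token endpoint must perform, which is exactly the check the question reports being skipped when code_verifier is omitted. The Cognito domain, client_id, redirect_uri, and authorization code used in the demo are placeholders; the RFC 7636 Appendix B test vector is used to show the hash construction is the standard one.

```python
"""PKCE (RFC 7636) helpers for the Cognito authorization code grant.

Added example; not part of the original post and not Cognito's own code.
Domain, client_id, redirect_uri and the authorization code are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 section 4 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes: int = 32):
    """Return (code_verifier, code_challenge) for method S256.

    32 random bytes give a 43-character verifier, the RFC minimum length.
    The verifier stays on the client; only the challenge goes in the URL.
    """
    verifier = _b64url(secrets.token_bytes(nbytes))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(domain, client_id, redirect_uri, challenge, state, scope="openid"):
    """Authorization request to the Cognito /oauth2/authorize endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/oauth2/authorize?{urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, verifier):
    """Form body for POST /oauth2/token (application/x-www-form-urlencoded).

    The verifier is mandatory here. A client that omits it is relying on the
    server skipping the PKCE check, which is the behaviour the question observed.
    """
    if not verifier:
        raise ValueError("code_verifier is required to complete a PKCE exchange")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def verify_pkce(challenge, method, verifier):
    """The check a token endpoint must run when the authorize request carried a challenge.

    Returns True only if the presented verifier transforms to the stored
    challenge. A missing or malformed verifier must fail; the endpoint must
    never fall back to treating the exchange as non-PKCE.
    """
    if not verifier or not (43 <= len(verifier) <= 128):
        return False
    if method == "S256":
        expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    # Placeholder values; substitute your own user pool domain and app client.
    domain = "example.auth.us-east-1.amazoncognito.com"
    client_id = "exampleclientid"
    redirect_uri = "https://app.example.com/callback"

    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(domain, client_id, redirect_uri, challenge, state="xyz"))
    print(build_token_request(client_id, redirect_uri, "placeholder-code", verifier))

    # What a correct token endpoint does with the stored challenge:
    print("with verifier:", verify_pkce(challenge, "S256", verifier))   # True
    print("without verifier:", verify_pkce(challenge, "S256", None))    # False
```

To reproduce the question's observation against a real endpoint, send the token request twice with the same authorization code flow: once with the body from build_token_request and once with code_verifier deleted from that dict. A PKCE-enforcing server returns invalid_grant on the second request; receiving tokens means the challenge bound to the code was never checked.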
