Personal Access Token using Cognito


I have an existing Cognito infrastructure where I have an app client for my website allowing login using the hosted UI, post-login I am using the provided access tokens to authenticate with my API Gateway using the Cognito User Pool authorizer.

I'd like to add a functionality of personal access tokens (similar to access id / secret for AWS, GitHub access tokens etc.) to allow users of my website to generate such tokens to be used in a CLI client I have, I'd like them to use the same API Gateway using the existing Cognito User Pool Authorizer. I have thought of several solutions I'd like to get some opinion on, or perhaps get a better one. They don't have to be OAuth tokens, they just need to identify the user in some form, I also would like to avoid dealing with expiration as much as possible as replacing those tokens on the CLI clients is a bit cumbersome.

  1. Not use Cognito, generate the personal access tokens myself and handle the authentication myself, the major downside of this is, I can't use the existing Cognito User Pool authorizer and would have to replace that with a custom authorizer that would authenticate both Cognito tokens and my newly minted tokens.

  2. Generate an app client per such user, generate an access + refresh token for them and provide them with both of them to be used in the CLI client, handling refreshing it myself, downside of this is the limit of Cognito on app clients as I already have a large number of users which might reach the 10K limit soon, I'd like to avoid splitting this to multiple user pools since the Cognito User Pool authorizer uses only 1 userpool.

  3. Generate an app client per user, provide them with the client_id / client_secret and use the CLI to authenticate and generate tokens whenever I need to, downside is the aforementioned limit.

  4. Generate one app client to be for all CLI clients and generate Cognito users per user (even multiple for each user if a user wishes to generate multiple tokens for several CLI clients on several machines), when a user wishes to get a token for their CLI client, I'll generate the access token + refresh token on their behalf and provide them with the token, not sure what the downside of this is, as I'm not aware of any limit on the number of users per UserPool.

  5. Use custom authentication flow for Cognito, provide my users with some custom short token to authenticate with and handle the exchange of that token with a valid Cognito token using the Lambda Triggers, downside of this is the infrastructure involved, upside is a much shorter token to be used by users and I can avoid dealing with token expiration.

I also would have to deal with revocation obviously but I think all of these cases offer some form of that. I care very little about the security of those tokens (hence some of my proposed solutions) as they offer CLI users only a means to invoke some read-only validation method on my API which does not expose any personal information, if some token is stolen, all a user can do is call that API on their behalf which exposes the original user to no risk.
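Added example (not from the question author): a sketch of option 5, the custom authentication flow, as the three Lambda trigger handlers Cognito invokes for `CUSTOM_AUTH` (DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse), plus a minimal personal-access-token store behind them. The event field names (`request.session`, `response.challengeName`, `privateChallengeParameters`, `challengeAnswer`, `answerCorrect`) are the documented Cognito trigger event shapes; everything else (`TOKEN_STORE`, `issue_personal_token`, `lookup_token_owner`, the `<token_id>.<secret>` format, `simulate_cli_login`) is an assumption made for this example and stands in for a real DynamoDB table. The point it adds to the discussion: only a digest of the token is stored, comparison is constant-time, and revocation is a flag on the stored record rather than anything that touches Cognito, so expiry never has to be managed on the CLI side.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Hypothetical in-memory store standing in for DynamoDB: token_id -> record.
# Only the SHA-256 digest of the secret half is kept, never the token itself.
TOKEN_STORE: Dict[str, dict] = {}


def issue_personal_token(username: str, label: str) -> str:
    """Mint a PAT of the form <token_id>.<secret>; the secret is shown once."""
    token_id = secrets.token_urlsafe(8)
    secret = secrets.token_urlsafe(32)
    TOKEN_STORE[token_id] = {
        "username": username,
        "label": label,
        "digest": hashlib.sha256(secret.encode()).hexdigest(),
        "revoked": False,
    }
    return f"{token_id}.{secret}"


def revoke_personal_token(token_id: str) -> None:
    """Revocation is a flag on the record; no Cognito call is needed."""
    if token_id in TOKEN_STORE:
        TOKEN_STORE[token_id]["revoked"] = True


def lookup_token_owner(pat: str) -> Optional[str]:
    """Return the owning username if the PAT is well-formed, known, unrevoked and matches."""
    if "." not in pat:
        return None
    token_id, secret = pat.split(".", 1)
    rec = TOKEN_STORE.get(token_id)
    if rec is None or rec["revoked"]:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
        return None
    return rec["username"]


# --- Cognito CUSTOM_AUTH trigger handlers ---

def define_auth_challenge(event: dict, context=None) -> dict:
    """Issue tokens after one correct CUSTOM_CHALLENGE; fail after one wrong answer."""
    session: List[dict] = event["request"]["session"]
    resp = event["response"]
    last = session[-1] if session else None
    if last and last["challengeName"] == "CUSTOM_CHALLENGE" and last["challengeResult"]:
        resp["issueTokens"], resp["failAuthentication"] = True, False
    elif session:  # any answered challenge that was not correct ends the flow
        resp["issueTokens"], resp["failAuthentication"] = False, True
    else:
        resp["issueTokens"], resp["failAuthentication"] = False, False
        resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event: dict, context=None) -> dict:
    """Tell the CLI to present its PAT; privately remember which user is logging in."""
    resp = event["response"]
    resp["publicChallengeParameters"] = {"prompt": "personal_access_token"}
    resp["privateChallengeParameters"] = {"expected_user": event["userName"]}
    resp["challengeMetadata"] = "PAT_CHALLENGE"
    return event


def verify_auth_challenge_response(event: dict, context=None) -> dict:
    """The answer is the PAT; it must be valid AND belong to the user named in InitiateAuth."""
    answer = event["request"].get("challengeAnswer", "")
    expected_user = event["request"]["privateChallengeParameters"]["expected_user"]
    owner = lookup_token_owner(answer)
    event["response"]["answerCorrect"] = owner is not None and hmac.compare_digest(owner, expected_user)
    return event


def simulate_cli_login(username: str, pat: str) -> bool:
    """Drive the triggers in the order Cognito would for one CUSTOM_AUTH attempt (test harness)."""
    session: List[dict] = []
    ev = {"userName": username, "request": {"session": session}, "response": {}}
    define_auth_challenge(ev)
    if ev["response"].get("challengeName") != "CUSTOM_CHALLENGE":
        return False
    ev = {"userName": username, "request": {"session": session}, "response": {}}
    create_auth_challenge(ev)
    private = ev["response"]["privateChallengeParameters"]
    ev = {"userName": username,
          "request": {"privateChallengeParameters": private, "challengeAnswer": pat},
          "response": {}}
    verify_auth_challenge_response(ev)
    session.append({"challengeName": "CUSTOM_CHALLENGE",
                    "challengeResult": ev["response"]["answerCorrect"],
                    "challengeMetadata": "PAT_CHALLENGE"})
    ev = {"userName": username, "request": {"session": session}, "response": {}}
    define_auth_challenge(ev)
    return bool(ev["response"]["issueTokens"])
```

In a real deployment the CLI would call `InitiateAuth` with `AuthFlow=CUSTOM_AUTH` and the username, then `RespondToAuthChallenge` with the PAT as `ANSWER`; the tokens Cognito issues afterwards are ordinary user-pool tokens, so the existing User Pool authorizer on API Gateway accepts them unchanged.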

No Answers
