Amplify store Cognito clientId in frontend

0

Hi, I am building a static React website hosted with CloudFront and S3. I found that the Cognito clientId and userPoolId are stored in the frontend JavaScript, which can be viewed in the browser with view page source. I have a backend API using API Gateway that trusts the access token from Cognito. I am wondering: if an attacker takes the clientId and userPoolId to their own website, which looks very similar to my website, they will be able to render the Authenticator (login page), which users will be able to log in to. Then their malicious website will receive an access token from Cognito and they can call my backend API with that access token. API Gateway will accept the access token since it is a valid token from Cognito.

Is this a valid concern, and how can I protect my application from it? That is, from exposing the clientId and userPoolId in the frontend and allowing other websites to connect to my Cognito user pool.

1 Answer
0

Amazon Cognito's security model is not dependent on the secrecy of the client ID or the user pool ID. Given this, the AWS Amplify framework is not introducing a security issue by exposing those values. The secrets associated with specific users (e.g., passwords) must still be protected by your application code.

The broader concern you describe with respect to a malicious site masquerading as your own is valid, but would also apply to any public-facing website. Fortunately, AWS Cognito and the broader AWS ecosystem provide some features that could help you further secure your application against this:

  1. Multi-Factor Authentication - Limits the usefulness of any credentials by introducing dynamic login information
  2. User Pool Advanced Security - Can identify suspicious login activity and temporarily block it or require MFA sign-in
  3. Web Application Firewalls - Can set up rules for identifying potentially malicious login behavior and blocking it before reaching the AWS Cognito user pool

You might also find this blog post on controlling access to user pools useful in your research. Based on what I gather of your use case, I'm not positive it will directly address your question, but I hope it helps!

AWS
mwdehn
answered 3 months ago
