Tokens exposed to users via cookies: security question #31
Comments
|
Hi @johfer, thanks for asking this interesting question. In terms of security, Cognito@Edge is comparable to the implicit grant flow since the user pool tokens are returned to the user as cookies. Internally, it makes a call to If you wanted to follow the authorization code grant flow, you would need to stop returning the tokens as cookies and expecting an ID token to be sent with each request. Instead, you would treat requests with the There is a tradeoff between latency and security. The implicit flow will be faster, unless your application can cache the response from the I hope that helps clear things up. I'll discuss this with the team to see if we want to support both flows in the future. Regards, |
|
Hi @jeandek , great, thanks for this insightful response, helps/confirms my understanding of the subject. Best wishes, Johannes |
Hi, if I understand https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ correctly, in the preferred (from a security perspective) "Authorization code grant" flow, the actual tokens (id, access, refresh) are never exposed to the user.
However, in _getRedirectResponse in cognito-at-edge, those tokens are set as cookies, ending up in the user's browser. Does this compromise the security of the flow (albeit slightly), i.e. does using cognito-at-edge implicitly change the "Authorization code grant" flow into something that's equivalent to the less-secure "Implicit grant" flow?
The text was updated successfully, but these errors were encountered: