What is a Cognito App Client Secret

aws-cognito
23,123

Solution 1

Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.

Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.

But in terms of security, it does not really make a difference.

Solution 2

App Client ID and App Client Secret are necessary when you're using machine to machine communication, in this kind of communication you don't have a user and password. There's a grant type for that: Client Credentials. To understand this a little bit better you can check https://auth0.com/docs/api-auth/which-oauth-flow-to-use

Share:
23,123
Michel Feinstein
Author by

Michel Feinstein

8+ years of experience as a Software Engineer, 3 years building Flutter Applications, 6 years building Android Applications. Worked with many different technologies, such as Mobile Apps, Serverless Applications, Micro-Services, Desktop Apps, Robotics, Embedded Systems, IoT, and others. Managed projects from start to finish, with clients in Brazil, Canada, and Israel. Advanced experience with Dart, Java, C#, C, C++, and SQL, moderate experience with Javascript. If you want to see some of my work, here are some public projects I have done or contributed to. Feel free to contact me over LinkedIn.

Updated on July 09, 2022

Comments

  • Michel Feinstein
    Michel Feinstein almost 2 years

    At the documentations there's an App Client Secret, but I can't find anywhere its purpose.

    I see the javascript SDK doesn't use it, I also don't know why, probably because many javascript applications run on the users browser, not a place to expose a secret, but that's my wild guess.

    If this is something like a password for the App Client ID, I can't see how this improves security, since however can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security to brute-force attacks.

    I would like to know what's the purpose of this secret, how cognito uses it and what functionalities does it provides.

  • Michel Feinstein
    Michel Feinstein over 6 years
    Good to know it wasn't just something that didn't make sense to me. But still, I can't see why to prohibit to use the app secret in public apps. It surely won't provide any added security, but also, if the secret is leaked, it won't be any security hole also, with no side effects, as far as I can see at least.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

AWS Cognito + google signup
Authentication with Cognito - where to find logs
How to use AWS Cognito as Single-sign-on?
AWS Cognito: Methods to Get a List of users?
AWS Cognito Authentication USER_PASSWORD_AUTH flow not enabled for this client
AWS Amplify: Forgot password function with custom UI
How to modify expiry time of the access and identity tokens for AWS Cognito User Pools
Implementing AWS-Cognito in Angular 2
How do I reset a Cognito user's password that has expired?
AWS Cognito/Amplify - have new user sign ups be automatically add to a user group