
In AWS Cognito, when we get an access token via InitiateAuth or AdminInitiateAuth, its scope claim takes the fixed value aws.cognito.signin.user.admin, which allows a user to call any self-service API, including changing the password, updating attributes, disabling MFA or even deleting the user (source).

I want a finer-grained control over the self-service APIs. For example, I want to permit the use of GetUser and ChangePassword while forbidding SetUserMfaPreference and DeleteUser.

According to How to restrict AWS Cognito users from taking certain actions?, we can combine a Cognito user pool with a Cognito identity pool to enable fine-grained controls. But will it really work? Reading the linked official tutorial in the OP, it seems the flow will only work when we want to permit otherwise forbidden operations, such as reading DynamoDB, because the flow assumes a user will always explicitly request IAM credentials; no attacker will request restrictive credentials when anyone who knows the client id of a user pool can call InitiateAuth to retrieve an access token with scope: aws.cognito.signin.user.admin (and the client id can be extracted from the aud claim of an id token).

One workaround I came up with is to completely wrap AWS Cognito with our own implementation. However, in that case, we have to completely conceal the fact that we use Cognito under the hood, for example because, as mentioned above, anyone who has a raw Cognito id token can call InitiateAuth to retrieve an access token. And truly securely wrapping an auth service seems very difficult in the first place, especially for smaller teams.
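The two claims the question rests on (the id token's aud claim names the app client id, and the access token's scope claim is aws.cognito.signin.user.admin) can be checked offline by decoding the tokens. The following is an added example, not code from the question or from AWS; the sample tokens are constructed with the real Cognito claim names but made-up values and no signature, and the initiate_auth_scope helper (which needs boto3 and network access, so it is never exercised here) is an assumed convenience wrapper around the real cognito-idp InitiateAuth call with the USER_PASSWORD_AUTH flow.

```python
"""Inspect Cognito JWTs offline: which app client an id token names (aud)
and which scopes an access token carries. Added example, not from the post."""
import base64
import json
from typing import Any

SELF_SERVICE_SCOPE = "aws.cognito.signin.user.admin"


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    For inspection only. Never make an authorization decision on claims decoded
    this way; verify the signature against the user pool's JWKS first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # base64url drops padding; restore it
    return json.loads(base64.urlsafe_b64decode(payload))


def client_id_from_id_token(id_token: str) -> str:
    """A Cognito id token's aud claim is the app client id that minted it."""
    claims = decode_jwt_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError("expected an id token (token_use == 'id')")
    return claims["aud"]


def access_token_scopes(access_token: str) -> set[str]:
    """Cognito access tokens carry space-separated scopes in the 'scope' claim."""
    claims = decode_jwt_claims(access_token)
    if claims.get("token_use") != "access":
        raise ValueError("expected an access token (token_use == 'access')")
    return set(claims.get("scope", "").split())


def grants_full_self_service(access_token: str) -> bool:
    """True if the token can drive every self-service API (GetUser,
    ChangePassword, SetUserMFAPreference, DeleteUser, ...)."""
    return SELF_SERVICE_SCOPE in access_token_scopes(access_token)


def initiate_auth_scope(client_id: str, username: str, password: str, region: str) -> set[str]:
    """Assumed helper (not run here): authenticate against a real pool with only
    the app client id plus user credentials and return the access token's scopes.
    Requires boto3, network access and USER_PASSWORD_AUTH enabled on the client."""
    import boto3  # imported lazily so the rest of the module runs offline
    idp = boto3.client("cognito-idp", region_name=region)
    resp = idp.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    return access_token_scopes(resp["AuthenticationResult"]["AccessToken"])


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned token (alg none, empty signature) from constructed claims."""
    def b64(obj: Any) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens: real Cognito claim names, made-up values, no signature.
SAMPLE_CLIENT_ID = "1example23456789abcdefghijklmn"
SAMPLE_ID_TOKEN = _fake_jwt({
    "sub": "11111111-2222-3333-4444-555555555555",
    "aud": SAMPLE_CLIENT_ID,
    "token_use": "id",
    "cognito:username": "alice",
})
SAMPLE_ACCESS_TOKEN = _fake_jwt({
    "sub": "11111111-2222-3333-4444-555555555555",
    "client_id": SAMPLE_CLIENT_ID,
    "token_use": "access",
    "scope": SELF_SERVICE_SCOPE,
    "username": "alice",
})

if __name__ == "__main__":
    print("client id leaked by id token:", client_id_from_id_token(SAMPLE_ID_TOKEN))
    print("access token scopes:", access_token_scopes(SAMPLE_ACCESS_TOKEN))
    print("full self-service access:", grants_full_self_service(SAMPLE_ACCESS_TOKEN))
```

Note that decode_jwt_claims deliberately skips signature verification; it exists to look at what a token says, not to decide anything from it. The point the check makes visible is that the scope on a pool-issued access token is the same fixed value whichever app client or user requested it, so inspecting the token cannot distinguish a GetUser-only session from one that may call DeleteUser.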

Tags: Fine-grained scope for self-service operations in AWS Cognito, Stack Overflow