I'm using the client-side Cognito Javascript SDK. Part of the setup requires configuring region, UserPoolId, ClientId, and identityPoolId. During testing, I'm including the data via a separate file that users could look through and use to discover these Cognito ids.
Is it safe to expose these ids to the end user?
Otherwise, how do I do this safely?
asked Sep 22, 2016 at 22:34 by nu everest, edited Sep 22, 2016 at 22:48
No, It is not safe – Shiv Singh Commented Sep 26, 2016 at 6:50
3 Answers
There's a post by AWS on their forums that addresses this.
Please note that with userPoolId and clientId, only unauthenticated APIs can be called, e.g. SignUp, authenticate, forgotPassword etc. So userPoolId and clientId alone are not enough to do any malicious activity on your user pool.
Source is https://forums.aws.amazon./thread.jspa?threadID=245752&tstart=200
An alternative is to use API Gateway with the Cognito authorizer for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:
https://aws.amazon./blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/
If you are using authenticated identities (when you use Cognito User Pools, they are authenticated identities), then even if an attacker gets hold of the identityId, they cannot get AWS credentials without providing the id token, which can only be obtained by providing authentication credentials (username and password).
P.S.: It is always advised to use authenticated identities, and even if you have a use case for unauthenticated identities, it is better to keep the access in the role for unauthenticated identities minimal.
I have a solution that invokes a particular Lambda function using IAM unauthenticated credentials. The flow is like this:
- Create a Cognito identity pool with an unauthenticated provider
- Associate that Cognito identity pool with an IAM role policy for the unauthenticated amr
- Give that IAM role permission to invoke the Lambda authentication functions (login, signup, forgot, confirm, etc.)
So here, the client apps only need to get their unauthenticated identity credentials to invoke the Lambda authentication functions. We store the clientID & userPoolID in the Lambda, not in the client apps.
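The setup described in this answer, and the "keep the unauthenticated role minimal" advice from the previous one, as an added CloudFormation example that is not part of the original post: the identity pool allows unauthenticated identities, the role's trust policy accepts only this pool's unauthenticated amr, and the role's sole permission is invoking the auth Lambda functions. The pool name and the function ARNs (passed in as a parameter) are assumed.

```yaml
# Added example, not from the answers above. Function ARNs and pool name are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AuthFunctionArns:
    Type: CommaDelimitedList
    Description: ARNs of the login/signup/forgot/confirm Lambda functions (assumed)
Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: app-unauth-pool   # assumed name
      AllowUnauthenticatedIdentities: true
  UnauthRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only unauthenticated identities of this pool may assume the role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      # Permissions: invoke the listed auth functions and nothing else
      Policies:
        - PolicyName: invoke-auth-functions-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !Ref AuthFunctionArns
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        unauthenticated: !GetAtt UnauthRole.Arn
```

Anyone who extracts the identity pool id from the client can still only obtain credentials for this role, so the blast radius is limited to calling the auth functions.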