Questions tagged [cognito]

The tag has no usage guidance.

0 votes
1 answer
291 views

3rd Party API Key in cognito custom attribute JWT

I am developing an application where users need to provide an API key to a 3rd party service, our app (a serverless app on AWS with a DynamoDB) then makes requests to that 3rd party service on behalf ...
Woody • 103
1 vote
0 answers
129 views

OAuth2/Cognito: Let trusted server act on behalf of user

I'm building a public HTTP JSON API using API Gateway with ID token authentication. I now need a server that acts on behalf of users. Users message that server using a third party (think Signal or ...
Max • 11
3 votes
3 answers
1k views

Pros vs Cons of Secure Remote Password

We are setting up an authentication system using Cognito and Amplify. We noticed that Amplify suggests Secure Remote Password as the default. I can understand the benefits of SRP for protecting ...
cbp • 131
4 votes
1 answer
5k views

Should JWTs be validated on every request?

I have been unable to find a definitive answer to the above question. We currently use JWTs from AWS Cognito for our Authentication. Currently the JWTs that are returned are too large to use in ...
StuartM • 153
1 vote
0 answers
535 views

AWS Appsync authorization - why is IAM authorization safer than API Key based approach

We are currently evaluating which authorization type to use for our production AppSync APIs. As per AWS docs (https://docs.aws.amazon.com/appsync/latest/devguide/security.html, https://aws.amazon.com/...
nikel • 111
1 vote
2 answers
130 views

Serverless Apps Authenticate Users After Page Load - Flaw?

Server-based apps check for a session cookie before returning any content to the user. If an authentication cookie isn't sent from the user's browser, the only content delivered to the user is a ...
David_Springfield
0 votes
1 answer
712 views

Is detecting if an email has an account considered a vulnerability with AWS cognito?

I am doing a pen test on a client system using AWS Cognito and user pools for authentication using the client-side SDK provided by AWS. During the forget password flow, I noticed that Cognito request ...
jia chen • 149
2 votes
1 answer
1k views

Using Cognito access token to pass claims

I am working on migrating all our users from our DB to a managed service, and we're considering AWS Cognito. We want to use Cognito for Authentication and Access Control. For access control, we're ...
Tomer Amir
1 vote
1 answer
3k views

Is this the correct way to use AWS Cognito?

I am doing the following in my React/Node App: Using the User Pools for a Cognito App that I have created Calling the /login endpoint with response_type=token in my React App Once I receive the JWT ...
Amarsh • 113