Questions tagged [aws-cognito]

6 questions
5
votes
2 answers

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is sending the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption), making it possible to re-sign all requests to their AWS…
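The question above turns on what an AWS Signature Version 4 (SigV4) signature actually proves. The following is an added example, not code from the question or from AWS: a minimal SigV4 signer and verifier over constructed demo credentials (the access key, secret, session token, host and path are all made up). It shows that the signature binds the request body, headers, date, region and service to the credentials, so a man-in-the-middle who lacks the secret cannot alter a signed request, but whoever holds the secret (here, the app itself, since Cognito handed it the temporary credentials) can simply sign again. The request path handling is simplified to plain ASCII paths.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo credentials (not real AWS keys). In the scenario described
# these would be the temporary credentials Cognito hands to the mobile app.
DEMO_CREDS = {
    "access_key": "ASIAEXAMPLE0000000001",
    "secret_key": "demoSecretKeyNotARealAwsSecret0000000000",
    "session_token": "DemoSessionTokenFromCognitoIdentityPool",
}
REGION = "eu-west-1"
SERVICE = "execute-api"  # API Gateway
ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str) -> bytes:
    """SigV4 key derivation: the secret itself never goes on the wire; a key
    scoped to (date, region, service) produces the signature."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def _signature(req: dict, secret_key: str, signed_names: list) -> tuple:
    """Canonical request -> string to sign -> hex signature, per the SigV4 spec."""
    amz_date = req["headers"]["x-amz-date"]
    date_stamp = amz_date[:8]
    canonical_headers = "".join(f"{k}:{req['headers'][k].strip()}\n" for k in signed_names)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(req["query"].items())
    )
    canonical_request = "\n".join([
        req["method"],
        quote(req["path"], safe="/-_.~"),  # plain ASCII paths only (the spec double-encodes segments)
        canonical_query,
        canonical_headers,
        ";".join(signed_names),
        _sha256_hex(req["body"]),  # the payload hash is what binds the body to the signature
    ])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    key = derive_signing_key(secret_key, date_stamp)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest(), scope


def build_signed_request(method, host, path, body, creds, amz_date, query=None) -> dict:
    """Client side: sign the request with the credentials Cognito handed out."""
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["session_token"],  # temporary creds also carry a session token
    }
    req = {"method": method, "host": host, "path": path, "query": query or {}, "headers": headers, "body": body}
    signed_names = sorted(headers)  # computed before Authorization is added
    sig, scope = _signature(req, creds["secret_key"], signed_names)
    headers["authorization"] = (
        f"{ALGORITHM} Credential={creds['access_key']}/{scope}, "
        f"SignedHeaders={';'.join(signed_names)}, Signature={sig}"
    )
    return req


def verify_request(req: dict, secret_db: dict) -> bool:
    """Service side (what AWS does): look up the secret for the access key and recompute."""
    auth = req["headers"].get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    fields = dict(p.split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(", "))
    access_key, *scope_parts = fields["Credential"].split("/")
    secret = secret_db.get(access_key)
    date_stamp = req["headers"]["x-amz-date"][:8]
    if secret is None or scope_parts != [date_stamp, REGION, SERVICE, "aws4_request"]:
        return False
    signed_names = fields["SignedHeaders"].split(";")
    if any(h not in req["headers"] for h in signed_names):
        return False
    expected, _ = _signature(req, secret, signed_names)
    return hmac.compare_digest(expected, fields["Signature"])


def demo() -> dict:
    secret_db = {DEMO_CREDS["access_key"]: DEMO_CREDS["secret_key"]}
    body = b'{"item": "sku-1", "qty": 1}'
    req = build_signed_request("POST", "api.example.com", "/prod/orders", body, DEMO_CREDS, "20240102T030405Z")
    # Attacker WITHOUT the secret: change the body, keep the old Authorization header.
    tampered = dict(req, body=b'{"item": "sku-1", "qty": 100}')
    # Attacker WITH the secret (the app received it from Cognito): just sign again.
    resigned = build_signed_request("POST", "api.example.com", "/prod/orders", tampered["body"],
                                    DEMO_CREDS, "20240102T030405Z")
    return {
        "original_ok": verify_request(req, secret_db),
        "tampered_ok": verify_request(tampered, secret_db),
        "resigned_ok": verify_request(resigned, secret_db),
    }
```

`demo()` returns `original_ok=True`, `tampered_ok=False`, `resigned_ok=True`: SigV4 is proof of possession of the credentials plus replay and tamper resistance against third parties, not a control on what the credential holder may send. What the holder is allowed to do is decided by the IAM policy attached to the role the credentials were issued for, which is the check to review in the scenario above.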
2
votes
1 answer

Why is ID token used instead of Access token to get temporary credentials in AWS?

After a user logs on to Cognito, he receives access and ID tokens. The ID token contains sensitive info like phone number, email, etc. According to all standards, the ID token should not be used to gain access to an API:…
ArielB
  • 189
  • 6
2
votes
0 answers

Does my app need authentication in addition to Spotify authorization?

I have an app that revolves entirely around Spotify. I have followed the authorization guide from Spotify and am using the Authorization Code Flow so the access token can be refreshed. My thinking was that this will prevent them from having to log…
2
votes
0 answers

Is it correct to use AWS Cognito groups as user roles?

I'm trying to implement authN/authZ for my application using Spring Security 5.2.2 and the OAuth2/OpenID Connect protocols. I use AWS Cognito as an identity provider and I'm trying to implement role-based authorization for my application. I've created…
Kirill
  • 121
  • 2
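Two of the questions on this page meet at the resource server: the one above (Cognito groups as application roles) and the earlier one on ID versus access tokens. The block below is an added example written for this page, not code from either question, from Spring Security or from AWS. It shows the checks an API should make on a Cognito-issued JWT before mapping `cognito:groups` to roles: the token must verify, carry `token_use` of `access` (Cognito sets `id` on ID tokens), come from the expected issuer for the expected app client, and be unexpired. Real Cognito tokens are RS256-signed and are verified against the user pool's JWKS at `<issuer>/.well-known/jwks.json`; this example substitutes an HS256 demo key so it runs offline, and the issuer, client ID, user, groups and `ROLE_` naming are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed values standing in for a Cognito user pool (assumptions, not real IDs).
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"
# Demo HMAC key. Real Cognito tokens are RS256-signed; a real verifier fetches the
# public key matching the header's 'kid' from <issuer>/.well-known/jwks.json.
DEMO_KEY = b"demo-hmac-key-not-a-cognito-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a demo HS256 JWT with the given claims; only used to construct inputs here."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AuthError(Exception):
    pass


def authorize(token: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Resource-server check: only a valid *access* token for this client yields roles."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let 'alg' choose the verifier
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Cognito labels the token type: ID tokens carry "id", access tokens carry "access".
    if claims.get("token_use") != "access":
        raise AuthError(f"token_use is {claims.get('token_use')!r}, not an access token")
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    if claims.get("client_id") != APP_CLIENT_ID:  # access tokens use client_id; ID tokens use aud
        raise AuthError("wrong client")
    if int(claims.get("exp", 0)) <= now:
        raise AuthError("expired")
    # Spring-style mapping: group "admin" -> authority "ROLE_ADMIN" (naming is an assumption).
    roles = sorted("ROLE_" + g.upper() for g in claims.get("cognito:groups", []))
    return {"username": claims.get("username"), "roles": roles, "scope": claims.get("scope", "")}


NOW = 1_700_000_000  # fixed clock so the constructed tokens are deterministic

ACCESS_TOKEN = make_token({
    "token_use": "access", "iss": ISSUER, "client_id": APP_CLIENT_ID, "username": "kirill",
    "cognito:groups": ["admin", "editor"], "scope": "openid profile",
    "iat": NOW, "exp": NOW + 3600,
})
# Same user, same groups, but an ID token: it also carries PII and must not be an API credential.
ID_TOKEN = make_token({
    "token_use": "id", "iss": ISSUER, "aud": APP_CLIENT_ID, "cognito:username": "kirill",
    "cognito:groups": ["admin", "editor"], "email": "kirill@example.com",
    "phone_number": "+10000000000", "iat": NOW, "exp": NOW + 3600,
})


def demo() -> dict:
    results = {}
    for name, tok in {"access": ACCESS_TOKEN, "id": ID_TOKEN}.items():
        try:
            results[name] = authorize(tok, NOW)
        except AuthError as e:
            results[name] = f"rejected: {e}"
    return results
```

`demo()` accepts the access token and returns `ROLE_ADMIN` and `ROLE_EDITOR` for it, and rejects the ID token on `token_use` even though its signature and groups are identical. In Spring Security the same decisions live in a custom `JwtAuthenticationConverter` (for the group-to-authority mapping) and an `OAuth2TokenValidator` (for the `token_use` check), with the JWKS URI configured as the decoder's key source.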
1
vote
0 answers

Can using AWS Cognito or Firebase Auth help to certify my app for ISO 27001?

My colleague told me that ISO 27001 requires a physical server running in the office to store user passwords. Therefore, using AWS Cognito or Firebase Auth can save us the physical server since they have ISO 27001. Is my colleague correct? If not, does…
ykn121
  • 111
  • 2
1
vote
1 answer

Why doesn't Keycloak allow user sign-up and sign-in through a client?

I'm in need of an authentication & authorization service that can manage our app's pool of users. I stumbled upon Keycloak and have been checking it for the past few days, but I'm wondering why Keycloak doesn't provide an API for a client to…
aIKid
  • 113
  • 4