Highest Voted 'aws-cognito' Questions - IT Security Stack Exchange

5

votes

2 answers

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is sending the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption). Making it possible to re-sign all requests to their AWS…

asked Feb 11 '20 at 02:54

Martin Fürholz

795
9
21

2

votes

1 answer

Why is ID token used instead of Access token to get temporary credentials in AWS?

After a user logons to cognito, he receives access and ID tokens. the ID token contains sensitive info like phone number, email, etc.. From all standards - ID token should not be used to gain access to an API:…

aws token aws-cognito

asked Jul 01 '20 at 08:28

ArielB

189
6

2

votes

0 answers

Does my app need authentication in addition to Spotify authorization?

I have an app that revolves entirely around Spotify. I have followed the authorization guide from Spotify and am using the Authorization Code Flow so the access token can be refreshed. My thinking was that this will prevent them from having to log…

authentication authorization oauth2 federation aws-cognito

asked Apr 18 '20 at 23:21

Scott Garland

21
2

2

votes

0 answers

Is it correct to use AWS Cognito groups as user roles?

I trying to implement authN/authZ for my application using Spring Security 5.2.2 and OAuth2/openid connect protocols. I use AWS Cognito as an identity provider and I'm trying to implement role-based authorization for my application. I've created…

oauth2 openid-connect spring-framework aws-cognito

asked Apr 16 '20 at 11:15

Kirill

121
2

1

vote

0 answers

Using AWS Cognito or Firebase Auth can help to certify my app with ISO 27001?

My colleague told me that ISO 27001 require physical server running in the office to store user password. Therefore, using AWS Cognito or Firebase Auth can save us the physical server since they have ISO 27001. Is my colleague correct? If not, does…

iso27001 aws-cognito

asked Mar 07 '21 at 16:27

ykn121

111
2

1

vote

1 answer

Why doesn't Keycloak allow user sign-up and sign-in through a client?

I'm in need of an authentication & authorization service that can manage our app's pool of users. I stumbled upon Keycloak and have been checking it for the past few days, but I'm wondering why Keycloak doesn't provide an API for a client to…

oauth sso aws-cognito

asked Sep 14 '20 at 03:00

aIKid

113
4

Questions tagged [aws-cognito]

What is the use case of request signing in this mobile app?

Why is ID token used instead of Access token to get temporary credentials in AWS?

Does my app need authentication in addition to Spotify authorization?

Is it correct to use AWS Cognito groups as user roles?

Using AWS Cognito or Firebase Auth can help to certify my app with ISO 27001?

Why doesn't Keycloak allow user sign-up and sign-in through a client?