问题
At the documentations there's an App Client Secret, but I can't find anywhere its purpose.
I see the javascript SDK doesn't use it, I also don't know why, probably because many javascript applications run on the users browser, not a place to expose a secret, but that's my wild guess.
If this is something like a password for the App Client ID, I can't see how this improves security, since however can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security to brute-force attacks.
I would like to know what's the purpose of this secret, how cognito uses it and what functionalities does it provides.
回答1:
Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.
Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.
But in terms of security, it does not really make a difference.
回答2:
App Client ID and App Client Secret are necessary when you're using machine to machine communication, in this kind of communication you don't have a user and password. There's a grant type for that: Client Credentials. To understand this a little bit better you can check https://auth0.com/docs/api-auth/which-oauth-flow-to-use
来源:https://stackoverflow.com/questions/47916034/what-is-a-cognito-app-client-secret