Amazon Cognito OAuth2 Native App: Best practice

Submitted by 冷暖自知 on 2020-02-04 12:12:04

Question


I am developing backend APIs for a native app. This backend service (developed using Java/Spring Boot) is deployed on AWS. For securing the backend APIs I am planning to use OAuth2 (Authorization Code grant flow with PKCE).

I am trying to achieve this through Amazon API Gateway and Cognito User Pool. This is what I have done so far.

  1. I have created a Cognito user pool
  2. Added an app client (app client id/secret)
  3. Configured a Domain and a Resource Server
  4. Configured App Client Settings with Authorization code grant as the OAuth flow
  5. Created a user with a default password and also changed the password.
  6. I have set up an Amazon API (with resource mapping to my backend) with this Cognito user pool as Authorizer.

With this setup my workflow is like this:

A. Call the /oauth2/authorize endpoint of my domain with response_type as code and also pass all necessary information like client id, callback URL, code_challenge_method, code_challenge etc. This redirects to the /login page. I log in with the username/password created in step 5 above. This will return me a code.
B. Call /oauth2/token with the code returned from the previous step and all the other necessary details including code_verifier. This will return me an access_token (refresh_token, id_token).
C. Use this token to call the Amazon API Gateway endpoint.

All this is working fine. But I have a couple of questions.

  1. Do I create an app client (step 2 above) every time a user downloads the app from the Play Store? Is the app client related to a user or to the app?
  2. Do I need to create a new user (step 5 above) every time a user downloads the app and wants to use it? I have my own customer registration/login process implemented in my app/backend. I do not want Amazon to handle this. But I need at least one user in the Cognito user pool to get the code (step A). Not sure how this should be handled.
  3. Currently I am using a dummy callback URL, as this is a mandatory field. How can I handle this in my native app?

Answer 1:


  1. You need to create 2 app clients: one with a secret for the backend application and one without a secret for the native app. The secret is for a server application to call the Cognito API in some cases. => **Not every time, only 2 app clients**. AWS has a limitation. Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html

  2. The best practice is that users create an account by themselves. Then they log in and get credentials from the backend. Depending on the credential, you will enable or disable functions in the native app.

  3. As the AWS document says, you can set the callback URI as myapp://. But I still use a dummy callback. I get the token from the HTTP headers (which are returned from Cognito).




Answer 2:


To add to TuanVA's very good points:

  1. Users need to be saved to Cognito as well as to your back end. My write-up may help you to understand the options, which can vary depending on where the security ownership lies.

  2. The most standard option is to use a private URI scheme based callback such as com.mycompany.myapp:/callback

If it helps I have an Android sample app you can quickly run against Cognito.

My sample is pretty detailed though, and deals with integrating AppAuth libraries, so may be more complicated than you need.
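The pieces the question's steps A and B and the two answers describe (a PKCE verifier/challenge pair, the authorize request, a private URI scheme callback as in answer 2, and a token request from an app client that has no secret as in answer 1) can be put together in a few lines. The following is an added example written for this page; it is not code from the question, from either answer, or from any AWS library. The Cognito domain, client id and redirect URI are placeholders, and no network call is made: the functions only build and check the messages, so a practitioner can run it offline and see exactly what the native app must send and verify.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple, Dict
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values for illustration only (not from the original post).
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_PUBLIC_CLIENT_ID"          # the app client created WITHOUT a secret
REDIRECT_URI = "com.mycompany.myapp:/callback"  # private URI scheme registered for the app


def generate_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43-character base64url string (allowed length is 43..128)
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(code_challenge: str, state: str) -> str:
    """Step A: the URL the app opens in the system browser (only the challenge leaves the device)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect the OS hands to the app; reject a wrong target or state."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}:{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect target does not match the registered redirect_uri")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this app session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str) -> Tuple[str, Dict[str, str]]:
    """Step B: endpoint and form body for the token exchange; a public client sends no client_secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", body


if __name__ == "__main__":
    verifier, challenge = generate_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("open:", build_authorize_url(challenge, state))
    # Constructed sample of the redirect the app would receive after login.
    sample_callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(sample_callback, state)
    endpoint, body = build_token_request(code, verifier)
    print("POST", endpoint, body)
```

The verifier never appears in the authorize URL, so an app that intercepts the private-scheme redirect without also holding the verifier cannot redeem the code at /oauth2/token; checking `state` on the way back ties the callback to the request this app instance started. The sample verifier/challenge pair from RFC 7636 Appendix B can be used to confirm the S256 derivation.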



Source: https://stackoverflow.com/questions/59733220/amazon-cognito-oauth2-native-app-best-practice
