Reputation: 4487
AWS Cognito hosted UI returning id_token in URL
I am using AWS Cognito's hosted UI for user login. The id token is returned as part of the URL as described in https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html. Namely,
You can find the JSON web token (JWT) identity token after the #idtoken= parameter in the response. Here's a sample response from an implicit grant request. https://www.example.com/#id_token=123456789tokens123456789&expires_in=3600&token_type=Bearer
However, putting sensitive data in a query string is considered a bad practice (Is an HTTPS query string secure?). Does AWS Cognito support a more secure way of returning the id token?
Upvotes: 4
Views: 3591
Answers (1)
Reputation: 4480
Instead of token you can ask cognito to send you the Authorization code. From Documentation:
The authorization code grant is the preferred method for authorizing end users. Instead of directly providing user pool tokens to an end user upon authentication, an authorization code is provided. This code is then sent to a custom application that can exchange it for the desired tokens. Because the tokens are never exposed directly to an end user, they are less likely to become compromised.
Source: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
Upvotes: 5
Related Questions
- invalid_request error on AWS Cognito Custom UI Page
- AWS Cognito Hosted UI - can it be configured to use the custom url?
- How to get Cognito Identity Id in backend that is requested by AWS API Gateway?
- OAuth Cognito ID token unauthorized
- AWS Cognito getId "Invalid login token. Issuer doesn't match providerName"
- How to extract id_token from AWS Cognito redirect_url
- AWS Cognito built-in UI error posting credentials when using response_type=code
- Optional identifiers in cognito hosted UI do not work
- AWS Cognito Rest API to get the token
- How to pass cognito identity id to backend