Erik Kinstler

Reputation: 76

Storing Non-AWS API Access Tokens in Cognito User Attributes

Currently, I have configured a desktop UWP C# application which users sign into and register using AWS Cognito Users and User Pools. The application also needs to communicate with another 3rd-party API which uses a one-time registration to return an OAuth 2.0 access token and a refresh token. The access token expires in ~20 mins and the refresh token lasts the life of the request, typically forever until revoked by the user. I would like to store the refresh token so that it can be retrieved when the user signs in and is validated by Cognito. Is it okay to store this access token in the Cognito user attributes when they register, or do I need to store it somewhere else? If I do need to store it elsewhere, are there any AWS services which are typically used for this?

Upvotes: 1

Views: 126

Answers (1)

F_SO_K

Reputation: 14799

There is indeed an AWS service for this specific purpose. It's called AWS Secrets Manager.

Benefits:

  • Default encryption in storage and transit
  • You can use IAM to manage access control. So you could lock access down to one or two senior developers
  • You can use IAM for fine-grained access control. This means you can lock the Secret down to a specific user and it's secured at the storage level
  • Very simple to integrate with using the SDKs

Upvotes: 1
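As an added illustration of the SDK integration and per-user locking described in the answer (this is example code written for this page, not the asker's application code and not an AWS sample), the class below keeps one Secrets Manager secret per Cognito user for the third-party refresh token, using the AWS SDK for .NET in the asker's language. It assumes the NuGet packages AWSSDK.SecretsManager and AWSSDK.CognitoIdentity; the region, Identity Pool id, User Pool provider name, secret-name prefix and tag key are placeholders, and the IAM condition quoted in the comment is a sketch of the policy shape rather than a policy taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

// Added example, not code from the question or the answer. Assumes the NuGet packages
// AWSSDK.SecretsManager and AWSSDK.CognitoIdentity; pool ids, region and names are placeholders.
public sealed class RefreshTokenVault
{
    // Assumed naming convention: one secret per user, keyed by the immutable Cognito "sub" claim.
    private const string SecretPrefix = "myapp/thirdparty/refresh-token/";
    private const string OwnerTag = "cognito-identity-id";

    private readonly IAmazonSecretsManager _secrets;
    private readonly string _identityId;

    private RefreshTokenVault(IAmazonSecretsManager secrets, string identityId)
    {
        _secrets = secrets;
        _identityId = identityId;
    }

    // Exchange the User Pool ID token for short-lived AWS credentials through an Identity Pool,
    // so the desktop app never ships long-lived IAM access keys. The Identity Pool's authenticated
    // role is where IAM scopes each user to their own secret; policy sketch (assumed, not from the page):
    //   "Condition": { "StringEquals": { "secretsmanager:ResourceTag/cognito-identity-id":
    //                                    "${cognito-identity.amazonaws.com:sub}" } }
    public static async Task<RefreshTokenVault> OpenAsync(string idToken)
    {
        RegionEndpoint region = RegionEndpoint.USEast1;                                          // placeholder
        const string identityPoolId = "us-east-1:00000000-0000-0000-0000-000000000000";          // placeholder
        const string userPoolProvider = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"; // placeholder

        var creds = new CognitoAWSCredentials(identityPoolId, region);
        creds.AddLogin(userPoolProvider, idToken);
        string identityId = await creds.GetIdentityIdAsync();

        return new RefreshTokenVault(new AmazonSecretsManagerClient(creds, region), identityId);
    }

    private static string SecretName(string cognitoSub) => SecretPrefix + cognitoSub;

    // Store (or rotate) the third-party refresh token. Secrets Manager encrypts it at rest with KMS.
    // Only the long-lived refresh token is persisted; the ~20 minute access token is kept in memory.
    public async Task SaveAsync(string cognitoSub, string refreshToken)
    {
        string payload = JsonSerializer.Serialize(new
        {
            refresh_token = refreshToken,
            stored_at = DateTimeOffset.UtcNow
        });

        try
        {
            // Fast path: the secret already exists, so add a new version.
            await _secrets.PutSecretValueAsync(new PutSecretValueRequest
            {
                SecretId = SecretName(cognitoSub),
                SecretString = payload
            });
        }
        catch (ResourceNotFoundException)
        {
            // First registration for this user: create the secret and tag it with the owner,
            // which is the value the tag-based IAM condition above compares against.
            await _secrets.CreateSecretAsync(new CreateSecretRequest
            {
                Name = SecretName(cognitoSub),
                SecretString = payload,
                Tags = new List<Tag> { new Tag { Key = OwnerTag, Value = _identityId } }
            });
        }
    }

    // Retrieve the refresh token after the user has signed in and been validated by Cognito.
    // Returns null when the user has not completed the third-party registration yet.
    public async Task<string> LoadAsync(string cognitoSub)
    {
        try
        {
            GetSecretValueResponse resp = await _secrets.GetSecretValueAsync(new GetSecretValueRequest
            {
                SecretId = SecretName(cognitoSub)
            });
            using (JsonDocument doc = JsonDocument.Parse(resp.SecretString))
            {
                return doc.RootElement.GetProperty("refresh_token").GetString();
            }
        }
        catch (ResourceNotFoundException)
        {
            return null;
        }
    }
}
```

After the Cognito sign-in succeeds, the app calls `RefreshTokenVault.OpenAsync` with the ID token, then `SaveAsync` once after the one-time third-party registration and `LoadAsync` on every later sign-in. For the tag condition to hold, the authenticated role also needs `secretsmanager:CreateSecret` with an `aws:RequestTag` condition on the same tag key, so a user can only create secrets tagged with their own identity id; the secret name itself uses the User Pool `sub` because Secrets Manager names cannot contain the colon that appears in Identity Pool ids.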
