stckvflw

Reputation: 349

Send client_secret to user upon signup via Cognito UI for AWS Cognito ClientCredentials Flow

Due to my machine-to-machine OAuth2 needs (a vendor's API will be calling my APIs), I have started looking into the client_credentials flow on AWS Cognito. However, there are some things that I could not make clear to myself or find the answer to yet.

I would like to prevent manually creating the user/app client, and sharing the client_secret securely is a concern.

  1. Is it possible to generate a client_secret and send it (hopefully encrypted) to a signed-up user's email address after they sign up using the Cognito UI?
     • User signs up via UI
     • User receives verification email to verify their identity
     • Upon verification, client_secret is generated and emailed to the verified email account (even better if encrypted in a way)
     • User makes a Cognito /token request to receive an access token to use in API calls.
  2. Is there a way to rotate the client_secret using AWS Cognito? Or is there another AWS service that I can hook up to Cognito for client_secret rotation?

Any other ideas or suggestions are also welcome.

Thank you all in advance,

Upvotes: 2

Views: 815

Answers (1)

Ninad Gaikwad

Reputation: 4480

I think you have some misunderstanding about how Cognito handles app clients. You seem to have mixed up the client flow with the user flow. In the case of the client flow there will be no signup.

This flow submits the request using Back-End programming language (e.g. Python, JAVA, Nodejs, PHP), that is why having a Client secret key submitted along the request makes sense since the flow has nothing to do with the end user and it does not access the USERINFO in the User Pool.

Source: https://www.yippeecode.com/topics/aws-cognito-oauth-2-0-client-credentials-flow/

You cannot change the client secret. If you must have a rotation in place, you can write a Lambda to delete the old client and create a new one with a fresh id and secret.

Upvotes: 0
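The rotate-by-replacement approach the answer describes, written out as an added example (not the answerer's code and not anything from AWS). It uses the real boto3 `cognito-idp` call names (`describe_user_pool_client`, `create_user_pool_client`, `delete_user_pool_client`) but runs against a constructed in-memory stand-in so it works offline; the new client is created first and the old one is only deleted after a grace period, so the vendor has a window in which both credentials work.

```python
import time


class FakeCognitoIdp:
    """Constructed stand-in for boto3.client("cognito-idp"). It mimics the three
    calls used below; the pool contents and generated secrets are made up."""

    def __init__(self):
        self._clients = {}
        self._n = 0

    def create_user_pool_client(self, **kw):
        self._n += 1
        client = {
            "ClientId": f"client-{self._n}",
            "ClientSecret": f"secret-{self._n}",  # constructed, not a real secret
            "ClientName": kw["ClientName"],
            "AllowedOAuthScopes": kw["AllowedOAuthScopes"],
        }
        self._clients[client["ClientId"]] = client
        return {"UserPoolClient": client}

    def describe_user_pool_client(self, UserPoolId, ClientId):
        return {"UserPoolClient": self._clients[ClientId]}

    def delete_user_pool_client(self, UserPoolId, ClientId):
        del self._clients[ClientId]
        return {}

    def client_ids(self):
        return sorted(self._clients)


def rotate_app_client(idp, user_pool_id, old_client_id, grace_seconds=0, sleep=time.sleep):
    """Replace an app client with a successor carrying the same name and scopes.
    Returns the new credentials; deletes the old client after the grace period."""
    old = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=old_client_id)["UserPoolClient"]
    new = idp.create_user_pool_client(
        UserPoolId=user_pool_id,
        ClientName=old["ClientName"],
        GenerateSecret=True,                      # Cognito generates the secret for you
        AllowedOAuthFlows=["client_credentials"],
        AllowedOAuthScopes=old["AllowedOAuthScopes"],
        AllowedOAuthFlowsUserPoolClient=True,
    )["UserPoolClient"]
    creds = {"client_id": new["ClientId"], "client_secret": new["ClientSecret"]}
    # Hand creds to the vendor out of band (e.g. via a secrets store) before this window ends;
    # never log the secret. Then cut over by removing the old client.
    if grace_seconds:
        sleep(grace_seconds)
    idp.delete_user_pool_client(UserPoolId=user_pool_id, ClientId=old_client_id)
    return creds
```

With a real pool, pass `boto3.client("cognito-idp")` as `idp` and the vendor's current client id; the grace period is where the vendor switches to the new credentials.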
