Here is my problem: I built a web app using Cognito to authenticate users with email + password. API Gateway validates the generated token, and the user can access the web app interface.
Now, I want to create an SDK for machine-to-machine (M2M) access, allowing the client machine to log in and request API endpoints. From what I understand, the correct way to do this is to create a Cognito domain and use "client credentials" (client_id + client_secret) to obtain a JWT and authenticate the machine (if I’m wrong, please let me know).
So my question is the following: I would like to know whether it is discouraged to use "Cognito user pool" credentials (which are normally reserved for human users) to obtain a JWT that will authorize the client machine in API Gateway for M2M communication, and if so, why.
After all, both methods generate OAuth2 JWTs, which seem secure to me. In both cases, you must keep 1 secret (either as a password or a client_secret), so the risk of leaks is the same. And if I can treat the machine as a human user, it allows for more fine-grained management (for example, if I sell multiple M2M accesses to the same company), as each access can be tracked centrally more easily. But maybe I’m misunderstanding how Cognito and OAuth2 work. To be honest, this is not my area of expertise.
Upvotes: 1
Views: 18
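To make the difference between the two flows concrete, here is an added example (not code from the question or from AWS) of the claim check an API would apply to a machine-to-machine access token. Claim names follow the shape of Cognito access tokens; the issuer, app client id, scope names and sample payloads are constructed, and the signature step that a real authorizer must perform against the user pool's JWKS is deliberately left out so the block runs offline.

```python
import base64
import json
import time

EXPECTED_ISS = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"  # constructed
ALLOWED_CLIENTS = {"1example23456789"}  # app client ids handed to M2M customers (constructed)


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline demonstration only."""
    return ".".join([_b64url({"alg": "RS256", "kid": "demo"}), _b64url(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Return the payload. The signature is NOT verified here; a real API must check it
    against the user pool's JWKS before trusting any claim below."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_m2m(token: str, required_scope: str, now: int = 0):
    """Decide whether a token may call an M2M endpoint. Returns (allowed, reason)."""
    now = now or int(time.time())
    c = decode_claims(token)
    if c.get("token_use") != "access":
        return False, "not an access token (ID tokens carry no scopes)"
    if c.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    if c.get("exp", 0) <= now:
        return False, "expired"
    if c.get("client_id") not in ALLOWED_CLIENTS:
        return False, "unknown app client"
    # Resource-server scopes are the lever that bounds what each machine credential may do.
    if required_scope not in c.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    return True, f"client {c['client_id']} granted {required_scope}"


# Constructed sample payloads: one from the client_credentials flow, one from a
# user-pool password login (which only carries the built-in user.admin scope).
M2M_TOKEN = make_unsigned_jwt({
    "sub": "1example23456789", "client_id": "1example23456789", "token_use": "access",
    "scope": "orders/read orders/write", "iss": EXPECTED_ISS, "iat": 1700000000, "exp": 1700003600,
})
USER_TOKEN = make_unsigned_jwt({
    "sub": "c0ffee00-0000-4000-8000-000000000001", "client_id": "1example23456789", "username": "alice",
    "token_use": "access", "scope": "aws.cognito.signin.user.admin", "iss": EXPECTED_ISS,
    "iat": 1700000000, "exp": 1700003600,
})
```

The user-pool token is rejected not because it is weaker, but because it carries no resource-server scope to bound the machine's access, which is the control the client credentials flow gives you per app client.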