What is a Cognito App Client Secret

Michel Feinstein picture Michel Feinstein · Dec 21, 2017 · Viewed 13.1k times · Source

At the documentations there's an App Client Secret, but I can't find anywhere its purpose.

I see the javascript SDK doesn't use it, I also don't know why, probably because many javascript applications run on the users browser, not a place to expose a secret, but that's my wild guess.

If this is something like a password for the App Client ID, I can't see how this improves security, since however can steal your App Client ID will be able to steal the App Client Secret as well. Besides, the App Client ID is fairly random and should provide enough security to brute-force attacks.

I would like to know what's the purpose of this secret, how cognito uses it and what functionalities does it provides.

Answer

agent420 picture agent420 · Dec 22, 2017

Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.

Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.

But in terms of security, it does not really make a difference.