Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?
3 Answers
No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large number of SignUp calls to your user pool. But as long as these registrations are not verified, they won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS-specific issue. Fake registrations are a big headache, and one will face this issue even if no SignUp API is used and a PHP backend is used for registration. The only way to face this is email/phone verification.
Of course, if you have disabled SignUp in your user pool, i.e. only admins can create users, then this is not an issue at all.
- Thanks @agent420. That does indeed seem to be the case. I must say though that this feels quite a bit leaky. For example, this means that anyone can just hijack your Cognito account and use it to sign up and authenticate their users in their app. :/ – Sello Mkantjwa Dec 18 '17 at 09:58
- The docs also state: _It is your responsibility to secure any app client IDs or secrets so that only authorized client apps can call these unauthenticated APIs_, which is also confusing. http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html – Sello Mkantjwa Dec 18 '17 at 10:00
- Yup, seems like it. I have heard of similar queries. But everyone is concerned about DDoS attacks & fake registrations. Never thought about it, but yes, these details can be used to enable authentication & signup in another app. But think about it - if you developed a service, would you leave the fate of your users in the hands of someone else, because the owner of the user pool can delete it at any moment? And seeing how cheap Cognito is, I don't think anyone would risk it. – agent420 Dec 18 '17 at 10:16
- Besides, if you really wanted to hide client IDs, you could use the built-in UI with the App Integration feature. This way, the redirect_uri needs to be set in the user pool & other domains won't be able to use your user pool through the built-in UI. – agent420 Dec 18 '17 at 10:18
- Never thought of using the built-in UI. But that sounds like it might be a decent option. The example of someone using your service is really just to show how someone can very easily do something that they should definitely not be authorized to do. I agree that there might be little incentive to do so, but the principle applies. – Sello Mkantjwa Dec 18 '17 at 10:25
- I don't think there's any harm in exposing these. Even AWS Amplify has an aws-exports.js file stored on the client side which has all these values, including your DynamoDB table name, API paths, S3 bucket name, etc. – Yusuf Aug 18 '21 at 20:18
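An added example (not from any of the posts above) that checks the two points made in this thread from the defender's side: the pool ID and client ID are embedded in every Cognito ID token, so they cannot be secrets, and the real exposure is a pool that allows self sign-up without verification. The dict keys follow the shape of boto3's `describe_user_pool` response; the sample pool and token are constructed here with placeholder IDs.

```python
import base64
import json
from typing import Dict, List, Tuple


def audit_user_pool(pool: Dict) -> List[str]:
    """Return findings for a pool whose client ID is assumed to be public.
    `pool` has the shape of describe_user_pool()["UserPool"] from boto3."""
    findings: List[str] = []
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if admin_only:
        return findings  # only admins create users: a known client ID registers nobody
    # Anyone holding the client ID can call SignUp against this pool.
    findings.append("self sign-up enabled: the public client ID allows SignUp calls")
    if not pool.get("AutoVerifiedAttributes"):
        # Without email/phone verification, fake registrations are never challenged.
        findings.append("no AutoVerifiedAttributes: sign-ups are not verified by email or phone")
    if pool.get("LambdaConfig", {}).get("PreSignUp"):
        # A pre sign-up trigger may set autoConfirmUser; review it so that
        # unverified registrations do not become active users.
        findings.append("PreSignUp trigger present: confirm it does not auto-confirm users")
    return findings


def ids_from_id_token(token: str) -> Tuple[str, str]:
    """Read the pool ID and client ID out of a Cognito ID token's claims.
    Cognito puts the pool in `iss` and the app client in `aud`; the signature
    is deliberately NOT checked here, so use this only to inspect, never to trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["iss"].rsplit("/", 1)[1], claims["aud"]


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned sample token with placeholder IDs (not a real Cognito token).
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example-kid"}),
    _b64url({"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
             "aud": "exampleclientid1234567890", "token_use": "id"}),
    "signature-placeholder",
])

# Constructed sample pool: self sign-up on, no verification, and a pre sign-up trigger.
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:000000000000:function:example"},
}
```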
The ID token and access token generated by Cognito contain both the user pool ID and the client ID, so there is no way these values were designed to be private.
This information is not sensitive, but if used together it could allow a client to create users in your Cognito user pool and hence have access to your application.
Requests to Admin methods require the "userPoolId", which should be kept in your back end. Client/normal requests usually use the "clientId", of which there can be more than one under the same user pool.
In summary, "userPoolId" is your sensitive info and should not be exposed in your client.
Note: Amplify.@auth requires both userPoolId and clientId, which is another security failure from them; however, I have not seen them exposing the clientId in any request. Let's hope they fix this very soon.
- I don't think there's any harm in exposing these. Even AWS Amplify has an aws-exports.js file stored on the client side which has all these values, including your DynamoDB table name, API paths, S3 bucket name, etc. – Yusuf Aug 18 '21 at 20:19
- Anyway, if your app has a signup feature, users can create their user account in the user pool anyway. – Yusuf Aug 18 '21 at 20:20