I am using AWS Cognito's hosted UI for user login. The id token is returned as part of the URL as described in https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html. Namely,

You can find the JSON web token (JWT) identity token after the #idtoken= parameter in the response. Here's a sample response from an implicit grant request. https://www.example.com/#id_token=123456789tokens123456789&expires_in=3600&token_type=Bearer

However, putting sensitive data in a query string is considered a bad practice (Is an HTTPS query string secure?). Does AWS Cognito support a more secure way of returning the id token?

Big Pumpkin
    I realized that the id token is NOT in a query string. As a URL fragment, it is not sent to the server. The server page that handles this URL can use JavaScript to parse and save the id token in the browser. – Big Pumpkin Sep 06 '20 at 05:25
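The distinction the comment above draws, worked through as an added example (not code from the question, the answer, or AWS): split a Cognito implicit-grant redirect URL into the part the browser sends to the server and the fragment it keeps locally. The sample URL is the one quoted from the documentation; the function names are mine.

```javascript
// Added example: parse a Cognito implicit-grant redirect URL and show which
// parts of it would reach a server. The sample URL is the one quoted from the
// Cognito documentation in the question.
const SAMPLE_REDIRECT =
  "https://www.example.com/#id_token=123456789tokens123456789&expires_in=3600&token_type=Bearer";

// Split the redirect URL into what the browser transmits (origin, path and
// query string) and the fragment, which the browser never sends.
function splitRedirect(urlString) {
  const url = new URL(urlString);
  // url.hash keeps the leading "#"; an empty string means no fragment at all
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : "";
  return {
    sentToServer: url.origin + url.pathname + url.search,
    query: url.search, // "" for the sample: the token is not in the query string
    fragmentParams: Object.fromEntries(new URLSearchParams(fragment)),
  };
}

// Read the token fields out of the fragment and check that the response has
// the shape shown in the documentation sample (bearer token, positive TTL).
function extractIdToken(urlString) {
  const { fragmentParams } = splitRedirect(urlString);
  const { id_token: idToken, expires_in: expiresIn, token_type: tokenType } = fragmentParams;
  if (!idToken || tokenType !== "Bearer") {
    throw new Error("redirect does not carry a bearer id_token in its fragment");
  }
  const ttl = Number(expiresIn);
  if (!Number.isInteger(ttl) || ttl <= 0) {
    throw new Error("expires_in is missing or not a positive integer");
  }
  return { idToken, expiresInSeconds: ttl };
}

// In a real page, once the token has been read, remove the fragment from the
// address bar so the token does not remain in the tab's history entry:
//   history.replaceState(null, "", location.pathname + location.search);
// (browser-only API; not called here so the example also runs under Node.)

if (typeof window === "undefined") {
  const parts = splitRedirect(SAMPLE_REDIRECT);
  console.log("sent to server:", parts.sentToServer); // https://www.example.com/
  console.log("kept in browser:", parts.fragmentParams);
  console.log("token:", extractIdToken(SAMPLE_REDIRECT));
}
```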

1 Answer

Instead of the token, you can ask Cognito to send you the authorization code. From the documentation:

The authorization code grant is the preferred method for authorizing end users. Instead of directly providing user pool tokens to an end user upon authentication, an authorization code is provided. This code is then sent to a custom application that can exchange it for the desired tokens. Because the tokens are never exposed directly to an end user, they are less likely to become compromised.

Source: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

Ninad Gaikwad
    Thanks for sharing the blog post! It is much more informative than the Cognito Developer Guide. The `authorization code grant` requires writing server-side code. The ideal solution I am hoping for is 1) no server-side code, 2) the id_token moved from the query string parameter to a header, for example. – Big Pumpkin Nov 26 '19 at 20:16