Are AWS Cognito User Pool ID and App Client ID secret?


Question

Two questions.

  1. Are the UserPoolId and AppClientId of an AWS Cognito User Pool secret?
  2. If so, how do you keep them secure? All the libraries I have seen (aws-amplify/amazon-cognito-identity-js) appear to be client-side.

What am I missing here? It seems like you give any malicious user with JS access keys to the Cognito kingdom with these 2 pieces of information.

Answer

They are not secret.

In fact, the ID token contains the iss claim (property), which is the User Pool ID, and the aud claim, which is the App Client ID.

The Access token contains the iss claim, which again is the User Pool ID, while it's the client_id claim which represents the App Client ID.

Should either of these tokens be intercepted by a bad actor, then they can decode the tokens, as they are just base64 encoded (not encrypted).

However, just knowing these 2 pieces of information is not usually terribly useful for an attacker, as long as the JWTs are validated correctly.

It does not give the attacker access to the User Pool itself as that requires AWS credentials, which are only assigned to users, or identities that have already been properly authenticated (and then issued credentials e.g. by ID Pools).

In terms of accessing an api, an attacker might want to modify the payload in some way in order to change the data in the request. For instance, they may want to change a hypothetical role claim from user to admin in order to escalate privileges and access areas that they shouldn't. This is mitigated by correctly validating the JWT tokens server-side to ensure that the payload has not been tampered with.

Another type of api attack could be to use a token that was correctly authenticated for one api to access another api (JWT substitution). This is mitigated by validating the iss and aud claims in order to confirm that the JWT was specifically issued to the expected User Pool and App Client.
