How to implement DPoP or other proof-of-possession techniques for AWS cognito

We're interested in implementing proof-of-possession, like DPoP to secure OAuth tokens sent from the client to our Cognito authentication backend against replay attacks. Is there functionality built into the Cognito user client SDKs (or Amplify client SDKs) that supports this.

Or is the recommendation that we should just build our own client libraries and implement authentication lambdas and do it ourselves? If the later, please consider adding support for this to your roadmap. This functionality is currently supported by other identity services in some capacity like Okta, Auth0, ConnectId, Google cloud, Azure etc.

https://developer.okta.com/docs/guides/dpop/nonoktaresourceserver/main/

Topics

Security, Identity, & Compliance Front-End Web & Mobile

Tags

Security, Identity, & Compliance AWS Amplify Amazon Cognito

Language

English

rePost-User-8472021

asked 2 months ago234 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello

You are right, as of today the best way to do this is to implement a lambda trigger, as described in this doc : https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Best regards Serge

Serge

answered 2 months ago

Hello there,

I understand that you would like to know if there is an existing functionality with Cognito to implement proof-of-possession to secure OAuth tokens sent from the client to Cognito authentication backend against replay attacks.

At the moment, AWS Cognito does not have a native functionality to implement proof-of-possession to secure OAuth tokens sent from the client to Cognito authentication backend.

However, as you pointed out correctly the above use case can be achieved by implementing authentication Lambdas/ Lambda triggers on your Cognito Userpools. The below document elaborates more on integration of Lambda triggers with Cognito userpools.

[+] https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Additionally, Cognito now supports customisation of access tokens via a Lambda trigger. The below article give more details on the same and how to achieve your requirement with a Pre token generation Lambda trigger.

[+] https://repost.aws/articles/ARlRBV5B86TzmrD6TJvMuHpQ/aws-cognito-finally-supports-custom-claims-for-access-tokens

Shreeya

answered 2 months ago

Relevant content

AWS Lambda NET & Cognito: How to implement RBAC?
Oleg
asked a year ago
How can I revoke tokens created through Cognito oauth/token url?
Jeremy Marck Villanueva Rivera
asked 2 years ago
is there a possibility to inject user information in the access token generated from AWS Cognito using oauth client credentials grant
baski84
asked a year ago
Error while implementing Azure AD as OIDC provider in AWS Cognito - (401 error getting token)
Accepted Answer
Ganesh Mohanraj
asked 3 years ago
How do I implement best practices for Redis clients and ElastiCache for Redis self-designed clusters?
AWS OFFICIALUpdated a month ago
How do I authorize access to API Gateway APIs using custom scopes in Amazon Cognito?
AWS OFFICIALUpdated a year ago
How do I revoke JWT tokens in Amazon Cognito using the AWS CLI?
AWS OFFICIALUpdated a year ago
How can I get custom scopes in the access token when I make an InitiateAuth or AdminInitiateAuth API call?
AWS OFFICIALUpdated 6 months ago
AWS Cognito Finally Supports Custom Claims for Access Tokens
EXPERT
Antonio_Lagrotteria
published 4 months ago
How to Implement OpenID on AWS
EXPERT
Sedat Salman
published a year ago