I have a frontend app which I want to connect with a Cognito User Pool.
I am using openidconnect playground to test the authentication flow and this is my Cognito configuration:
I have not put a client secret because I don't think it is safe to have the client secret in the frontend URL.
This is the app client settings:
Using Authorization Code Grant due the rest needs a client secret.
So, this is the URL to do the login:
https://myuserpoolname.auth.eu-west-1.amazoncognito.com/oauth2/authorize?
client_id=YYYYYYYYY
&redirect_uri= https://openidconnect.net/callback
&scope=openid customscope/router customscope/modem
&response_type=code
&state=2282ed48ec2fc0eb0806a532f2eQQf02d0918949
After that, for the exchange to get the token I use this request:
POST https://myuserpoolname.auth.eu-west-1.amazoncognito.com/oauth2/token
grant_type=authorization_code
&client_id=YYYYYYYYY
&redirect_uri=https://openidconnect.net/callback
&code=bd105ab3-Z-X-Y-6109170d1e46
But if I don't share the client_secret as param it returns an error.
How can I do the authentication process without the client secret? Is that possible? If not, how can I manage the client secret to avoid to manage it in the frontend application?
Thanks.
When using auth code grant type on public clients, you should use PKCE.