I am creating an application where:
- I have a REST API - /hello
- The user should be able to access this API only if he/she is logged in.
For this purpose, I decided to use AWS Cognito and implement the OAuth 2.0 flow.
Now, when the user tries to access /hello, they get redirected to an AWS Cognito login page. After the user logs in, my server side application (containing the REST API /hello) can get the id_token and access_token from AWS Cognito.
Should I pass this id_token to the browser, and ask the browser to send it while accessing the /hello REST API? Does this have any security implications? Is this the right way?
Or, after the user is authenticated, should I create a new id_token which is signed by my own custom key, and then send it to the browser? The user will send it back while trying to access the /hello REST API. I will then validate whether the id_token is valid using my custom key.
The purpose of the id_token is to validate that the user's session is valid and has not expired. Should the id_token be used for session management?