I am creating an application where :

  1. I have a REST API - /hello
  2. The user should be able to access this API only if he/she is logged in.

For this purpose, I decided to use AWS Cognito and implement the OAuth 2.0 flow.

Now, when the user tries to access /hello, they get redirected to an AWS Cognito login page. After the user logs in, my server side application (containing the REST API /hello) can get the id_token and access_token from AWS Cognito.

Should I pass this id_token to the browser, and ask the browser to send it while accessing the /hello REST API? Does this have any security implications? Is this the right way?

Or, after the user is authenticated, should I create a new id_token which is signed by my own custom key, and then send it to the browser? The user will send it back while trying to access the /hello REST API. I will then validate whether the id_token is valid using my custom key.

The purpose of the id_token is to validate that the user's session is valid and has not expired. Should the id_token be used for session management?

1 Answer

So the goal is to avoid use of cookies in your React Web UI, and to use tokens instead, with a stateless back end. I totally agree with this goal.

OPTION 1

Pass tokens from the web back end to the UI which can use them to maintain a client side session. This requires a Spring endpoint that is called via Ajax and it needs to be secured via cookies. Otherwise an attacker can call that endpoint and get tokens.

OPTION 2

Do the OAuth login handling in your React app via the oidc client library rather than in a Spring web back end, so that your UI is a pure cookieless SPA. Use Spring solely as an OAuth secured resource server. Use static content hosting for HTML / JS files, perhaps via AWS CloudFront.

MY SOLUTIONS

If interested in option 2 I have a demo React app that works like this and connects to Cognito. You can run it yourself from my Quick Start Page.

Here is the SPA OAuth Code. Meanwhile my Spring Sample only acts as a REST API and does not do any web login handling.