Amazon Cognito now enables app clients to specify resource indicators during access token requests as part of its OAuth 2.0 authorization code grant and implicit grant flows. The resource indicator identifies the protected resource, such as a user’s bank account record or a specific file in a file server that the user needs to access. After authenticating the client, Cognito then issues an access token for that specific resource. This ensures that access tokens can be limited from broad service level access down to accessing specific individual resources.
This capability makes it simpler to protect resources that a user needs to access. For example, agents (an example of app clients) on behalf of users can request access tokens for specific protected resources, such as a user’s banking records. After validation, Cognito issues an access token with the audience claim set to the specific resource. Previously, clients had to use non-standard claims or scopes for Cognito to infer and issue resource-specific access tokens. Now, customers can specify the target resource in a simple and consistent way using standards-based resource parameter.
This capability is available to Amazon Cognito Managed Login customers using Essentials or Plus tiers in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to the developer guide, and pricing for Cognito Essentials and Plus tier.
Categories: general:products/aws-govcloud-us,general:products/amazon-cognito,marketing:marchitecture/security-identity-and-compliance
Source: Amazon Web Services
Latest Posts
- Amazon Redshift Serverless is now available in the AWS Asia Pacific (Osaka) and Asia Pacific (Malaysia) regions
- Dataverse Storage Corrected, No Action Needed [MC1180870]
- Microsoft Copilot Studio – Add and configure tool groups to agents [MC1180873]
- Microsoft Copilot Studio – Automate approvals decisions with Intelligent Approvals [MC1162218]
