AWS cognito medium security documentation change
Summary
Added documentation about PKCE support and refresh token grants
Security assessment
PKCE (Proof Key for Code Exchange) is a security feature that prevents authorization code interception attacks. Explicitly documenting support qualifies as security documentation addition
Diff
diff --git a/cognito/latest/developerguide/federation-endpoints-oauth-grants.md b/cognito/latest/developerguide/federation-endpoints-oauth-grants.md index 565da542a..fe4e92e03 100644 --- a//cognito/latest/developerguide/federation-endpoints-oauth-grants.md +++ b//cognito/latest/developerguide/federation-endpoints-oauth-grants.md @@ -12 +12 @@ The Amazon Cognito user pool OAuth 2.0 authorization server issues tokens in res -In response to your successful authentication request, the authorization server appends an authorization code in a `code` parameter to your callback URL. You must then exchange the code for ID, access, and refresh tokens with the [Token endpoint](./token-endpoint.html). To request an authorization code grant, set `response_type` to `code` in your request. For an example request, see [Authorization code grant](./authorization-endpoint.html#sample-authorization-code-grant). +In response to your successful authentication request, the authorization server appends an authorization code in a `code` parameter to your callback URL. You must then exchange the code for ID, access, and refresh tokens with the [Token endpoint](./token-endpoint.html). To request an authorization code grant, set `response_type` to `code` in your request. For an example request, see [Authorization code grant](./authorization-endpoint.html#sample-authorization-code-grant). Amazon Cognito supports [Proof Key for Code Exchange (PKCE)](./using-pkce-in-authorization-code.html) in authorization code grants. @@ -31,0 +32,5 @@ Client credentials grants add costs to your AWS bill. For more information, see +**Refresh token** + + +You can request a refresh token grant directly from the [Token endpoint](./token-endpoint.html). This grant returns new ID and access tokens in exchange for a valid refresh token. +