AWS cognito documentation change
Summary
Updated documentation for client metadata handling in M2M authentication flows with explicit parameter example
Security assessment
Added detailed instructions for secure client metadata handling in machine-to-machine authentication flows. While security-related, there's no evidence this addresses a specific vulnerability - rather enhances documentation of existing security controls.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md b/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md index 8f79d99d0..6ee486fdf 100644 --- a//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md +++ b//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md @@ -64,2 +63,0 @@ The access token from a client credentials grant is a verifiable statement of th -You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). Instead of in the body of an API request like with other Lambda triggers, you pass client metadata in `x-www-form-urlencoded` in the POST body of a request to the [Token endpoint](./token-endpoint.html). For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body). - @@ -69,0 +68,7 @@ For information about optimizing Amazon Cognito operations that add costs to you +###### Client metadata for machine-to-machine (M2M) client credentials + +You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). In authentication operations with a user principal, you can pass client metadata to the pre token generation trigger in the body of [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html) and [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) API requests. Because applications conduct the flow for generation of access tokens for M2M with direct requests to the [Token endpoint](./token-endpoint.html), they have a different model. In the POST body of token requests for client credentials, pass an `aws_client_metadata` parameter with the client metadata object URL-encoded (`x-www-form-urlencoded`) to string. For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body). The following is an example parameter that passes the key-value pairs `{"environment": "dev", "language": "en-US"}`. + + + aws_client_metadata=%7B%22environment%22%3A%20%22dev%22,%20%22language%22%3A%20%22en-US%22%7D +