Their recommendation applies when you use both the client ID of the application and the secret (usually in mobile development).
When you create an application, you can optionally create a secret for this application. If a secret is created for an application, the secret must be used when using the application. Browser-based applications written in JavaScript may not need an application secret.
When you use Cognito on the Internet, you do not need to generate a secret (uncheck the box when creating an application in your user pool). This does leave the application client identifier in clear text on the client, but there is no more risk in this scenario than from having the login page open to the Internet: an attacker can try to brute-force your login either way.
What I'm sure Amazon does in this case (and what anyone should do for user login anyway) is protect with request throttling, IP blacklists, etc., which significantly slows attackers down to the point where it's impossible or not worth mounting brute-force attacks.
In short, you don't have to worry about leaving the application client ID embedded in your web interface code.
Hope this helps!
Andrei Papancea
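To make the distinction in the answer above concrete, here is an added example (not part of the original answer) showing why a browser client should be created without a secret. A Cognito app client that has a secret requires every auth call to carry a `SECRET_HASH`, computed as Base64(HMAC-SHA256(key = client secret, message = username + client ID)); a client without a secret sends only the client ID, which is the public value the answer says is safe to embed. The client ID, secret and username values below are constructed placeholders, and the code only builds the `AuthParameters` dictionary that would be passed to `InitiateAuth`; it makes no network calls.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Anything that can compute this value holds the client secret, which is why a
    secret must never ship in browser JavaScript; it is meant for confidential
    clients (server-side code, or mobile apps as the answer notes).
    """
    message = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_auth_parameters(
    username: str,
    password: str,
    client_id: str,
    client_secret: Optional[str] = None,
) -> Dict[str, str]:
    """Build the AuthParameters map for a USER_PASSWORD_AUTH InitiateAuth call.

    With no client secret (the public, browser-friendly app client) only the
    username and password are sent alongside the public client ID. With a
    secret, Cognito rejects the call unless SECRET_HASH is present as well.
    """
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret is not None:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params


if __name__ == "__main__":
    # Constructed placeholder values; a real client ID comes from your user pool.
    CLIENT_ID = "example1client2id3placeholder"
    CLIENT_SECRET = "example-client-secret-placeholder"

    # Public (browser) app client: nothing sensitive in the request besides the password.
    print(build_auth_parameters("alice", "hunter2", CLIENT_ID))

    # Confidential app client: SECRET_HASH proves possession of the secret.
    print(build_auth_parameters("alice", "hunter2", CLIENT_ID, CLIENT_SECRET))
```

With boto3 the resulting dictionary would be passed as `AuthParameters` to `cognito-idp`'s `initiate_auth` together with `ClientId` and `AuthFlow="USER_PASSWORD_AUTH"`; the point of the example is that the secret-bearing variant can only ever be produced by code that holds the secret, so the secret-less app client is the correct choice for anything running in a browser.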