I am working on a project with AWS API Gateway, together with AWS Cognito to authenticate and authorize users. I defined my user group and added a resource server to add custom scopes, I currently have two of these:
Using Cognito, I created an Application Client, which is configured with an Authorization code grant OAuth flow. I have allowed my custom scopes defined above. I have established a domain name for the user group and, as a result, I have a hosted UI that I can use to register / log in, etc.
I can see that it is configured by parameters in the URL, that is
What prevents an attacker from adding com.mycompany.api/lender.cud to the list of scopes in the URL? This would allow them to use a valid login to add additional scopes to their JWT access token, which in turn is used by an API Gateway Authorizer to protect the endpoint. To try to combat this, I wrote my own implementation of a registration / login form using amazon-cognito-identity-js, but it does not allow me to define which scopes are passed to the access token, and instead provides a scope of
Am I missing something obvious here? Do I need to write my own logic at the callback endpoint to determine if the user's access token should have the scopes in the payload?
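As an added example (not part of the question above, and not Cognito's or API Gateway's own code), here is one way an API Gateway Lambda authorizer could stop a requested scope from being honoured for a user who is not entitled to it: the token's `scope` claim is intersected with a per-group allowlist derived from the `cognito:groups` claim, so a scope merely added to the hosted-UI URL is dropped. The group names, the group-to-scope mapping and the sample token payload are constructed assumptions; the functions expect the access token's signature, issuer, expiry and client_id to have been verified already (for example by an API Gateway JWT authorizer or a JWKS-based library) before its decoded claims are passed in.

```python
"""Scope enforcement against a per-group allowlist for Cognito access tokens.

Added example for illustration; the mapping below is a constructed assumption
and would come from the application's own configuration in practice.
"""

# Assumed policy: which custom scopes each Cognito group may exercise.
ALLOWED_SCOPES_BY_GROUP = {
    "lenders": {"com.mycompany.api/lender.cud", "com.mycompany.api/lender.read"},
    "borrowers": {"com.mycompany.api/borrower.read"},
}

# Scopes any authenticated user of the app client may carry regardless of group.
DEFAULT_SCOPES = {"openid", "email", "aws.cognito.signin.user.admin"}


def requested_scopes(claims):
    """Cognito stores the token's scopes as a space-separated string in `scope`."""
    return set(claims.get("scope", "").split())


def granted_scopes(claims):
    """Return only the scopes in the token that the user's groups permit.

    `claims` is the decoded payload of an access token whose signature, issuer,
    expiry and client_id have already been verified. Group membership is read
    from the `cognito:groups` list claim that Cognito adds for users in groups.
    """
    groups = claims.get("cognito:groups") or []
    allowed = set(DEFAULT_SCOPES)
    for group in groups:
        allowed |= ALLOWED_SCOPES_BY_GROUP.get(group, set())
    # The intersection discards any scope the user asked for in the URL
    # but is not entitled to by group membership.
    return requested_scopes(claims) & allowed


def dropped_scopes(claims):
    """Scopes that were requested but not permitted; worth logging or alerting on."""
    return requested_scopes(claims) - granted_scopes(claims)


def is_authorized(claims, required_scope):
    """True only if the scope is both present in the token and permitted for the user."""
    return required_scope in granted_scopes(claims)


# Constructed sample payload: a borrower who appended a lender scope to the URL.
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "access",
    "client_id": "example-client-id",
    "cognito:groups": ["borrowers"],
    "scope": "openid com.mycompany.api/borrower.read com.mycompany.api/lender.cud",
}

if __name__ == "__main__":
    print("granted:", sorted(granted_scopes(SAMPLE_CLAIMS)))
    print("dropped:", sorted(dropped_scopes(SAMPLE_CLAIMS)))
    print("lender.cud allowed:", is_authorized(SAMPLE_CLAIMS, "com.mycompany.api/lender.cud"))
```

The design point is that the `scope` claim on its own only proves the app client was allowed to issue that scope, so the authorizer should treat it as a request and decide entitlement from something tied to the user, such as group membership. Returning the dropped scopes separately gives the authorizer a cheap signal to log when a token carries scopes the user should not have.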