oauth2 – Rest Services Authentication and Authorization with AWS Cognito

I am designing the authentication and authorization flow of my mobile and web applications. I plan to use the AWS Cognito identity provider.

  1. Use AWS Amplify and signup the user from the front-end.
    Question: The signup will happen totally independently. My backend (Spring boot Rest services) wouldn’t even know about this new user.

  2. Use AWS Amplify and sign in the user from the front-end.
    Question: Is it secure? Anyone can get hold of the access token and refresh token returned by the identity provider (AWS Cognito). Exposing access tokens may not be a great threat; exposing refresh tokens, on the other hand, can lead to serious security leaks. The refresh tokens never expire and therefore can be used for fetching a new set of access and refresh tokens.

If the above points are valid security concerns, should one do this signup and sign in from the back-end?

  1. Sign up:
    Front-end may call a backend API to sign up a user. Backend in turn calls the identity provider’s (Cognito) API to sign up the user.

  2. LOGIN:
    Front-end provides the user credentials and calls a backend API (my Spring rest service). The backend API (my Spring rest service) in turn calls the identity provider’s API to fetch the access and refresh tokens. The refresh token is saved in the DB and is used for fetching new access tokens when required. The access token (and not the refresh token) is returned to the front-end for it to pass with every other backend API (my Spring rest service) call.

I may have taken a totally different approach to Authentication by running my own Authorization server (Spring Authorization server) in place of an identity provider like AWS Cognito. Below are the main reasons why I am not going in that direction:

  1. Spring Authorization server is deprecated by the Spring team. The team has started rewriting the whole project and is still a work in progress.

  2. Maintaining and securing a custom Authorization server may not be a very scalable solution.

  3. A custom user pool management may be a tedious task in securing the user data, data sync, etc.

Am I thinking in the right direction in securing my backend spring-boot-based restful services? Is AWS Cognito the right choice for this use case? If it is a good fit for my use case, how do I use it in the most secure and scalable manner?
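As an added example (not code from the question), this is the resource-server side of the flow described above: every backend call carries the Cognito access token, and the Spring service verifies it against the user pool's published signing keys before serving the request. It assumes Spring Boot 3 / Spring Security 6 with `spring-boot-starter-oauth2-resource-server`; the region, user pool id and app client id are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class CognitoResourceServerConfig {

    // Placeholders: replace with your own pool's region, user pool id and app client id.
    private static final String ISSUER = "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>";
    private static final String APP_CLIENT_ID = "<app-client-id>";

    @Bean
    JwtDecoder jwtDecoder() {
        // Fetches and caches the pool's public keys; signatures are checked against them.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(ISSUER + "/.well-known/jwks.json").build();
        // Default validator checks exp/nbf and that "iss" is exactly this user pool.
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Cognito access tokens carry token_use=access and client_id: reject ID tokens
        // (which lack both) and access tokens minted for a different app client.
        OAuth2TokenValidator<Jwt> tokenUse =
                new JwtClaimValidator<String>("token_use", "access"::equals);
        OAuth2TokenValidator<Jwt> clientId =
                new JwtClaimValidator<String>("client_id", APP_CLIENT_ID::equals);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, tokenUse, clientId));
        return decoder;
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // Stateless bearer-token API: no session cookie, so no CSRF token is needed.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }
}
```

The refresh token never reaches this filter chain; only the short-lived access token is presented per request, so a leaked access token is bounded by its expiry while the refresh token stays wherever the login flow keeps it.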