
Cognito - Authorization Code Grant without secret key

I have a frontend app which I want to connect with a Cognito User Pool.

I am using openidconnect playground to test the authentication flow and this is my Cognito configuration:


I have not put a client secret because I don't think it is safe to have the client secret in the frontend URL.

This is the app client settings:


I am using Authorization Code Grant because the rest need a client secret.

So, this is the URL to do the login:
&scope=openid customscope/router customscope/modem

After that, for the exchange to get the token I use this request:


But if I don't share the client_secret as param it returns an error.

How can I do the authentication process without the client secret? Is that possible? If not, how can I manage the client secret without handling it in the frontend application?



  • When using auth code grant type on public clients, you should use PKCE.