AWS Cognito SRP calculations in a JS browser app


I'm a web dev and I need to integrate a login page using AWS Cognito User Pools. I can't use the integrated UI, so I'm using @aws-sdk/client-cognito-identity-provider.

I'm not in a secure server environment and can't keep secrets, so I'd like to use SRP to log in via the InitiateAuthCommand. I guess it's the recommended flow in the docs. This AWS SRP auth flow doc page talks about 'SRP calculations', but I can't find any way to do it with the SDK nor any lead in the doc.

After some research, the crypto prerequisites for implementing this myself are too high to make this solution secure.

So my question is: How are you supposed to use SRP without the integrated UI? Is this even possible without strong security knowledge?

I have found some third-party libs, but I find it really weird to have to rely on them for such a critical part of an application when using AWS.


Answer by quyentho

You may have misunderstood the doc here. Your actual concern seems to be about how to implement SRP. This isn't a valid concern, because the document mentions that:

The app generates SRP details with the Amazon Cognito SRP features that are built in to AWS SDKs.

You don't need to worry about the details of SRP implementation. The SDK will handle that for you.

Here's the second part of the question: How can you securely use Amazon Cognito in an unsecured environment like a web frontend or mobile app? Since Cognito offers two types of operations:

  1. Authenticated operations: These require IAM credentials, an access token, a session token, a client secret, or a combination of these.
  2. Unauthenticated operations: These don't require including any secrets in your code. Please refer to this link and open the "Unauthenticated user operations" section for more details.

If you're interested in the actual code implementation, there are examples of usage in JS that you can easily copy and paste into your project (be sure to follow any required prerequisites).