Why is ID token used instead of Access token to get temporary credentials in AWS?


After a user logs on to Cognito, he receives access and ID tokens. The ID token contains sensitive info like phone number, email, etc.

From all standards – ID token should not be used to gain access to an API: https://auth0.com/docs/tokens?_ga=2.253547273.1898510496.1593591557-1741611737.1593591372

In the backend, to get a session credential (to work with AWS resources) – you typically do this:

    import boto3

    # region, user_pool_id, identity_pool_id come from the app's configuration;
    # id_token is the ID token returned by the user-pool login.
    provider = f'cognito-idp.{region}.amazonaws.com/{user_pool_id}'
    cognito_identity = boto3.client('cognito-identity')

    identity_id_response = cognito_identity.get_id(
        IdentityPoolId=identity_pool_id,
        Logins={
            provider: id_token  # ID token! not access token
        }
    )

Then:

    # get_id returns a dict; the identity id is under the 'IdentityId' key
    response = cognito_identity.get_credentials_for_identity(
        IdentityId=identity_id_response['IdentityId'],
        Logins={
            provider: id_token  # ID token again
        },
    )

Then, you can use AccessKeyId, SecretKey, SessionToken etc.

This is problematic, as what if you want to send the ID token to multiple services (via SNS, etc.) so you could perform processing on behalf of the user? You basically send a sensitive token that contains sensitive user data over the backend.

So – it requires an encryption before sending this token, which seems like an overhead.

Any thoughts?
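As an added illustration (not part of the question or of any AWS library), the following decodes two constructed JWTs whose claim sets are modelled on a Cognito User Pool ID token and access token, and lists which personal-data claims a downstream service would receive if the token were forwarded. Claim names follow Cognito's token shapes (`aud` on the ID token, `client_id` on the access token); all values are made up and the signature is a dummy, so no signature verification is performed.

```python
import base64
import json

# Claims a Cognito ID token may carry that hold personal data; the access
# token for the same user does not carry them.
PII_CLAIMS = {"email", "phone_number", "name", "given_name", "family_name",
              "address", "birthdate", "cognito:username"}


def decode_payload(token):
    """Return the JWT payload as a dict. Inspection only: the signature is
    NOT verified, so never use this in place of a real validator."""
    _header_b64, payload_b64, _sig = token.split(".")
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token):
    """Summarise what a service holding this token learns: its kind
    (id vs access), which client it is scoped to, and any PII claims."""
    claims = decode_payload(token)
    return {
        "token_use": claims.get("token_use"),
        # ID tokens name the app client in 'aud', access tokens in 'client_id'
        "audience": claims.get("aud") or claims.get("client_id"),
        "pii_claims": sorted(PII_CLAIMS.intersection(claims)),
    }


def _fake_jwt(payload):
    """Build a constructed, unsigned JWT (dummy signature) for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


# Constructed claim sets; values are placeholders, not real identities.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
ID_TOKEN = _fake_jwt({"sub": "constructed-sub", "aud": "app-client-id",
                      "iss": ISSUER, "token_use": "id",
                      "email": "user@example.com", "phone_number": "+15555550100"})
ACCESS_TOKEN = _fake_jwt({"sub": "constructed-sub", "client_id": "app-client-id",
                          "iss": ISSUER, "token_use": "access",
                          "scope": "aws.cognito.signin.user.admin"})

if __name__ == "__main__":
    for name, tok in (("id", ID_TOKEN), ("access", ACCESS_TOKEN)):
        print(name, inspect_token(tok))
```

Running it shows the ID token exposing `email` and `phone_number` while the access token exposes none, which is the exposure the question is concerned about when the ID token is passed between services.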