TL;DR: Amplify stores Cognito's long-lived, never-rotating refresh tokens in local storage, where they can be stolen by any XSS vulnerability. A backend is needed in order to use `HttpOnly` cookies, but Cognito doesn't provide this for its users. You have to build it yourself, as with so many things in the AWS ecosystem.
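The backend the TL;DR says you have to build, sketched as an added example (not code from the linked article, from Amplify or from AWS): the server keeps the Cognito refresh token in an `HttpOnly` cookie scoped to its own token endpoints and hands the SPA only short-lived tokens, so page script, and therefore XSS, never sees the refresh token. The `exchange` callable standing in for Cognito's `InitiateAuth(REFRESH_TOKEN_AUTH)` call and the `/auth` path are assumptions.

```python
"""Backend-for-frontend token handler: refresh token lives only in an HttpOnly cookie."""
from http.cookies import SimpleCookie
import secrets

COOKIE_NAME = "cognito_refresh"
COOKIE_PATH = "/auth"  # assumed prefix of the token endpoints; cookie is sent nowhere else


def refresh_cookie_header(refresh_token: str, max_age: int = 30 * 24 * 3600) -> str:
    """Build a Set-Cookie value that document.cookie / localStorage can never read."""
    c = SimpleCookie()
    c[COOKIE_NAME] = refresh_token
    c[COOKIE_NAME]["httponly"] = True      # not exposed to JavaScript
    c[COOKIE_NAME]["secure"] = True        # HTTPS only
    c[COOKIE_NAME]["samesite"] = "Strict"  # not attached to cross-site requests
    c[COOKIE_NAME]["path"] = COOKIE_PATH
    c[COOKIE_NAME]["max-age"] = max_age
    return c.output(header="").strip()


def clear_cookie_header() -> str:
    """Expire the cookie when the refresh token is rejected (logout / revocation)."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path={COOKIE_PATH}; HttpOnly; Secure; SameSite=Strict"


def handle_login_callback(cognito_tokens: dict) -> tuple:
    """After the server has exchanged the authorization code, keep the refresh token
    server-side (cookie) and return only the short-lived tokens in the JSON body."""
    headers = {"Set-Cookie": refresh_cookie_header(cognito_tokens["refresh_token"])}
    body = {k: cognito_tokens[k] for k in ("access_token", "id_token", "expires_in")}
    return 200, headers, body


def handle_refresh(request_headers: dict, exchange) -> tuple:
    """Read the refresh token from the cookie only (never from the request body),
    exchange it server-side, and return a new access token. `exchange` stands in for
    the Cognito refresh call; it returns a token dict or None when the token is bad."""
    cookies = SimpleCookie(request_headers.get("Cookie", ""))
    morsel = cookies.get(COOKIE_NAME)
    if morsel is None:
        return 401, {}, {"error": "not authenticated"}
    tokens = exchange(morsel.value)
    if tokens is None:
        return 401, {"Set-Cookie": clear_cookie_header()}, {"error": "refresh rejected"}
    return 200, {}, {"access_token": tokens["access_token"], "expires_in": tokens["expires_in"]}


def fake_cognito_exchange(refresh_token: str):
    """Constructed stand-in for Cognito: accepts one known refresh token, rejects the rest."""
    if refresh_token == "constructed-valid-refresh-token":
        return {"access_token": "access-" + secrets.token_hex(8), "expires_in": 3600}
    return None
```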
Check out https://supertokens.com/ - an open-source alternative to Auth0. It has a lot of free features and if you self-host it, it's free at any scale. For our managed service, it's still far cheaper compared to Auth0.
You couldn't pay me to use their bullshit... if you need an identity server/provider, go with Keycloak. Open source, free, and standards-based; works better and scales better too.
Check out https://fusionauth.io/