1. A development team is building a mobile application that authenticates users with Amazon Cognito User Pools. After authentication, the app receives an ID token, an access token, and a refresh token. The team wants to understand the correct usage of each token. Which of the following statements accurately describes the intended use of the ACCESS TOKEN in this context? (Select TWO)
- A. The access token is used to call Amazon Cognito User Pools API operations that require user authentication, such as changing a password✓ Correct
- B. The access token contains identity claims about the user (name, email) and is passed to the application backend to identify the user
- C. The access token is a JWT that contains scopes and group membership information used to authorize requests to an OAuth 2.0-protected API✓ Correct
- D. The access token should be passed to Amazon Cognito Identity Pools to obtain temporary AWS IAM credentials
- E. The access token is used to retrieve new ID and access tokens without requiring the user to re-authenticate
Explanation
Correct (A): The Cognito access token is specifically designed to authorize calls to Cognito User Pool API operations (e.g., ChangePassword, UpdateUserAttributes) that require the user to be authenticated. Correct (C): The access token is a JWT that carries OAuth 2.0 scopes and Cognito group memberships; it is the correct token to present to an API Gateway with a Cognito authorizer or a custom OAuth 2.0 resource server to authorize API access. Wrong (B): Identity claims about the user (name, email, sub, etc.) are contained in the ID TOKEN, not the access token. Wrong (D): To obtain temporary AWS credentials from an Identity Pool, the ID token (not the access token) is the correct token to present to the Identity Pool's GetId and GetCredentialsForIdentity calls. Wrong (E): Using a token to get new tokens without re-authentication is the role of the REFRESH TOKEN, not the access token.