Is AWS Wrong?
2 comments
By offloading the service to AWS, they have the responsibility and liability of taking that on. That doesn't get you completely off the hook however - you still have a brand to protect. It would be worth your time to reach out to your AWS TAM to find out the justifications about this. They are pleasantly forward with a lot of their decisions in my experience.
Cognito supports OAuth integration, but itself isn't an implementation of OAuth.
Our architects are adamant that AWS is the sole authority here, but I want to understand why AWS seems to recommend using the ID token when I can't find recommendations anywhere else.