AWS Amplify (AppSync + Cognito) Authorization using dynamic groups per organization/tenant


I have an AWS Amplify application that has a structure with multi-organizations:

Organization A -> Content of Organization A
Organization B -> Content of Organization B

Let's say we have the user Alice. Alice belongs to both organizations; however, she has different roles in each one: in Organization A Alice is an administrator and has more privileges (i.e. she can delete content or modify others' content), while in Organization B she is a regular user.

For this reason I cannot simply set regular groups on Amplify (Cognito), because some users, like Alice, can belong to different groups in different organizations.

One solution I thought of was having a group for each combination of organization and role, i.e. OrganizationA__ADMIN, OrganizationB__USER, etc. Then I could restrict access in the schema using a group auth directive on the Content model:

{allow: group, groupsField: "group", operations: [update]},

The content would have a group field with a value: OrganizationA__ADMIN

Then I could add the user to the group using the Admin Queries API. However, it doesn't seem to be possible to add a user to a group dynamically; I'd have to manually create each group every time a new organization is created, which pretty much kills my idea.

Any other idea on how I can achieve the result I'm aiming for? I know that I can add the restriction in code, but this is less safe, and I'd rather have this constraint on the database layer.

Answer by Andrew Gillis (best answer)

Look into generating additional claims in your pre-token-generation handler.

Basically you can create an attribute that includes the organization/role mapping,

e.g.

{
  // ...
  "custom:orgmapping": "OrgA:User,OrgB:Admin"
}

Then transform them in your pre-token-generation handler into "pseudo" groups that don't actually exist in the pool.
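The following is an added worked example of the approach in this answer, not code from the answerer or from AWS. It is a Node.js Cognito Pre Token Generation trigger that reads the `custom:orgmapping` attribute, turns each `Org:Role` pair into a pseudo-group named with the `OrganizationX__ROLE` convention from the question, and writes those names into the token's groups claim via the documented `claimsOverrideDetails.groupOverrideDetails.groupsToOverride` response field. The attribute name, the allowed role list and the sample event are assumptions made for the example; the `canUpdate` helper at the end only mirrors what the `{allow: group, groupsField: "group"}` directive compares, so you can reason about the outcome locally.

```javascript
// Added example (not the answerer's code): Cognito Pre Token Generation trigger
// that converts a "custom:orgmapping" attribute into pseudo-groups.
// Event shape (request.userAttributes / response.claimsOverrideDetails) is the
// documented Cognito trigger format; attribute name and roles are assumptions.

const ATTRIBUTE = "custom:orgmapping";           // assumed attribute name
const ALLOWED_ROLES = new Set(["ADMIN", "USER"]); // assumed role vocabulary

// Parse "OrgA:User,OrgB:Admin" into [{ org: "OrgA", role: "USER" }, ...].
// Malformed or unknown entries are dropped rather than turned into a group,
// so a bad attribute value can only reduce privileges, never widen them.
function parseOrgMapping(value) {
  if (typeof value !== "string" || value.trim() === "") return [];
  const seen = new Set();
  const result = [];
  for (const entry of value.split(",")) {
    const parts = entry.split(":").map((s) => s.trim());
    if (parts.length !== 2) continue;                 // not "Org:Role"
    const [org, rawRole] = parts;
    const role = rawRole.toUpperCase();
    if (!/^[A-Za-z0-9]+$/.test(org)) continue;        // keep group names clean
    if (!ALLOWED_ROLES.has(role)) continue;           // unknown role, ignore
    const key = `${org}__${role}`;
    if (seen.has(key)) continue;                      // de-duplicate
    seen.add(key);
    result.push({ org, role });
  }
  return result;
}

// Build the pseudo-group names that the AppSync group directive compares
// against the item's "group" field (e.g. "OrgA__ADMIN").
function toPseudoGroups(mapping) {
  return mapping.map(({ org, role }) => `${org}__${role}`);
}

// Synchronous core of the trigger: fills response.claimsOverrideDetails so the
// issued token's "cognito:groups" claim becomes exactly the computed list.
function buildResponse(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = toPseudoGroups(parseOrgMapping(attrs[ATTRIBUTE]));
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: {
      groupsToOverride: groups, // replaces any real pool groups in the token
    },
  };
  return event;
}

// Lambda entry point for the Pre Token Generation trigger.
async function handler(event) {
  return buildResponse(event);
}

// Local mirror of {allow: group, groupsField: "group", operations: [update]}:
// an update is allowed only if one of the caller's groups equals item.group.
function canUpdate(tokenGroups, item) {
  return Array.isArray(tokenGroups) && tokenGroups.includes(item.group);
}

// Constructed sample event for a stand-alone run.
const sampleEvent = {
  request: { userAttributes: { [ATTRIBUTE]: "OrgA:User,OrgB:Admin" } },
  response: {},
};
console.log(buildResponse(sampleEvent).response.claimsOverrideDetails);

if (typeof module !== "undefined") {
  module.exports = { handler, buildResponse, parseOrgMapping, toPseudoGroups, canUpdate };
}
```

Two caveats worth keeping in mind: `groupsToOverride` replaces the user's real pool groups in the token, so any group you still rely on must be included in the computed list, and the trigger in its default (V1) form shapes the ID token, which is the token Amplify sends to AppSync for the user-pool auth mode; check the trigger version your pool uses if you also rely on access-token claims.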