Jiew Meng

Reputation: 88189

Additional authorization logic for Cognito User Pools User

If I use AWS Cognito User Pools, is it possible to specify the roles of a user and then check whether this user has a specific role, e.g. Admin, before he/she is able to access a resource, e.g. API Gateway?

Upvotes: 0

Views: 276

Answers (1)

Victor Kim

Reputation: 1767

You can use groups in Cognito User Pools and validate in a custom Authorizer that the user is in adminGroup:

  let admin = false;
  // cognito:groups is an array claim; an absent claim means no groups.
  const groups = payload['cognito:groups'] || [];
  // Check membership anywhere in the array, not only groups[0],
  // so a user who belongs to several groups is still recognised.
  if (groups.includes('adminGroup')) {
    admin = true;
  }

The payload here is what you get from the identity token. If there is no cognito:groups claim, then the user is not in any group.

Another option is to take advantage of custom attributes in User Pools (the logic for validation in the Authorizer should be similar to the logic above).

Other solutions are also possible, but those are external to User Pools (e.g. keep track of user roles in external DB).

Whether it is groups or a custom attribute (or another solution), you would have to validate the user role in the custom authorizer. This way, the request will arrive at the custom Authorizer before the API Gateway endpoint. If the user should be an admin but is not (not in adminGroup or doesn't have the custom attribute 'admin'), you issue a deny policy in the authorizer.

Hope this answers your question.

Upvotes: 1
