Reputation: 3412
Handle one user in multiple "accounts" with AWS Cognito?
We have a use-case with using AWS Amplify and Cognito for user authentication where a user will be given certain roles for authorization, e.g. "create object", "delete object", etc.
Now we have a new requirement where a user should be able to belong to multiple organizations. This means that the user will have to have the option of belonging to different roles in different organizations, e.g. being able to delete in one organization but not in the other (being logged in with the same account/e-mail).
As there is a variable number of organizations creating groups or roles per organization is not an option (as there would potentially be millions of groups).
Can this be solved using Cognito at all or would a custom coded solution be preferred and only use Cognito for the authentication?
Upvotes: 0
Views: 1538
Answers (1)
Reputation: 1940
I proposed a doable solution to this requirements in https://github.com/aws-amplify/amplify-cli/issues/630. And it is working in my app.
Yes, as there could be so many organizations, it is not feasible to use a Cognito group to represent an organization.
The idea of my solution is to have 3 custom models: User, Organization, and Membership. This allows many-to-many relationships between users and organizations: A user can belong to multiple organizations, and an organization can employ multiple users.
Usercould contains its own info. You could also let a user has the sameidas in cognito such that you can align a cognito user with aUserstored in DynamoDB.Organizationcould contains its own info.Membershipis the critical bridge as it connects to both ends (user and organization) and you can encode role info here.
See many-to-many section to understand how does Membership work in AWS Amplify GraphQL Transform.
The schema.graphql looks like:
type User @model {
id: ID!
organizations: [Membership] @connection(name: "Membership_User")
}
type Organization @model {
id: ID!
users: [Membership] @connection(name: "Membership_Organization")
}
type Membership @model {
id: ID!
user: User! @connection(name: "Membership_User")
organization: Organization! @connection(name: "Membership_Organization")
role: Role!
}
type Role {
canCreate: Boolean!
canDelete: Boolean!
}
In my github issue, think of Project as your Organization, and the rest are almost the same.
Upvotes: 3
Related Questions
- Creating different User Types in AWS Amplify
- Referencing a cognito user in database
- Setting aws-amplify user session manually
- How can I create 2 different type of users using AWS Cognito?
- Best practice for multiple user types in AWS Cognito?
- Accessing the Same User Pool Account with Multiple Federated Identities?
- Amazon Cognito MFA on a user by user basis?
- Support multiple user pools or organizations in Cogntio/AWS Amplify?
- Cognito: One account with multiple login names
- Can aws-amplify support multiple concurrent logins that can be switched amongst?