Anders
Anders

Reputation: 3412

Handle one user in multiple "accounts" with AWS Cognito?

We have a use-case with using AWS Amplify and Cognito for user authentication where a user will be given certain roles for authorization, e.g. "create object", "delete object", etc.

Now we have a new requirement where a user should be able to belong to multiple organizations. This means that the user will have to have the option of belonging to different roles in different organizations, e.g. being able to delete in one organization but not in the other (being logged in with the same account/e-mail).

As there is a variable number of organizations creating groups or roles per organization is not an option (as there would potentially be millions of groups).

Can this be solved using Cognito at all or would a custom coded solution be preferred and only use Cognito for the authentication?

Upvotes: 0

Views: 1538

Answers (1)

yiksanchan
yiksanchan

Reputation: 1940

I proposed a doable solution to this requirements in https://github.com/aws-amplify/amplify-cli/issues/630. And it is working in my app.

Yes, as there could be so many organizations, it is not feasible to use a Cognito group to represent an organization.

The idea of my solution is to have 3 custom models: User, Organization, and Membership. This allows many-to-many relationships between users and organizations: A user can belong to multiple organizations, and an organization can employ multiple users.

  • User could contains its own info. You could also let a user has the same id as in cognito such that you can align a cognito user with a User stored in DynamoDB.
  • Organization could contains its own info.
  • Membership is the critical bridge as it connects to both ends (user and organization) and you can encode role info here.

See many-to-many section to understand how does Membership work in AWS Amplify GraphQL Transform.

The schema.graphql looks like:

type User @model {
  id: ID!
  organizations: [Membership] @connection(name: "Membership_User")
}

type Organization @model {
  id: ID!
  users: [Membership] @connection(name: "Membership_Organization")
}

type Membership @model {
  id: ID!
  user: User! @connection(name: "Membership_User")
  organization: Organization! @connection(name: "Membership_Organization")
  role: Role!
}

type Role {
  canCreate: Boolean!
  canDelete: Boolean!
}

In my github issue, think of Project as your Organization, and the rest are almost the same.

Upvotes: 3

Related Questions