CODEWITHSUNDEEP
amazon-web-servicesgraphqlaws-amplify
flashbackzoo
flashbackzoo

Reputation: 358

AWS Amplify @auth rule require multiple group membership

Is it possible to have auth rules requiring authenticated users to belong to multiple groups? For example "allow users who are in 'Tenant N' AND who are 'Editors'".

Our models are currently similar to this:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "tenantID" },
  ])
{
  id: ID!
  tenantID: String!
}

So using static group auth doesn't work for us:

type MyModel
  @model
  @auth(rules: [
    { allow: groups, groups: ["DynamicTenantId", "Editor"] }
  ])
{
  id: ID!
  tenantID: String!
}

Because tenantID is a dynamic value, we need to use dynamic group auth instead:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "tenantID" },
    { allow: groups, group: "Editor" },
  ])
{
  id: ID!
  tenantID: String!
}

But this doesn't work because it's an "OR", saying "allow anyone in the tenant OR anyone with the 'Editor' group".

Updating our models to use single dynamic group auth field doesn't work either:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "allowGroups" },
  ])
{
  id: ID!
  allowGroups: [String] # ['DynamicTenantId', 'Editor']
}

Because this an "OR" too, saying "allow anyone in the tenant OR anyone with the 'Editor' group".

Are there any other options, aside from a custom authenticator, to require multiple group membership?

Upvotes: 1

Views: 593

Answers (1)

flashbackzoo
flashbackzoo

Reputation: 358

Got an answer / workaround on the aws-amplify GitHub repo: https://github.com/aws-amplify/amplify-category-api/issues/28

Upvotes: 1

Related Questions