LurenzZ

Reputation: 23

AWS Cognito use custom attribute to map Spring application ROLE instead of cognito:groups

In my application the users are split into 2 macro categories: Customer and Backoffice. Every category has a subset of roles, for example MANAGER and USER for the Customer type and different ones for the Backoffice type.

So a user could be a Customer with a MANAGER role or a Backoffice with, for example, a SALES role.

Every Spring + Cognito guide on the web uses cognito:groups to map the Spring ROLE, but for my case I would need to nest groups, which is not possible on Cognito. I've been thinking of using 2 custom attributes (writable only by the admin) to set the category and role of the user respectively.

My question is, is there any disadvantage to using attributes instead of the groups?

Upvotes: 1

Views: 337

Answers (1)

Sampath Dilhan

Reputation: 815

One major concern is that those custom attributes won't be available as claims in the access token. But groups are available. So if you plan to use the access_token, you may have to consider that.

There are some other minor considerations that I can think of, which may or may not be related to your implementation:

  • Maximum number of custom attributes per user pool is 50.
  • Once created, you cannot edit the name, min/max length and mutable property of the custom attribute. Also, we cannot delete it.

Even though nested groups are not supported in Cognito, is it not an option to create groups like: category_role? Example: Customer_MANAGER?

Upvotes: 2
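The category_role naming suggested in the answer can be mapped to Spring authorities straight from the `cognito:groups` claim of the access token. The following is an added example, not code from the question or the answer; it assumes a Spring Security OAuth2 resource server, and the class name, the allowlist contents and the `ROLE_<CATEGORY>_<ROLE>` authority format are hypothetical choices.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

/** Maps Cognito groups named Category_ROLE (e.g. Customer_MANAGER) to Spring authorities. */
public class CognitoGroupAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    // Assumed allowlist built from the role names mentioned in the question.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "Customer", Set.of("MANAGER", "USER"),
            "Backoffice", Set.of("SALES"));

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        List<String> groups = jwt.getClaimAsStringList("cognito:groups");
        if (groups == null) {
            return authorities; // claim missing: grant nothing (fail closed)
        }
        for (String group : groups) {
            int sep = group.indexOf('_');
            if (sep <= 0 || sep == group.length() - 1) {
                continue; // not in Category_ROLE form
            }
            String category = group.substring(0, sep);
            String role = group.substring(sep + 1);
            // Grant only known pairs, as one combined authority, so that membership in
            // two groups never yields a category/role combination nobody assigned.
            if (ALLOWED.getOrDefault(category, Set.of()).contains(role)) {
                authorities.add(new SimpleGrantedAuthority(
                        "ROLE_" + category.toUpperCase(Locale.ROOT) + "_" + role));
            }
        }
        return authorities;
    }

    /** Register via http.oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(...))). */
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new CognitoGroupAuthoritiesConverter());
        return converter;
    }
}
```

With this mapping, an endpoint can be restricted with `hasRole("CUSTOMER_MANAGER")`, and a group name that is not on the allowlist grants no authority.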
