How can I define custom scopes on a per user basis using cognito?
For example I have scope resource1.read, resource1.write
I want user A to have resource1.read and resource1.write while user B has resource1.read only.
This is just a high level example. We have tons of different resources and want to allow customers to manage what resources each user has access to.
I haven't found a way to associate scopes with each individual user, only at a per-pool level.
Is there a way to achieve this using only Cognito, or Cognito + some AWS managed service, or do I have to implement another API to manage the scopes myself?
We couldn't find a way to make scopes work on a per-user basis, so we ended up using custom attributes instead.
If you have fewer than 25 scopes (the Cognito max limit) then you can use one attribute per scope. P.S. just be aware you can't rename/remove an attribute once it's in place unless you delete the whole pool and start over again.
For example your attributes might look like:
custom:resource1.read : "true"
custom:resource1.write : "false"
custom:resource2.read : "true"
custom:resource2.write : "true"
The idea is simple: instead of having all the scopes defined inside the scopes array, we define them as regular custom attributes. When the code checks for scopes, just loop through all fields and find the ones with the correct prefix.
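Added example (not code from the answer above): the "loop through the custom attributes" check written out in Python, assuming the claims come from an already-verified Cognito ID token, where user attributes appear as `custom:<name>` claims with string values. It fails closed: only the exact string `"true"` grants a scope.

```python
# Added example: derive per-user scopes from Cognito custom attributes.
# Assumes `claims` is the decoded payload of an ID token whose signature
# and expiry have already been verified (verification is out of scope here).

ATTR_PREFIX = "custom:"    # Cognito prefixes every custom attribute
GRANTED_VALUE = "true"     # attribute values are strings, never booleans


def scopes_from_claims(claims: dict) -> frozenset:
    """Return the scopes whose 'custom:<scope>' attribute is exactly "true".

    A missing attribute, "false", "True", "1" or "" all deny the scope, so a
    user with no attributes set ends up with no scopes at all.
    """
    granted = set()
    for name, value in claims.items():
        if not name.startswith(ATTR_PREFIX):
            continue  # standard claims such as sub, email, token_use
        scope = name[len(ATTR_PREFIX):]
        if isinstance(value, str) and value == GRANTED_VALUE:
            granted.add(scope)
    return frozenset(granted)


def has_scope(claims: dict, required: str) -> bool:
    """True if the user holds one specific scope."""
    return required in scopes_from_claims(claims)


def authorize(claims: dict, required: list) -> bool:
    """True only if every required scope is granted (AND semantics)."""
    granted = scopes_from_claims(claims)
    return all(scope in granted for scope in required)


# Constructed sample claims, modelled on the attribute layout in the answer.
USER_A = {"sub": "a1", "email": "a@example.com",
          "custom:resource1.read": "true", "custom:resource1.write": "true",
          "custom:resource2.read": "true", "custom:resource2.write": "false"}
USER_B = {"sub": "b2", "custom:resource1.read": "true",
          "custom:resource2.read": "True"}  # wrong case, so denied

if __name__ == "__main__":
    print(sorted(scopes_from_claims(USER_A)))
    print(authorize(USER_B, ["resource1.read", "resource1.write"]))
```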