Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Multi-Tenant Authentication with AWS Cognito

Tags:

My current project is in AWS, using Cognito and microservices with Lambda. We have designed the microservices using DDD and are in the process of implementing basic functionality.

However, there is a business need for users of the API to be able to be categorised into the client company that they work for, and only be able to access data for that client company as well as any role-based authentication we will have.

This isn't a full multi-tenant solution as every user will be working with the same website, but their account will have been associated with a particular client.

Everything I have read about doing something like this in AWS suggests using one user role or pool per client and associating users with it when they are created, however we do not want to do this, as the clients typically consist of 2-3 users and there are many clients. This would quickly become unmaintainable in terms of number of user pools.

I tried to think of ways around this issue using "conventional" means, such as adding a domain service into the architecture which was solely designed to add client data to each request by a particular user by calling into the user microservice, but this seems overly complex. I also considered changing the architecture to include basic user and role information in each microservice, but that seems messy.

My question is are there any officially supported ways to add data into an AWS Cognito profile programmatically, and in such a way that this could be changed through a front-end website by a client admin after the account has been created? Even if it's just a clientId field in the token.

If not, then what would anybody who has experienced a similar issue recommend as an alternative to the user pools suggestion.

Thank you.

EDIT:

I have also been investigating several ways to do this using attributes on Cognito profiles, as mentioned here. It seems like this is the way to do more or less what I'm trying to achieve, but I'd still like to hear about alternatives or advice.

like image 639
GallJ93 Avatar asked Jul 11 '18 09:07

GallJ93

People also ask

Can AWS Cognito be used for authorization?

Amazon Cognito allows you to use groups to create a collection of users, which is often done to set the permissions for those users. In this post, I show you how to build fine-grained authorization to protect your APIs using Amazon Cognito, API Gateway, and AWS Identity and Access Management (IAM).

How do you authenticate on Amazon Cognito?

Configure the external provider in the Amazon Cognito console. Choose Manage Identity Pools from the Amazon Cognito console home page : Choose the name of the identity pool where you want to enable Login with Amazon as an external provider. The Dashboard page for your identity pool appears.

Can Cognito be an IdP?

However, a Cognito user pool is its own IdP. If an identity pool is configured correctly, it can use the app's user pools as an IdP. This way, users authenticate via user pools and are assigned IAM roles via identity pools.

Is Cognito Multi AZ?

In each Region, Amazon Cognito is distributed across multiple Availability Zones. These Availability Zones are physically isolated from each other, but are united by private, low-latency, high-throughput, and highly redundant network connections.

1 Answers

The solution we will use for this issue will be to use custom attributes as part of the Cognito user set-up. We will have text fields for additional attributes or groups that the user belongs to.

The way this should be implemented can be found at the following links:

  • Managing SaaS Identity Through Custom Attributes and Amazon Cognito
  • Managing SaaS Users with Amazon Cognito
  • SaaS identity and isolation with Amazon Cognito (Example Guide)
  • SaaS Storage Strategies

With this data being automatically passed into each service as part of the Cognito credentials, we will be able to check that the user has the valid credentials for accessing data specific to each client.

Examples of how to work with Cognito in a NodeJS application (sometimes with Serverless) include:

https://serverless-stack.com/chapters/login-with-aws-cognito.html

https://serverless-stack.com/chapters/add-a-create-note-api.html#configure-the-api-endpoint

This seems to be most easily achieved by using the aws-amplify package, which is primarily designed for front-end authentication, but which can be used in NodeJS for back-end authentication as specified here.

like image 163
GallJ93 Avatar answered Sep 19 '22 11:09

GallJ93
Sign in to Comment

Related questions

How to add a Project (.csproj) to Solution (.sln) under a Solution Folder using dotnet CLI (command line)?
Number of channels in pil (pillow) image
How to handle for promise inside a piped map
Easily check if a number is in a given Range in Dart?
How to perfect forward a member variable [duplicate]
Type system oddity: Enumerable.Cast<int>()
C++ copy constructor called at return
How is Node.js Knex similar/different to Sequelize?
Android Studio - Install failed. Installation failed <a href='rerun'>Rerun</a>
Why can a destructor change the state of a constant object?
How to make onclick function execute only once?
Difference between char and character objects

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!