RossWilliams
commented
5 years ago Owner permissions currently allow specifying an arbitrary claim by using the 'identityField' parameter. If you want to process a claim that holds an array of strings, a current option is to add more items to the 'cognito:groups' claim using a Cognito Pre-Token Lambda. The documentation shows group modifications here. I do not use this myself, but I don't think its subject to limits of Cognito-managed groups.
Lastly, I have also requested this feature as well and currently have this implemented in a fork. A patch file you can use is attached to aws-amplify/amplify-category-api#403.
pspanchal
Is your feature request related to a problem? Please describe. I need to authorize a custom claim (example tenantID for multi-tenant app) in addition to group ownership in @auth directive.
Describe the solution you'd like Please allow custom claim to be validated against a field in the dynamoDB table for @auth directive. This is very similar to @group ownership directive.
Describe alternatives you've considered If I have a lot of tenants each with a number of groups - read-only, admin, root, power-users etc... then 1 alternative was to treat tenantID+group as a different group. But this would be too many combinations of groups and will quickly hit the hard limit of groups for the cognito User pool. The other option is to write a pipeline resolver just for this purpose. But this is also not ideal and need a declarative method of authorization against any custom claims as possible. Hence the suggested solution.
Additional context Reinvent 2018 talks of Multi-tenant SaaS to build good isolation down to data layer