
I am using AWS Cognito User Pool to secure my web app, mobile app and APIs. I have a database with roles and permissions defined. I would like to add "roles" to Access Token during login process so that I do not need to make a database call to check for user roles.

I will not be able to use Cognito custom attributes because people can create custom roles from the front end and all of this information is saved in a database.

user1868744

1 Answer


I don't think Cognito supports this. Also, the custom roles would be harder to manage in the Authorization Server, since they are domain data that will change frequently.

ALTERNATIVE OPTION

  • Look up the user roles from your own database
  • Store roles in a ClaimsPrincipal
  • But only do this when a token is first received
  • Cache claims for subsequent API requests with the same token

This enables you to store data in the correct places while also giving your API what it needs to authorize requests, and performing well.

RESOURCES ON THIS DESIGN PATTERN

EXTENSIBLE SOLUTION

Feel free to adapt the above pattern in a way that works for you. The key goal is to make it easy for each API to manage and extend data used for identification and authorization.

Gary Archer
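The look-up-once-then-cache pattern from the answer above, as an added Python example rather than the answer's own (.NET ClaimsPrincipal) code: the roles table, the token strings and the claim values are constructed, a plain dict stands in for ClaimsPrincipal, and the Cognito access token is assumed to have already been validated (signature, issuer, expiry) by the API's JWT middleware before enrichment.

```python
import hashlib
import time

# Constructed stand-in for the application's own roles database.
ROLE_DB = {"user-123": ["editor", "billing-admin"], "user-456": ["viewer"]}
DB_CALLS = {"count": 0}  # lets a caller observe how often the database is hit


def lookup_roles(user_id):
    """The expensive lookup: the goal is once per token, not once per request."""
    DB_CALLS["count"] += 1
    return list(ROLE_DB.get(user_id, []))


class ClaimsCache:
    """Caches enriched claims per access token, expiring no later than the token."""

    def __init__(self, max_ttl_seconds=300):
        self.max_ttl = max_ttl_seconds
        self._entries = {}  # token hash -> (expires_at, principal)

    @staticmethod
    def _key(token):
        # Key by a hash so the raw bearer token never sits in the cache.
        return hashlib.sha256(token.encode()).hexdigest()

    def build_principal(self, token, verified_claims, now=None):
        """verified_claims is the Cognito access-token payload AFTER the JWT
        middleware validated it (assumed here, not done by this code)."""
        now = time.time() if now is None else now
        key = self._key(token)
        hit = self._entries.get(key)
        if hit and hit[0] > now:
            return hit[1]  # same token seen before: no database call
        sub = verified_claims["sub"]
        principal = {
            "sub": sub,
            "scope": verified_claims.get("scope", ""),
            "roles": lookup_roles(sub),  # the one database call per token
        }
        # Never keep roles longer than the token is valid, and cap the lifetime
        # so role changes in the database show up without waiting for expiry.
        expires_at = min(verified_claims["exp"], now + self.max_ttl)
        self._entries[key] = (expires_at, principal)
        return principal


def has_role(principal, role):
    """Authorization check an API endpoint would run against the cached principal."""
    return role in principal["roles"]
```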