
I am working on a React Project and in there I want to use AWS Cognito for Role Based Authentication. My Project will be having multiple roles like Super User, User, Admin, Super Admin, etc. and to achieve this I have created multiple userpools, as in 1 userpool for each role. Everything is working correctly, but it turned out that I can achieve the same functionality within a single userpool by making groups in it.

So, the problem is that for now I am using the 'aws-cognito-identity-js' library to authenticate users, but in that library I couldn't find any code related to Userpool Groups, and I also tried to find another library related to Userpool Groups but I couldn't find any. So, how can I integrate that Groups logic into my React App?!

D_Gamer

1 Answer


When you log in to the userpool you get an ID token. The payload of this ID token also contains the groups the user belongs to.

```javascript
// The ID token is a JWT: header.payload.signature, each part base64url-encoded.
const [header, payload, signature] = idToken.split(".");
// atob() expects standard base64, so map the base64url alphabet back first.
const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
const jsonPayload = JSON.parse(atob(base64));
// Claim is absent when the user is in no group, so default to an empty list.
const groups = jsonPayload["cognito:groups"] || [];
```

Of course you can also use your favourite JWT library (maybe even amazon-cognito-identity-js has something included) to verify and parse the ID token and extract the desired claims from it.

EDIT

amazon-cognito-identity-js cannot be used to manage groups during self-signup of a user. IMHO it would be counter-intuitive and a security flaw that a user can add himself to a group (which probably has certain security implications in your app) without administrative intervention.

If you really want to allow the newly created user to select which groups he belongs to, you can do that via a Post Confirmation Trigger on the userpool.

  1. Add the desired groupname for instance as a custom attribute while signing up the user.

  2. Once the user is confirmed the post confirmation trigger (a lambda function) is executed. This lambda function has to have the necessary permissions to execute the AdminAddUserToGroup command.

  3. Within the trigger (which receives the user's attributes as parameter) execute the mentioned AdminAddUserToGroup command.

derpirscher
  • okay! fair enough but you are saying that I'll get the ID token when I'll log the user in so, what about when I want to register new user in some group? – D_Gamer Nov 30 '21 at 04:19
  • During self-signup? Would be rather counter-intuitive that a user can sign himself up to the "SuperUser" group, don't you think? And if you are creating/modifying users from an administrative account you can always use the [AWS SDK](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/classes/adminaddusertogroupcommand.html) – derpirscher Nov 30 '21 at 09:01
  • No, I mean what if some user wants to sign up and that user is meant to be registered in the "user" role? Then on my React App, that user will provide email and password for signing up, as well as he/she needs to select the role on my React App, and then my app will use that "aws-cognito-identity-js" library and request to Cognito for new user signup with the selected group. So, how do I do that?! – D_Gamer Nov 30 '21 at 11:01
  • Hi, I was thinking maybe add the users to the user group by default. I assume you might create a super admin or admin manually, who could add the users required to higher roles like admin from the app. – king.reflex Oct 29 '22 at 16:15
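The Post Confirmation trigger from steps 1 to 3 of the answer, written out as an added example (not code from the answer, the asker, or Amazon) as a Node.js Lambda. The custom attribute name `custom:role`, the group names, and the injected `addUserToGroup` function are assumptions; it keeps self-assignment limited to a low-privilege group, which is the point the answer and the comments raise.

```javascript
// Added example, not code from the answer: a Post Confirmation trigger
// (Node.js Lambda) that places a newly confirmed user into a Cognito group.
// Assumptions: the signup form stored the requested role in a custom
// attribute named "custom:role"; the group names are placeholders.

// Only groups a self-signed-up user may pick. Privileged groups such as
// "Admin" or "SuperAdmin" are deliberately absent: an administrator assigns
// those, so a client cannot grant itself elevated access at signup.
const SELF_ASSIGNABLE_GROUPS = new Set(["User"]);
const DEFAULT_GROUP = "User";

// Map the attribute sent by the client to the group the user actually gets.
// Unknown or privileged requests fall back to the default group.
function chooseGroup(requestedRole) {
  const role = (requestedRole || "").trim();
  return SELF_ASSIGNABLE_GROUPS.has(role) ? role : DEFAULT_GROUP;
}

// Build the Lambda handler. addUserToGroup(userPoolId, username, groupName)
// performs the AdminAddUserToGroup call; it is injected so the logic can be
// exercised without AWS credentials.
function makeHandler(addUserToGroup) {
  return async function handler(event) {
    // The same trigger also fires after a forgot-password confirmation;
    // only act on a real signup confirmation.
    if (event.triggerSource !== "PostConfirmation_ConfirmSignUp") {
      return event;
    }
    const attrs = event.request.userAttributes || {};
    const group = chooseGroup(attrs["custom:role"]);
    await addUserToGroup(event.userPoolId, event.userName, group);
    // Post Confirmation triggers must return the event unchanged.
    return event;
  };
}

// Real implementation using AWS SDK v3 (the command the answer links to).
// The Lambda role needs cognito-idp:AdminAddUserToGroup on the user pool.
async function addUserToGroupWithSdk(userPoolId, username, groupName) {
  const { CognitoIdentityProviderClient, AdminAddUserToGroupCommand } =
    require("@aws-sdk/client-cognito-identity-provider");
  const client = new CognitoIdentityProviderClient({});
  await client.send(new AdminAddUserToGroupCommand({
    UserPoolId: userPoolId, Username: username, GroupName: groupName,
  }));
}

const handler = makeHandler(addUserToGroupWithSdk); // export this from the Lambda
```

The groups the user ends up in still arrive in the `cognito:groups` claim of the ID token at the next login, so the client-side decoding shown in the answer is unchanged.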