
After quite a battle I have written a testing desktop app that allows a user to authenticate with AWS Cognito. I can allow AWS to handle the authentication, password storage, etc. This solves some issues - why reinvent the wheel?

Now my question is: I have various resources in the app that need granular permissions. How would I use Cognito to control access to non-AWS resources in my app?

Eric Snyder

1 Answer


I would recommend using a custom attribute since you mentioned non-AWS services. Create an attribute named customer:role with a value of ROLE_USER, ROLE_ADMIN and so on.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes

Once they are authenticated in the app, you can control their permissions by decoding the custom attribute. This tutorial is more about permissions for AWS services in a SaaS multi-tenant approach; however, I found it extremely useful to learn from.

https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf

Switcher
  • Thank you so much. I don't know about you but I have had a bit of a hard time onboarding with Cognito. Perhaps it is because I am not too bright or perhaps it's a bit confusing. I have also found some of the tutorials are a bit hard to follow. I was thinking that the answer might be found in custom attributes, thanks for the confirmation. – Eric Snyder May 17 '19 at 12:35
  • @EricSnyder Yes I think it is one of the least documented services by AWS. All the examples I find are very shallow and/or a very outdated version. The AWS quick start sets up a nice full environment using almost all of the features of the user pools and federated identities. The auto config of spring security 5 is what really sealed the deal on choosing Cognito. – Switcher May 21 '19 at 14:47
  • "The auto config of spring security 5 is what really sealed the deal on choosing Cognito." Do you mean Spring.net Framework https://springframework.net/? – Eric Snyder May 22 '19 at 22:37
  • @EricSnyder Yes spring security 5 allows you to set up basically everything in the properties file and just redirect back to your app after login through Cognito. Here is an example I followed: https://stackoverflow.com/questions/48327369/amazon-cognito-oauth2-with-spring-security – Switcher May 23 '19 at 15:21
  • Spring 5 for Java correct? Or is this a C# library? – Eric Snyder May 23 '19 at 19:40
  • @EricSnyder Java, unsure if there is a C# equivalent. – Switcher May 24 '19 at 20:17
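The custom-attribute approach from the answer above, as an added example that is not from the post, AWS or Spring: the app verifies a Cognito ID token's signature and standard claims, then reads the role attribute (Cognito stores custom attributes under the custom: prefix, so it appears as custom:role) and maps it to app-local permissions with deny by default. Assumed and constructed here: the pool URL, app client id, role names and permission strings; Cognito signs ID tokens with RS256 against the pool's JWKS, which a locally generated key stands in for so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims of a Cognito ID token the app checks; custom:role is the custom attribute from the answer.
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"`
	Exp      int64  `json:"exp"`
	TokenUse string `json:"token_use"`
	Role     string `json:"custom:role"`
}
// Deny-by-default map of app-local permissions (constructed names); unknown or missing roles get none.
var rolePerms = map[string][]string{
	"ROLE_USER":  {"report:read"},
	"ROLE_ADMIN": {"report:read", "report:write", "user:manage"},
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewTestKey and SignRS256 stand in for Cognito so the example runs offline; a real app never signs tokens.
func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func SignRS256(c Claims, key *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(c)
	signing := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + b64(sig), err
}
// Permissions verifies signature, issuer, audience, token_use and expiry before trusting custom:role.
// pub is the pool's RSA key (from its JWKS in production), iss the pool URL, aud the app client id.
// The JWT header's alg is never read: the key type pins RS256, so an algorithm switch cannot succeed.
func Permissions(tok string, pub *rsa.PublicKey, iss, aud string, now int64) ([]string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return nil, errors.New("malformed token") }
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // a bad encoding simply fails verification below
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return nil, errors.New("bad signature") }
	raw, _ := base64.RawURLEncoding.DecodeString(p[1]) // payload is now known to be what the pool signed
	var c Claims
	if json.Unmarshal(raw, &c) != nil { return nil, errors.New("unreadable claims") }
	if c.Iss != iss || c.Aud != aud || c.TokenUse != "id" || now >= c.Exp { return nil, errors.New("token not valid for this app") }
	return rolePerms[c.Role], nil // nil for an unknown or missing role: least privilege
}
```

In the user pool's app client attribute permissions, leave custom:role readable but not writable by the client; a user-writable attribute would let any authenticated user update it to ROLE_ADMIN before signing in again.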