Amplify-cli: Adding support for multi-tenancy using third-party authentication providers

Created on 31 Dec 2019 · 4 Comments · Source: aws-amplify/amplify-cli


Is your feature request related to a problem? Please describe.

My team is currently using Auth0 as our third-party OIDC provider but using this and the Amplify @auth transformer is proving to be difficult when implementing multi-tenancy.

Describe the solution you'd like

Ideally, something where additional fields can be passed in, possibly with the allow: groups option, would be combined with the providers: oidc option in the transformer. Being able to pass in arrays/multiple values from the received third-party token (in this case from Auth0) could be handled in a similar manner to how the owner field is currently managed.

Describe alternatives you've considered

We were able to get the "single user" @auth working using the provider: oidc option for the owner field. However, this was limited as no arrays can be passed in.

Switching over to the groups option caused additional difficulties trying to set up/implement Cognito pools. Because we're still using Auth0, we tried "mirroring" user profiles into the Cognito pools but this is not fully working and a pretty clunky workaround.

Additional context

If there is a better option than what we're trying (combining third-party providers like Auth0 with "group"-level configurations) for multi-tenancy, any suggestions would be welcome.

It's worth noting that there are several open issues that address similar/important aspects of this issue:

  • #2705 is very similar, if not the same, request; we're specifically interested in supporting multi-tenancy
  • #2241 raises some technical/security issues that are important to keep in mind
  • #177 is another issue that might need to be addressed using third-party providers
  • #18 and #1578 as well
Labels: @auth, graphql-transformer, pending-response, question

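The request above is for group-based @auth rules whose group membership comes from a claim in a third-party (Auth0) token rather than from Cognito's `cognito:groups` claim. The following is an added example, not code from the amplify-cli project, that models how such a claims-based check would have to behave for tenant isolation: a rule names the claim to read (`group_claim`), the allowed groups are either static or taken from a field on the item (`groups_field`), and access is granted only when the two sets intersect. The rule shape, the default claim names and the sample tokens are all assumptions constructed for this illustration; Auth0 custom claims in particular are assumed to live under a namespaced URL key, which is why a configurable group claim matters.

```python
"""Claims-based owner/group authorization check, modelled loosely on the
@auth rule concepts discussed in the issue (owner + identityClaim, groups +
groupClaim/groupsField). Added example; not amplify-cli's own resolver logic."""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuthRule:
    """One @auth-style rule. Field names are assumptions for this example."""
    allow: str                              # "owner" or "groups"
    provider: str = "userPools"             # "userPools" or "oidc"
    identity_claim: str = "username"        # owner rules: claim holding the caller id
    owner_field: str = "owner"              # owner rules: item field holding owner id(s)
    group_claim: str = "cognito:groups"     # groups rules: claim holding the caller's groups
    groups: Tuple[str, ...] = ()            # groups rules: static allow-list
    groups_field: Optional[str] = None      # groups rules: item field holding allowed groups


def _as_list(value: Any) -> List[str]:
    """Normalise a claim/field value: None -> [], scalar -> [scalar], list -> list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def rule_allows(rule: AuthRule, claims: Dict[str, Any], item: Dict[str, Any]) -> bool:
    """Evaluate a single rule against decoded token claims and one record.

    `claims` is assumed to be the payload of an already signature-verified JWT;
    this function deliberately does no token validation of its own."""
    if rule.allow == "owner":
        identity = claims.get(rule.identity_claim)
        # A missing identity claim never matches, even if the item has no owner.
        return identity is not None and str(identity) in _as_list(item.get(rule.owner_field))
    if rule.allow == "groups":
        caller_groups = set(_as_list(claims.get(rule.group_claim)))
        if rule.groups_field:
            allowed = set(_as_list(item.get(rule.groups_field)))   # dynamic groups
        else:
            allowed = set(rule.groups)                              # static groups
        # Empty intersection (including "claim absent") denies; no fallback to allow.
        return bool(caller_groups & allowed)
    raise ValueError(f"unsupported allow mode: {rule.allow!r}")


def is_authorized(rules: Iterable[AuthRule], claims: Dict[str, Any], item: Dict[str, Any]) -> bool:
    """Rules are OR-ed: any satisfied rule grants access."""
    return any(rule_allows(rule, claims, item) for rule in rules)


# --- constructed sample data (not real tokens or tenants) ---------------------
TENANT_CLAIM = "https://example.com/tenants"   # assumed Auth0-style namespaced custom claim

ALICE_TENANT_A = {"sub": "auth0|alice", TENANT_CLAIM: ["tenant-a"]}
BOB_TENANT_B = {"sub": "auth0|bob", TENANT_CLAIM: ["tenant-b"]}
CAROL_NO_CLAIM = {"sub": "auth0|carol"}        # token without the custom claim at all

TENANT_A_DOC = {"id": "doc-1", "owner": "auth0|alice", "tenants": ["tenant-a"]}

# Rule that reads the Auth0 custom claim and compares it to the item's tenant list.
TENANT_RULES = (
    AuthRule(allow="groups", provider="oidc", group_claim=TENANT_CLAIM, groups_field="tenants"),
)
# Same rule but with the default (Cognito-style) group claim, which Auth0 tokens lack.
DEFAULT_CLAIM_RULES = (
    AuthRule(allow="groups", provider="oidc", groups_field="tenants"),
)
# Owner rule keyed on the OIDC `sub` claim, as the issue describes for the single-user case.
OWNER_RULES = (
    AuthRule(allow="owner", provider="oidc", identity_claim="sub"),
)


def demo() -> Dict[str, bool]:
    """Return the outcome of each scenario so it can be inspected or asserted on."""
    return {
        "alice_tenant_claim": is_authorized(TENANT_RULES, ALICE_TENANT_A, TENANT_A_DOC),
        "bob_wrong_tenant": is_authorized(TENANT_RULES, BOB_TENANT_B, TENANT_A_DOC),
        "carol_no_claim": is_authorized(TENANT_RULES, CAROL_NO_CLAIM, TENANT_A_DOC),
        "alice_default_claim": is_authorized(DEFAULT_CLAIM_RULES, ALICE_TENANT_A, TENANT_A_DOC),
        "alice_owner": is_authorized(OWNER_RULES, ALICE_TENANT_A, TENANT_A_DOC),
        "bob_owner": is_authorized(OWNER_RULES, BOB_TENANT_B, TENANT_A_DOC),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>20}: {'ALLOW' if allowed else 'DENY'}")
```

Two points worth noting from the scenarios: a token that carries tenant membership under a namespaced claim is denied outright when the rule still reads the default `cognito:groups` claim (the claim is simply absent, so the intersection is empty), which is the failure mode a configurable group claim exists to fix; and a caller from another tenant or with no tenant claim is denied without any fallback, so the isolation property depends on the rule never defaulting to allow when the claim is missing.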
All 4 comments

This is something I am interested in.

I'm not sure if there is a technical reason why groups is blocked from being used with oidc providers, other than the confusion it could cause users who don't realise they would have to specify a custom groupClaim property.

In packages/graphql-auth-transformer/src/ModelAuthTransformer.ts:2022 there is a check, but it would be interesting to remove this and see if group auth with groupClaim works for your case.

I believe this merged PR might address using groups with oidc as a provider.

https://github.com/aws-amplify/amplify-cli/pull/2719

Closing this issue as the pr has been merged and is included in the latest release.
