Cognito group based multitenancy login

Hello everyone,

I am trying to solve an issue where one user can register with the same email address in two or more different tenant apps. I will have a user created for each tenant, and they will be stored in one pool. When users register, they will be assigned to a Cognito group.

It should behave in the following way (1 pool, 2+ groups):

user@email.com (group: tenant1)

If the user exists in tenant1:

tenant1.app.com/login (user@email.com/password) ⇒ returns: user@email.com (group: tenant1)

If the user does not exist in tenant2:

tenant2.app.com/login (user@email.com/password) ⇒ returns: 403 unauthenticated

user@email.com (group: tenant2)

If the user does exist in tenant2:

tenant2.app.com/login (user@email.com/password123) ⇒ returns: user@email.com (group: tenant2)

Basically, as a user, I can register on two different websites with one email and maybe the same or a different password. For every tenant, I will have a new user created with the same email address in one user pool but in two different groups.

My questions are:

  1. How can I ensure that a new user is always created in the Cognito pool if we register from a different tenant app (group)?

  2. How can I implement login so that it checks whether the user with the given password exists in a certain group?

  3. Is there a better way of approaching this problem? The reason I chose group per tenant over pool per tenant is that I can have 1000 - 10000 groups in pool1, so if I need to (if I reach the limit of groups in one pool), I could start storing users in a new pool, so I would have another 1000 - 10000 groups in pool2. That would give me a total of 1000 x (1000 to 10000) groups if needed.

I hope I explained it in an understandable way, so I could find a clear solution or advice for my problem. The most important for me would be the answer to question #2.

Many thanks, Regards, Miro
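
As an added example (not part of the original post and not AWS code), here is one way to express the behaviour described for question 2 as a check on already-verified token claims: the tenant is taken from the request host and must appear in the token's `cognito:groups` claim. The `<tenant>.app.com` host layout follows the post; the function names, lowercase group names that match the subdomain, and the sample claims are assumptions.

```python
"""Tenant-scoped login check: a user may only sign in to the tenant app
whose Cognito group appears in the token's `cognito:groups` claim."""

BASE_DOMAIN = "app.com"  # assumption: tenants live at <tenant>.app.com, as in the post


def tenant_from_host(host, base_domain=BASE_DOMAIN):
    """Return the tenant label for '<tenant>.<base_domain>[:port]', else None."""
    if not host:
        return None
    # Normalise case, drop an optional port and a trailing root dot.
    name = host.strip().lower().split(":", 1)[0].rstrip(".")
    suffix = "." + base_domain
    if not name.endswith(suffix):
        return None  # e.g. 'tenant1.app.com.evil.example'
    label = name[: -len(suffix)]
    # Exactly one DNS label: rejects 'a.tenant1.app.com' and odd characters.
    if not label or "." in label or not label.isascii():
        return None
    if not label.replace("-", "").isalnum():
        return None
    return label


def authorize_login(claims, host):
    """Decide the login response from already-verified token claims.

    Assumption: `claims` is the decoded payload of a Cognito token whose
    signature, issuer, audience and expiry were validated earlier.
    """
    tenant = tenant_from_host(host)
    groups = claims.get("cognito:groups")
    if not isinstance(groups, list):
        groups = []  # claim may be absent; never substring-match a bare string
    if tenant is None or tenant not in groups:
        return 403, {"error": "unauthenticated"}
    return 200, {"user": claims.get("email"), "group": tenant}


# Constructed sample claims for illustration (not a real token).
SAMPLE_CLAIMS = {"email": "user@email.com", "cognito:groups": ["tenant1"]}

if __name__ == "__main__":
    for h in ("tenant1.app.com", "tenant2.app.com", "TENANT1.app.com:443"):
        print(h, authorize_login(SAMPLE_CLAIMS, h))
```

The tenant is derived from the host the server received, never from a field in the login request body, so a client cannot choose which group it is checked against.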

No Answers
