
How do I use Amplify user permissions with external apps

0

Hi, I am a new user of AWS Amplify and I have built a front end with Amplify Gen 2. This front end would serve as a CMS platform. The platform will have different levels of user permissions and user pools. This platform will have links to external apps. These external apps are containerized apps, have their own repositories, run on separate EC2 instances, and have their own user permissions and user pools. What we are trying to achieve is that when a user logs into the CMS platform, it will use the same user permissions and pools as the CMS platform to log into the external apps. So, a user logs into the Amplify CMS platform. The user has been given permission to use external apps B, C and D but does not have permission to access external apps E and F, not even with a direct link to the external apps. If they try the direct link to log into the external app, they should be redirected to the CMS platform. How do I go about achieving this flow? Thank you in advance.

1 Answer
0

To achieve the user permission flow you described with AWS Amplify and external containerized apps, you can implement a solution using OpenID Connect (OIDC) or SAML authentication, along with custom authorization logic. Here's an approach to accomplish this:

  1. Set up Authentication in Amplify: Use Amplify's authentication feature to manage user sign-in for your CMS platform. You can configure this in the amplify/auth/resource.ts file.

  2. Implement OIDC or SAML: Configure your Amplify auth to work as an OIDC or SAML provider. This will allow your external apps to use Amplify as the central authentication service.

  3. Custom Claims for Permissions: When setting up your auth, include custom claims in the JWT tokens that specify which external apps a user has permission to access. You can do this by customizing the Cognito User Pool that Amplify uses.

  4. External App Configuration: Configure your external containerized apps (B, C, D, E, F) to use the Amplify auth as their OIDC or SAML provider. This means they will defer authentication to your CMS platform.

  5. Authorization Check: In each external app, implement a check that verifies the custom claims in the JWT token to ensure the user has permission to access that specific app. If they don't have permission, redirect them back to the CMS platform.

  6. Redirect Unauthorized Access: For direct access attempts to external apps, implement a check at the entry point of each app. If the user is not authenticated or doesn't have the right permissions, redirect them to the CMS platform login page.

  7. Single Sign-On Experience: With this setup, once a user logs into the CMS platform, they will be automatically logged into the external apps they have permission to access, providing a seamless single sign-on experience.

To implement this, you'll need to work with both your Amplify setup and the individual external apps. You may need to use AWS CDK to customize some of the underlying AWS resources that Amplify creates, such as the Cognito User Pool, to add the custom claims functionality.

Remember to handle security carefully, ensuring that JWT tokens are properly validated and that all communication between your apps is encrypted. Also, consider implementing token refresh mechanisms to maintain user sessions securely across your ecosystem of apps.
Sources
New in AWS Amplify: Integrate with SQL databases, OIDC/SAML providers, and the AWS CDK | Front-End Web & Mobile
New in AWS Amplify: Expanded Fullstack Deployment Capabilities for Teams of All Sizes | Front-End Web & Mobile
AWS Amplify | Extensible Web & Mobile Apps | Amazon Web Services
Introducing the Next Generation of AWS Amplify’s Fullstack Development Experience | Front-End Web & Mobile

answered a year ago
