
I have a Jamstack site with Cognito authentication which is deployed through Netlify. The aim should be to have only one codebase and a user pool with predefined groups for each team for the application. Each deployed version of the codebase is routed to their own URL of a team. A team includes the roles of manager, editor & staff and is set up by myself, and the first user has the role of manager to manage and sign up further users within the application via the admin API. How can I solve the problem to get to know the right user pool of the team the user belongs to at login?

2 Answers


  1. Use a single user pool only for authentication (logging in). Create identity pools (federated identities) for each team and use custom authentication method for authenticating users against identity pools. Then use identity pool identities for authorization (granting permissions).

    https://docs.aws.amazon.com/cognito/latest/developerguide/concepts.html
    https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

  2. No code solution

    Amplify makes it easy to deploy to multiple environments, e.g. dev, test, prod. You could use that mechanism to deploy each "team" into their own environment. That also gives you a unique URL per team.

    The major downside to this approach is that each team would have their own environment (probably their own git branch) so it will be annoying to deploy changes across all teams.

    I wouldn’t recommend the above unless you only have 2-3 teams.

    Just use groups

    Another approach would be to use GROUPS to distinguish teams as well as roles. e.g. add groups for each team: TEAM_xxxx, and roles: ROLE_ADMIN, ROLE_MANAGER, ROLE_EDITOR, ROLE_STAFF. All data is co-located, but you can use group auth to limit visibility of data per team and role.

    You can give the site multiple domains. I’m not sure how to enforce each team uses "their" domain, but that shouldn’t matter as they’ll only be able to see/change data for the teams they belong to.

    When new users sign up, add the domain they used as a Cognito custom attribute and check it in an auth hook. If all looks good, add that user to a ‘pending approval’ db table and email that team’s managers. Managers log in, see users pending approval and approve/reject them. Users with ROLE_MANAGER can add others to any group they themselves belong to, obviously done server-side.

    I’ve done the above for "poor man’s multi-tenant" w/ Amplify and it works quite nicely.

    If you can’t tolerate the data shared across teams with only permissions separating it, then you probably want to ditch Amplify and use CDK to deploy the codebase and all resources per-team.

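The two server-side checks the second answer describes, written up as an added example (not code from the answer's author): a Cognito PreSignUp trigger that validates the client-supplied `custom:domain` attribute against an allow-list, and the rule that a ROLE_MANAGER may only add users to groups the manager already belongs to. The `TEAM_DOMAINS` mapping and attribute name are assumptions constructed for the example.

```python
from typing import Iterable

# Constructed allow-list (assumption): sign-up domain -> team group.
TEAM_DOMAINS = {
    "alpha.example.com": "TEAM_alpha",
    "beta.example.com": "TEAM_beta",
}


def pre_sign_up(event: dict) -> dict:
    """Cognito PreSignUp Lambda trigger.

    The custom attribute arrives from the client, so it is untrusted until
    checked here. Raising an exception rejects the sign-up. autoConfirmUser
    stays False so a team manager still has to approve the account.
    """
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = attrs.get("custom:domain", "").strip().lower()
    if domain not in TEAM_DOMAINS:
        raise ValueError("sign-up domain is not a known team domain")
    event.setdefault("response", {})["autoConfirmUser"] = False
    return event


def team_group_for_domain(domain: str) -> str:
    """Group a newly approved user should be placed in, from the domain they used."""
    return TEAM_DOMAINS[domain.strip().lower()]


def groups_from_claims(id_token_claims: dict) -> set:
    """Cognito puts user-pool group membership in the ID token's cognito:groups claim."""
    return set(id_token_claims.get("cognito:groups", []))


def allowed_group_change(actor_groups: Iterable[str], target_group: str) -> bool:
    """May the caller add another user to target_group?

    Enforces the answer's rule: only ROLE_MANAGER users, and only for groups
    the manager is a member of, so a manager of TEAM_alpha cannot push users
    into TEAM_beta.
    """
    groups = set(actor_groups)
    return "ROLE_MANAGER" in groups and target_group in groups
```

`allowed_group_change` must run in the backend that calls the admin API, never in the browser, since the client can present any group name it likes.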