Add support for the customRoleArn (#1125) #7631
Conversation
The application can specify the role to assume, which will override/bypass the configured logic in the Identity Pool. https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
Codecov Report
@@ Coverage Diff @@
## main #7631 +/- ##
==========================================
- Coverage 74.07% 74.06% -0.02%
==========================================
Files 214 214
Lines 13410 13414 +4
Branches 2628 2631 +3
==========================================
+ Hits 9934 9935 +1
- Misses 3277 3280 +3
Partials 199 199
Continue to review full report at Codecov.
|
|
Hi @elorzafe, Could you please review and merge this PR. As our development work is dependent on this feature. |
siegerts
added
the
first-time-contributor
|
Hello @elorzafe @sammartinez @ashika01 would it be possible to consider this PR? |
|
Hi @elorzafe, Could you please review and merge this PR? It would resolve an open AWS support ticket that we have. |
|
Apologies for not looking into this issue until now. I will be looking the security implications of this. |
|
Thanks for this PR, I am reviewing it now. (Apologies for taking that long) I have a question for this change, what about the option of using Pre token generation lambda trigger to modify the token groups based on client Metadata? I am not closed to merge this, just trying to understand more why you prefer to do this on the client instead of a lambda? |
|
Hi @elorzafe , It's been a while since I looked into this, From what I recall there are two scenarios;
For the client side I described some scenarios in my opening comment. On the flip side, there doesn't seem too much demand/support for this. I also think Identity pools are simply not used that much anymore. Especially since you can do third-party signins with the user pool as well. |
|
Thanks for replying so quickly! I understand that you would like to use features that the underlying AWS SDK has, we could provide an escape hatch to support this feature in the future. But I am not convinced we should make it part as a core feature on the category itself. Do you have experience working with other AuthN providers on how they solve this issues? Thanks again! |
|
in our application this functionality would be very important, thanks |
manueliglesias
force-pushed
the
main
branch
from
5b68474
to
66bfe31
Compare
Fixes: #1125
Description of changes:
The application can specify the role to assume, which will override/bypass the configured logic in the Identity Pool.
https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
A customRoleArn property has been added to the Auth configuration object
This property is a function so that applications can first evaluate the ID token before making a role selection (e.g. lookup the available roles in the
cognito:rolesattribute).Another use case might be that an application contains multiple security zones (e.g. www.enterprise.com/public and www.enterprise.com/private). The role to assume is defined based on the zone the user is in.
Another similar use case might be a splash screen that allows you to login into different accounts. For this the role to assume also needs to be dynamically calculated.
All calls to GetCredentialsForIdentity have been updated
If the property is provided, the function will be evaluated when the request for credentials is made.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.