
Page updated Jun 19, 2024

Configure custom identity and group claims

Amplify Data supports custom identity and group claims if you do not want to use the Amazon Cognito defaults, the cognito:groups claim and the double-colon-delimited sub::username identity claim, from your JWT. This is useful when the token comes from a third-party OIDC provider, or when you want a claim populated with a list of groups from an external system, for example by a Pre Token Generation Lambda trigger that reads from a database.

To use custom claims, call identityClaim() on an owner rule or withClaimIn() on a groups rule. In the example below, the owner rule compares the record's owner field against the user_id claim instead of the default sub::username. Similarly, the groups rule grants access when the user_groups claim contains the string "Moderator".

amplify/data/resource.ts
import { a, defineData, type ClientSchema } from '@aws-amplify/backend';

const schema = a.schema({
  Post: a
    .model({
      id: a.id(),
      owner: a.string(),
      postname: a.string(),
      content: a.string(),
    })
    .authorization(allow => [
      // Owner check reads the user_id claim instead of the default sub::username.
      allow.owner().identityClaim('user_id'),
      // Group check reads the user_groups claim instead of cognito:groups.
      allow.groups(['Moderator']).withClaimIn('user_groups'),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({ schema });
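The two halves of this setup, the trigger that puts user_id and user_groups into the token and the owner/group rules that read them, are easiest to reason about side by side. The following is an added example, not code from the Amplify documentation or the Amplify project. It assumes a hand-written subset of Cognito's V1 Pre Token Generation event, a constructed in-memory map standing in for the database the trigger would read, and a pure function isAllowed() that mirrors how the two rules above combine (a request passes if either rule matches). Because V1 triggers only accept string claim values, the group list is JSON-encoded; the example assumes the generated resolver accepts either a JSON-encoded list or a single group name in a string claim, which is how Amplify's resolvers have handled string group claims, but verify this against your deployed resolver.

```typescript
// Added example (not from the Amplify docs). Minimal model of the Cognito V1
// Pre Token Generation event: only the fields this handler touches.
interface PreTokenGenEvent {
  request: { userAttributes: Record<string, string> };
  response: {
    claimsOverrideDetails?: {
      claimsToAddOrOverride?: Record<string, string>;
    };
  };
}

// Constructed stand-in for the external system (a database in practice):
// maps a Cognito sub to the groups that system knows about.
const DIRECTORY: Record<string, string[]> = {
  'sub-alice': ['Moderator', 'Editor'],
};

// Pre Token Generation handler: copies sub into user_id and the looked-up
// group list into user_groups. V1 triggers accept only string claim values,
// so the list is JSON-encoded (assumption: the resolver parses it back).
function handler(event: PreTokenGenEvent): PreTokenGenEvent {
  const sub = event.request.userAttributes.sub;
  const groups = DIRECTORY[sub] ?? [];
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        user_id: sub,
        user_groups: JSON.stringify(groups),
      },
    },
  };
  return event;
}

// Claims as the resolver would see them after the trigger ran.
type Claims = Record<string, unknown>;

function claimsAfterTrigger(sub: string): Claims {
  const event = handler({ request: { userAttributes: { sub } }, response: {} });
  return { sub, ...(event.response.claimsOverrideDetails?.claimsToAddOrOverride ?? {}) };
}

// Normalise a group claim: a real array, a JSON-encoded array, or a single
// group name. Anything else yields no groups (and therefore no access).
function groupsFromClaim(value: unknown): string[] {
  if (Array.isArray(value)) return value.map(String);
  if (typeof value !== 'string') return [];
  try {
    const parsed: unknown = JSON.parse(value);
    if (Array.isArray(parsed)) return parsed.map(String);
  } catch {
    // not JSON: fall through and treat the string as one group name
  }
  return [value];
}

// Mirrors allow.owner().identityClaim('user_id') OR
// allow.groups(['Moderator']).withClaimIn('user_groups').
// A token with no user_id claim never matches the owner rule.
function isAllowed(claims: Claims, record: { owner?: string }): boolean {
  const identity = claims['user_id'];
  const ownerMatch =
    typeof identity === 'string' && identity.length > 0 && identity === record.owner;
  const groupMatch = groupsFromClaim(claims['user_groups']).includes('Moderator');
  return ownerMatch || groupMatch;
}

// Walk-through: alice is a Moderator, bob is only an owner, carol's token
// never passed through the trigger and so carries no user_id claim.
const alice = claimsAfterTrigger('sub-alice');
const bob = claimsAfterTrigger('sub-bob');
console.log(isAllowed(alice, { owner: 'sub-bob' }));          // moderator: allowed
console.log(isAllowed(bob, { owner: 'sub-bob' }));            // owner: allowed
console.log(isAllowed(bob, { owner: 'sub-alice' }));          // neither: denied
console.log(isAllowed({ sub: 'sub-carol' }, { owner: 'sub-carol' })); // no user_id: denied
```

The last case is the one to watch in production: if the trigger is not attached, or the third-party IdP does not emit the configured claim, the owner rule silently matches nothing and every owner-only request is denied, which is the safe failure mode but an easy one to misdiagnose.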

In your application, you can perform CRUD operations against the model using client.models.<model-name> with the userPool auth mode.

import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

// With userPool auth the owner field is populated from the caller's user_id claim.
const { errors, data: newPost } = await client.models.Post.create(
  {
    postname: 'My New Post',
    content: 'My post content',
  },
  {
    authMode: 'userPool',
  }
);