Configure custom identity and group claims
Amplify Data supports using custom identity and group claims if you do not wish to use the default Amazon Cognito-provided cognito:groups claim or the double-colon-delimited sub::username claim from your JWT token. This can be helpful if you are using tokens from a third-party OIDC system, or if you wish to populate a claim with a list of groups from an external system, such as when using a Pre Token Generation Lambda Trigger that reads from a database.
To use custom claims, specify identityClaim or groupClaim as appropriate. In the example below, identityClaim is set to user_id, so the owner check compares the record's owner field against the user_id claim. Similarly, if the user_groups claim contains the string "Moderator", then access is granted.
```typescript
import { a, defineData, type ClientSchema } from '@aws-amplify/backend';

const schema = a.schema({
  Post: a
    .model({
      id: a.id(),
      owner: a.string(),
      postname: a.string(),
      content: a.string(),
    })
    .authorization(allow => [
      // Owner check reads the identity from the custom user_id claim
      allow.owner().identityClaim('user_id'),
      // Group check reads the group list from the custom user_groups claim
      allow.groups(['Moderator']).withClaimIn('user_groups'),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({ schema });
```
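As an added illustration (not Amplify's or AppSync's own code), the TypeScript below models how the two rules in the schema above are evaluated against a decoded token payload, and contrasts them with the default sub::username and cognito:groups claims. The Rule shapes, postRules, defaultRules and the sample claims are assumptions made for this example; accepting the group claim as either an array or a single string is also an assumption.

```typescript
type Claims = Record<string, unknown>;

interface OwnerRule { kind: 'owner'; ownerField: string; identityClaim: string }
interface GroupsRule { kind: 'groups'; allowed: string[]; groupClaim: string }
type Rule = OwnerRule | GroupsRule;

// Resolve the identity from the token. A claim name such as "sub::username"
// joins the named claims with "::", mirroring the default described above.
function resolveIdentity(claims: Claims, identityClaim: string): string | undefined {
  const parts = identityClaim.split('::').map(name => claims[name]);
  if (parts.some(p => typeof p !== 'string' || p.length === 0)) return undefined;
  return parts.join('::');
}

// Normalise the group claim to a string array (assumption: a bare string is one group).
function resolveGroups(claims: Claims, groupClaim: string): string[] {
  const value = claims[groupClaim];
  if (Array.isArray(value)) return value.filter((g): g is string => typeof g === 'string');
  if (typeof value === 'string') return [value];
  return [];
}

// Access is granted when any rule matches (rules are OR-ed together).
function isAuthorized(record: Record<string, unknown>, claims: Claims, rules: Rule[]): boolean {
  return rules.some(rule => {
    if (rule.kind === 'owner') {
      const identity = resolveIdentity(claims, rule.identityClaim);
      return identity !== undefined && record[rule.ownerField] === identity;
    }
    const groups = resolveGroups(claims, rule.groupClaim);
    return rule.allowed.some(g => groups.includes(g));
  });
}

// Rules equivalent to the Post schema above (custom claims).
const postRules: Rule[] = [
  { kind: 'owner', ownerField: 'owner', identityClaim: 'user_id' },
  { kind: 'groups', allowed: ['Moderator'], groupClaim: 'user_groups' },
];

// The same rules with the Cognito defaults, for comparison.
const defaultRules: Rule[] = [
  { kind: 'owner', ownerField: 'owner', identityClaim: 'sub::username' },
  { kind: 'groups', allowed: ['Moderator'], groupClaim: 'cognito:groups' },
];

// Constructed sample: a third-party OIDC token carrying the custom claims only.
const oidcClaims: Claims = { sub: 'abc-123', user_id: 'u-42', user_groups: ['Viewer', 'Moderator'] };
const post = { id: 'p1', owner: 'u-42', postname: 'hello', content: 'first post' };
```

With these inputs, postRules grants access (owner match, and Moderator is present), while defaultRules denies it because the token has neither a username nor a cognito:groups claim.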
In your application, you can perform CRUD operations against the model with the userPools auth mode.
```dart
try {
  final todo = Todo(content: 'My new todo');
  // Send the mutation with the userPools auth mode so the JWT carrying
  // the custom claims is used for authorization.
  final request = ModelMutations.create(
    todo,
    authorizationMode: APIAuthorizationType.userPools,
  );
  final response = await Amplify.API.mutate(request: request).response;

  final createdTodo = response.data;
  if (createdTodo == null) {
    safePrint('errors: ${response.errors}');
    return;
  }
  safePrint('Mutation result: ${createdTodo.content}');
} on ApiException catch (e) {
  safePrint('Failed to create todo: $e');
}
```