Configure custom identity and group claims
Amplify Data supports using custom identity and group claims if you do not wish to use the default Amazon Cognito-provided `cognito:groups` or the double-colon-delimited claims, `sub::username`, from your JWT token. This can be helpful if you are using tokens from a 3rd party OIDC system or if you wish to populate a claim with a list of groups from an external system, such as when using a Pre Token Generation Lambda Trigger which reads from a database.
To use custom claims, specify `identityClaim` or `groupClaim` as appropriate. In the example below, the `identityClaim` is specified and the record owner will be checked against this `user_id` claim. Similarly, if the `user_groups` claim contains a "Moderator" string then access will be granted.
```ts
import { a, defineData, type ClientSchema } from "@aws-amplify/backend";

const schema = a.schema({
  Post: a
    .model({
      id: a.id(),
      owner: a.string(),
      postname: a.string(),
      content: a.string(),
    })
    .authorization([
      // Owner rule: compare the record's `owner` field with the `user_id`
      // claim instead of the default `sub::username` claim.
      a.allow.owner().identityClaim("user_id"),
      // Group rule: grant access when the `user_groups` claim (rather than
      // `cognito:groups`) contains "Moderator".
      a.allow.specificGroups(["Moderator"]).withClaimIn("user_groups"),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({ schema });
```
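To make the rule semantics concrete, here is an added example (not Amplify's own resolver code) that evaluates the two rules above against a decoded JWT payload: the identity claim is compared with the record's `owner` field, and the group claim, which a third-party OIDC token may carry as either an array or a single string, is checked for "Moderator". A missing or malformed claim denies access. The sample payload and `PostRecord` shape are constructed for the example.

```typescript
// Decoded JWT payload (claims), e.g. from a third-party OIDC provider.
type Claims = Record<string, unknown>;

// Minimal shape of the Post record from the schema above (assumption).
interface PostRecord {
  owner: string;
}

// Constructed sample payload carrying the custom claims from the schema.
const SAMPLE_CLAIMS: Claims = {
  sub: "3f1c2a7e-sample",
  user_id: "u-42",
  user_groups: ["Moderator", "Editor"],
};

// Identity claim rule: the caller owns the record only if the claim is a
// non-empty string and matches the record's owner field exactly.
function isOwner(claims: Claims, record: PostRecord, identityClaim = "user_id"): boolean {
  const value = claims[identityClaim];
  return typeof value === "string" && value.length > 0 && value === record.owner;
}

// Group claim rule: accept an array of strings or a single string; anything
// else (absent claim, numbers, objects) is treated as "no groups".
function groupsFromClaim(claims: Claims, groupClaim = "user_groups"): string[] {
  const value = claims[groupClaim];
  if (Array.isArray(value)) {
    return value.filter((g): g is string => typeof g === "string");
  }
  if (typeof value === "string") {
    return [value];
  }
  return [];
}

function isInAllowedGroup(claims: Claims, allowed: string[], groupClaim = "user_groups"): boolean {
  const groups = groupsFromClaim(claims, groupClaim);
  return allowed.some((g) => groups.includes(g));
}

// Combined decision for the Post model: owner OR member of "Moderator".
function canAccessPost(claims: Claims, record: PostRecord): boolean {
  return isOwner(claims, record) || isInAllowedGroup(claims, ["Moderator"]);
}

// Moderator from the sample payload reading someone else's post: allowed.
canAccessPost(SAMPLE_CLAIMS, { owner: "someone-else" });
```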