Configure custom identity and group claims
Amplify Data supports using custom identity and group claims if you do not wish to use the default Amazon Cognito-provided `cognito:groups` claim or the double-colon-delimited `sub::username` claim from your JWT token. This can be helpful if you are using tokens from a third-party OIDC system, or if you wish to populate a claim with a list of groups from an external system, such as when using a Pre Token Generation Lambda Trigger that reads from a database.
To use custom claims, specify `identityClaim` or `groupClaim` as appropriate. In the example below, the `identityClaim` is specified and the record owner will be checked against this `user_id` claim. Similarly, if the `user_groups` claim contains a "Moderator" string, then access will be granted.
```ts
import { a, defineData, type ClientSchema } from '@aws-amplify/backend';

const schema = a.schema({
  Post: a
    .model({
      id: a.id(),
      owner: a.string(),
      postname: a.string(),
      content: a.string(),
    })
    .authorization(allow => [
      allow.owner().identityClaim('user_id'),
      allow.groups(['Moderator']).withClaimIn('user_groups'),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({ schema });
```
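To make the claim mapping concrete, the following is an added example that is not part of the Amplify documentation or the Amplify library. It is a toy evaluator that reads the same two claims the schema above names (`user_id` for the owner rule, `user_groups` for the group rule) out of a JWT payload and decides the same way the rules describe. It assumes the token's signature and expiry have already been verified by the service (AppSync does this before evaluating authorization rules); it decodes only, and the helper `fakeJwt`, the sample post and the sample tokens are constructed for illustration. Accepting the group claim as either a string array or a single string is an assumption of this example, not a statement about how AppSync parses the claim.

```typescript
// Added example, not Amplify code: mirrors how the owner and group rules in the
// schema above are decided from claims in an already-verified JWT payload.

type Claims = Record<string, unknown>;

interface Post {
  id: string;
  owner: string;
  postname: string;
  content: string;
}

// base64url helpers (no padding, URL-safe alphabet) built on atob/btoa.
function b64urlEncode(s: string): string {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s: string): string {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return atob(padded);
}

// Decode the payload segment of a compact JWT (header.payload.signature).
// Decoding only: signature and expiry checks are the service's job, not shown here.
function decodePayload(jwt: string): Claims {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1])) as Claims;
}

// allow.owner().identityClaim('user_id'): the record's owner field must equal the
// value of the configured identity claim; a missing or empty claim never matches.
function isOwner(claims: Claims, post: Post, identityClaim = 'user_id'): boolean {
  const id = claims[identityClaim];
  return typeof id === 'string' && id.length > 0 && id === post.owner;
}

// allow.groups(['Moderator']).withClaimIn('user_groups'): grant when the configured
// group claim contains an allowed group. Array or single string accepted (assumption).
function inAllowedGroup(claims: Claims, allowed: string[], groupClaim = 'user_groups'): boolean {
  const raw = claims[groupClaim];
  const groups: string[] = Array.isArray(raw)
    ? raw.filter((g): g is string => typeof g === 'string')
    : typeof raw === 'string' ? [raw] : [];
  return groups.some(g => allowed.includes(g));
}

// The two rules are OR-ed, as multiple authorization rules on one model are.
function canAccess(jwt: string, post: Post): boolean {
  const claims = decodePayload(jwt);
  return isOwner(claims, post) || inAllowedGroup(claims, ['Moderator']);
}

// Constructed, unsigned test token: the signature segment is a dummy. It exists only to
// produce sample input for the checks above and must never be accepted by a real service.
function fakeJwt(payload: Claims): string {
  return `${b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64urlEncode(JSON.stringify(payload))}.sig`;
}

// Constructed sample data.
const samplePost: Post = { id: 'p1', owner: 'user-123', postname: 'Hello', content: 'body' };
const ownerToken = fakeJwt({ sub: 'abc', user_id: 'user-123', user_groups: ['Reader'] });
const moderatorToken = fakeJwt({ sub: 'def', user_id: 'user-999', user_groups: ['Moderator'] });
const strangerToken = fakeJwt({ sub: 'ghi', user_id: 'user-999', user_groups: 'Reader' });
// sub happens to equal the owner, but the rule reads user_id, so this must be denied.
const noClaimToken = fakeJwt({ sub: 'user-123' });

console.log(canAccess(ownerToken, samplePost), canAccess(moderatorToken, samplePost),
  canAccess(strangerToken, samplePost), canAccess(noClaimToken, samplePost));
```

The last token illustrates the point of `identityClaim`: once the rule is pointed at `user_id`, a matching `sub` no longer grants ownership, so whatever issues the token (a Pre Token Generation trigger or an external OIDC provider) must reliably populate the custom claim for every user, or owner access silently fails.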
In your application, you can perform CRUD operations against the model using `client.models.<model-name>` with the `userPool` auth mode.
```ts
import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

// Create a Post as the signed-in user; the owner field is populated from the
// configured identity claim (user_id) of the user pool token.
const { errors, data: newPost } = await client.models.Post.create(
  {
    postname: 'My New Post',
    content: 'My post content',
  },
  { authMode: 'userPool' },
);
```