What is the best practice to restrict the sign in / access for a specific client via the hosted UI (SSO)?

I want to deny sign in to client A, but not client B, based on DynamoDB items. I implemented it in the following way:

Check the permission and throw an error in the pre-authentication lambda.
Check the permission and throw an error in the pre-token-generation lambda so that no token is issued if the user is already authenticated. This is necessary because of single sign on. (The pre-authentication lambda is not triggered in this case.) This feels like a hacky solution and I did not find any references for this approach in the internet.

It works. Is it ok to do it like that? Is there a better approach? For instance, is it possible to define which clients will get an access token for a specific user? The sign in will be used also by desktop clients and we don't want to build in any authorization calls or logic to these clients. We just want to deny the access if the user has no permission.

Themen

Sicherheit, Identität & Konformität

Relevanter Inhalt

Wie behebe ich den Fehler „The new key policy will not allow you to update the key policy in the future“, wenn ich versuche, mit AWS CloudFormation einen AWS-KMS-Schlüssel zu erstellen?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie behebe ich den Fehler „Unable to validate the following destination configurations“ in AWS CloudFormation?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie kann ich den Fehler „Waiting for the slave SQL thread to free enough relay log space“ in Amazon Aurora MySQL beheben?
AWS OFFICIALAktualisiert vor 3 Jahren
Wie behebe ich den Fehler „The specified queue does not exist or you do not have access to it.“, wenn ich einen AWS Glue Job ausführe, um Nachrichten an Amazon SQS in einer anderen Region zu senden?
AWS OFFICIALAktualisiert vor 3 Jahren