What is the best practice to restrict the sign in / access for a specific client via the hosted UI (SSO)?

I want to deny sign in to client A, but not client B, based on DynamoDB items. I implemented it in the following way:

Check the permission and throw an error in the pre-authentication lambda.
Check the permission and throw an error in the pre-token-generation lambda so that no token is issued if the user is already authenticated. This is necessary because of single sign on. (The pre-authentication lambda is not triggered in this case.) This feels like a hacky solution and I did not find any references for this approach in the internet.

It works. Is it ok to do it like that? Is there a better approach? For instance, is it possible to define which clients will get an access token for a specific user? The sign in will be used also by desktop clients and we don't want to build in any authorization calls or logic to these clients. We just want to deny the access if the user has no permission.

Argomenti

Sicurezza, identità e conformità

Tag

Amazon Cognito

Lingua

English

Chris

posta 2 mesi fa110 visualizzazioni

Nessuna risposta

Più recenti
Maggior numero di voti
Maggior numero di commenti

Contenuto pertinente

Come posso risolvere l'errore "SMTP server requires a secure connection or the client is not authenticated. The server response was: Authentication required" durante l'invio di una email tramite SES?
AWS UFFICIALEAggiornata un anno fa
Come faccio a correggere l'errore "Unable to validate the following destination configurations" in AWS CloudFormation?
AWS UFFICIALEAggiornata 2 anni fa
Perché ho ricevuto l'errore IAM "AWS was not able to validate the provided access credentials" in alcune regioni AWS?
AWS UFFICIALEAggiornata 2 anni fa
In che modo posso risolvere l'errore "Waiting for the slave SQL thread to free enough relay log space" in Amazon Aurora MySQL?
AWS UFFICIALEAggiornata 3 anni fa