What is the best practice to restrict the sign in / access for a specific client via the hosted UI (SSO)?

I want to deny sign in to client A, but not client B, based on DynamoDB items. I implemented it in the following way:

Check the permission and throw an error in the pre-authentication lambda.
Check the permission and throw an error in the pre-token-generation lambda so that no token is issued if the user is already authenticated. This is necessary because of single sign on. (The pre-authentication lambda is not triggered in this case.) This feels like a hacky solution and I did not find any references for this approach in the internet.

It works. Is it ok to do it like that? Is there a better approach? For instance, is it possible to define which clients will get an access token for a specific user? The sign in will be used also by desktop clients and we don't want to build in any authorization calls or logic to these clients. We just want to deny the access if the user has no permission.

Tópicos

Segurança, identidade e conformidade

Conteúdo relevante

How do I connect to my WorkSpace with RDP?
AWS OFICIALAtualizada há 2 anos
Como resolvo o erro “SMTP server requires a secure connection or the client is not authenticated The server response was: Authentication required” (O servidor SMTP requer uma conexão segura ou o cliente não está autenticado. A resposta do servidor foi: autenticação necessária) ao enviar um e-mail pelo SES?
AWS OFICIALAtualizada há um ano
Como soluciono erros “Unable to verify secret hash for client<client-id>” da minha API de grupos de usuários do Amazon Cognito?
AWS OFICIALAtualizada há 3 anos
Por que recebi o erro de IAM “AWS was not able to validate the provided access credentials” (A AWS não pôde validar as credenciais de acesso fornecidas) em algumas regiões da AWS?
AWS OFICIALAtualizada há 2 anos