Hey Everyone, need some help regarding design. I am building an app which will use cognito for signup/login and amplify to handle auth with in the app. I am exclusively using dynamodb so i have to think about ways to reduce db read/write. one of the info that i need on every request is username (so that i don't have to read it based on user id), department id and department name. How can i inject this info in each request and keep it encrypted from user? One way i was thinking that perhaps i can inject custom token once a user is authenticated. With each request, this token will be sent to the backend and backend can extract info out of it. Now the questions 1. Is my proposed approach a good approach or are there any better options 2. If my proposed approach is good, then how to implement this? should there be a lambda which would trigger post "auth"? how can this lambda inject info into auth success response? 3. Where to store encryption key?

Is there a reason you want to keep the department id and department name encrypted from the user? This rules out JWT auth through cognito

You can encrypt JWTs so that the claims are hidden - don’t think Cognito supports that though, so you’d need to build something custom around it

^ Agreed. While I see the temptation to load things into the auth token so you have values ready to go, it can be tricky when these values update and making sure that stays synced everywhere

@thdxr: department id/name is an example. the information that i need, i don't want user (or hacker) be able to modify that info since that info define what view is visible to the user i.e., finance department should only be able to see posts from finance department.

JWT are signed so that even though the info is visible, it can’t be changed

Man....I really hate cognito

Yeah I like auth0 a lot better - but their pricing for API Client use cases was crazy. So I ended up using both - auth0 for humans, cognito for API clients.

It’s surprising to me that given how much people use Cognito, it’s still quite bad.

I'm using it because I'm following the rule of always use an AWS service even if it's worse than something external to reduce the amount of glue I need to build

We just went through the process of defining an implementing our Auth. The biggest problem with cognito is that you have 100 ways to do 100 different things and AWS are not really prescriptive in telling you the best way to do it. @Muhammad Ali - if you're using cognito/amplify/ddb you shouldn't need to do any token manipulation to get this to work. Also keeping this info 'encrypted' from the user is not a security best practice - if you're going about trying to hide something from the user you are more likely going to implement vulnerabilities that can be exploited. As @thdxr and @Omi Chowdhury said, the best way to do this is keep it server side. I think what you are looking for can be achieved with this - https://docs.amplify.aws/cli/graphql-transformer/auth/#dynamic-group-authorization and then let aws handle your AuthN/Z