How can I create 2 different type of users using AWS Cognito?

Question

I want to create 2 different of user for example "basicUser" and "admin" using AWS Cognito. At the moment I was able to create the basicUser using AWS Amplify that basically use AWS Cognito under the hood.

In the Documentation of AWS Amplify it is written that I can insert custom attributes in the user object that will be saved on. The AWS Amplify example report:

const user = await Auth.signUp({
            username,
            password,
            attributes: {
                email,          // optional
                phone_number,   // optional - E.164 number convention
                // other custom attributes 
            }
        });

AWS Amplify documentation: https://docs.amplify.aws/lib/auth/emailpassword/q/platform/js#sign-up

Could it be a good solution using an attribute roles that is an array of the roles that a user could have? This will be done code side using the Cognito API referencing this documentation [The owner of the app will be responsable to confirm the "admin request" from the users]:

Update attribute documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html

This approach is it a bad practice and I could do something better or is it a good solution?

Thanks in advance.

Answer 1

If there is an approval system for the users which are being registered by JS side (hopefully running in browser) then, by your question description, this is OK.

However, there is another way. You can use Cognito groups. Whenever, an user is created you should trigger a lambda function to assign the user to group. At cognito trigger section, you can see some triggers to use. Then the protection is totally from server side instead of client.