The guide to create (offline) multi tenant apps with Expo and AWS Amplify

rpostulart on November 04, 2020

Multi tenant: A tenant is a group of users which have the same access rights. With multi tenant ...
 
Devjyoti Ghosh

Hey, is there a way I could share access for a model with users outside the tenant? My use case would be a user group that can have access to models from various tenants. For example, in Asana a user can be added to various different companies' projects.

rpostulart

I believe it should be possible, but then you need to add multiple tenant IDs to the Cognito user attribute. For example, an array or a string with commas as separators. In your application you can do the validation.

Devjyoti Ghosh • Edited

I don't think this works exactly, because the user needs to have access to specific projects within a company. With multiple tenant IDs, 2 users within the same user group will have access to all projects within the tenant that is shared with the user group. See the image for an example of what is needed. dev-to-uploads.s3.amazonaws.com/i/...

rpostulart

You can use the user attribute (tenant) in combination with Cognito groups (projects), or create multiple user attributes.

Devjyoti Ghosh • Edited

I don't think that works, because you can only have 500 Cognito user groups, and users will need to have access to specific projects, so each project's access will need its own Cognito group, I think. I have updated the user access diagram; maybe that will make it more clear. (Image: user access pattern diagram)

There can also be a user 3 in the above diagram who is a freelancer in both Company 1 & 2 and has access to only projects A & C.

Jose Castaneyra

The number of Cognito groups now is 10,000.

And a user can belong to 100 groups.

docs.aws.amazon.com/cognito/latest...
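
The access pattern discussed in this thread (tenant IDs in a Cognito user attribute, combined with one Cognito group per project), written out as an authorization check. This is an added example, not code from the article or from Amplify; the attribute name `custom:tenantid`, the `<tenant>__<project>` group naming and the sample claims and records are assumptions, and the ID token is assumed to have been verified before the check runs.

```javascript
// Added example. Assumes the Cognito ID token was already verified
// (signature, issuer, audience, expiry) and `claims` is its payload.
const TENANT_CLAIM = "custom:tenantid"; // assumed custom attribute name
const SEP = "__"; // assumed group naming convention: <tenant>__<project>

// Tenants listed in the comma-separated user attribute.
function tenantsOf(claims) {
  const raw = claims ? claims[TENANT_CLAIM] : undefined;
  if (typeof raw !== "string") return new Set();
  return new Set(raw.split(",").map((t) => t.trim()).filter(Boolean));
}

// Deny by default: the caller must belong to the record's tenant AND hold
// the group for that exact project. Tenant membership alone is not enough.
function canAccessProject(claims, record) {
  const { tenantId, projectId } = record || {};
  if (typeof tenantId !== "string" || typeof projectId !== "string") return false;
  if (!tenantId || !projectId) return false;
  // Ids containing the separator would make group names ambiguous.
  if (tenantId.includes(SEP) || projectId.includes(SEP)) return false;
  if (!tenantsOf(claims).has(tenantId)) return false;
  const groups = claims["cognito:groups"];
  return Array.isArray(groups) && groups.includes(tenantId + SEP + projectId);
}

// Constructed claims for the freelancer ("user 3") case: two companies,
// one project in each. Which company owns which project is made up here.
const freelancer = {
  "custom:tenantid": "company1,company2",
  "cognito:groups": ["company1__projectA", "company2__projectC"],
};

// Constructed records, as a resolver or API handler would load them.
const records = [
  { tenantId: "company1", projectId: "projectA" },
  { tenantId: "company1", projectId: "projectB" },
  { tenantId: "company2", projectId: "projectC" },
];

function visibleProjects(claims) {
  return records.filter((r) => canAccessProject(claims, r)).map((r) => r.projectId);
}

console.log(visibleProjects(freelancer));
```

The check has to run server-side (for example in a resolver or API handler), since a check that lives only in the client app can be bypassed.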

Yudhiesh Ravindranath

I am having an issue when using the mobile application: I cannot seem to log in to the accounts I created. It just says I need to "Validate that amazon-cognito-identity-js has been linked". I cannot seem to find anywhere how to solve this.

Devjyoti Ghosh

The users show up on the Cognito console?

rpostulart

Looks like a framework error. Have you created an issue on GitHub?

Yudhiesh Ravindranath

It is weird because yesterday I had other issues and was able to sign in but now when I redid the whole project this is an issue.

Yudhiesh Ravindranath • Edited

Another issue is that when I try to sign in from AppSync in the AWS Console through User Pools I have to create a new password for the user but when I do it is saying that "email is missing" even though it is only asking for the password.

Devjyoti Ghosh

Hey, thanks for the great article. I had a question: how would the data flow work when creating users within groups from the frontend with Amplify? Is there a way I can mention the tenantid and CognitoUserPoolID that a user belongs to?

rpostulart

Of course you can. You can update the user attributes. It is explained here: docs.amplify.aws/lib/auth/manageus...

The user pool is configured with Amplify.

Devjyoti Ghosh

How would you get a company's tenant ID, though, while signing up a user to the editors group, for example? My imagining is the main company Admin/Tenant signs up, and then to add users to their organization they add their email address, and it temporarily signs up the user with the relevant tenant ID & group details & sends an email to the users containing their user ID and temporary password that they need to change. Kind of like how IAM works.

rpostulart

Indeed, that is how I would do it.

Henry de la Martinière • Edited

This is great! Avoiding @auth owner to filter rows allows you to keep subscriptions working properly. But if a tenant ID goes public, you'll have a security issue.