Multi-tenant (organisation) support for GQL APIs

[trunham]

Is your feature request related to a problem? Please describe.
I've set up a prototype API for a SaaS product that involves having multiple organisations. To move forward we need to ensure that an organisations data is protected from other organisations being able to access it both in the Frontend and through the APIs.

The frontend is straight-forward enough, API we're not sure how best to proceed. We know we can create custom resolvers but we'd lose some of the nice automation Amplify provides.

We could create a "middleware" REST API to handle all requests and ensure the user is part of the tenant or organisation that the data requested belongs to. If successful we can then forward it to the GQL APIs through the App Sync SDK, otherwise we could return 401. This solution would allow us to keep the automation but would add additional processing time and cost to each request.

Before moving ahead with one of these options, it'd be great to know:

1. If there is a better solution we're missing?
2. If there's a plan to implement a way of doing this that's native to Amplify so we could hold off for now?
3. If there might be any problems with our current options?

Describe the solution you'd like
Ideally, it'd be great to see this as part of the @auth directive. We can restrict the entire model to certain Cognito groups, but if we could restrict the response data based on a custom Cognito field that is mapped to a model field that would be perfect.

For Example:

Within cognito we have a custom:tenantID field. Then within the GQL schema we can have:

type Project
@model
@auth(rules: [
  { allow: groups, groups: ["Admins", "Users"] },
  { allow: tenants, fields: ["custom:tenantID", "tenantID"] }, # map cognito field to our GQL field
]) {
  id: ID!
  title: String!
  description: String

  # Connections
  tenantID: ID!
  tenant: Tenant @connection(fields: ["tenantID"]) # Another GQL model for the tenant the user is a part of
}

Describe alternatives you've considered
I've thought about rather than custom fields, the user pools within Cognito could have a permanent tenant field removing the need for the custom mapping ("custom:tenantID" -> "tenantID"). However, not sure if that would raise internal complications having to make changes to both the Amplify and the Cognito services.

For example:

type Project
@model
@auth(rules: [
  { allow: groups, groups: ["Admins", "Users"] },
  { allow: tenants, fields: ["tenantID"] }, # amplify would map this GQL field to a dedicated cognito field automatically
]) {
  id: ID!
  title: String!
  description: String

  # Connections
  tenantID: ID!
  tenant: Tenant @connection(fields: ["tenantID"])
}

Additional Context
Amplify has been fantastic to work with. It's been amazing getting the prototype up and running so quickly and it'd be great to move forward with it!

[octaneC8H18]

I am also trying to implement something similar and came accross these feature requests. spent weeks looking for a proper solution. It seems this might not get implemented soon. #449 and #455

[paulsson]

@trunham @octaneC8H18 I posted a detailed solution with schema and code examples for multi-tenant auth support here:
#449

[josefaidt]

closing as a duplicate of #449