Question
I am considering creating a user pool per tenant based on the recommended multi-tenant architecture (for ex: https://aws.amazon.com/quickstart/saas/identity-with-cognito/)
The rest of the resources in the application are going to be using pooled resources (for ex: API Gateway, DynamoDB tables). I am considering the silo model just for the Cognito/auth part of the application.
Application requirements:
- Subdomain per tenant, i.e. tenant1.company.com and tenant2.company.com
- A user can belong to multiple tenants (for ex: User A can be in tenant1 and tenant2)
- Need to be able to list all users for a particular tenant
- Data residency restrictions for personally identifiable information
I believe if I was to use the same Cognito user pool for all tenants, I could force users to use a different email for a new tenant, i.e. abc@tenant1.com for Tenant1 and abc+tenant2@tenant2.com for Tenant2.
But to list all users for a particular tenant, I imagine the same user pool for all tenants will not work as tenant_id will be a custom attribute.
I could also ensure data residency restrictions by creating a user pool per tenant. However, how do I handle regional failover in this case?
Also, is subdomain per tenant supported with this approach?
I hear that the user pool per tenant is a constant pain and should be avoided. What are some of the pain points?
For my use case, does it look like I should opt for an AuthZ provider instead, like Auth0 or Authress?
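The following is an added example, not code from the question or from the AWS quick start it links. It sketches the silo-per-tenant approach the question describes: the tenant is resolved from the request Host header by exact match against a registry, the registry maps each tenant to its own user pool in the region chosen for PII residency, and all users of that tenant are listed by paging through Cognito's ListUsers (whose `Filter` parameter only searches standard attributes, so a custom `tenant_id` attribute could not be used for this in a shared pool). Tenant names, pool IDs and regions are constructed placeholders, and `FakeCognitoClient` stands in for boto3's `cognito-idp` client so the script runs offline; in production the factory would be `lambda r: boto3.client("cognito-idp", region_name=r)`.

```python
"""Added example (not from the original post): tenant resolution from the
Host header, per-tenant user pool/region registry, and paginated ListUsers.
All tenant names, pool IDs and regions are constructed placeholders."""
from dataclasses import dataclass
import re
from typing import Callable, Dict, List, Optional

# Only "<label>.company.com" (optionally with a port) is a tenant host.
# The regex is anchored so "tenant1.company.com.attacker.net" is rejected.
TENANT_HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\.company\.com(?::\d{1,5})?$"
)


@dataclass(frozen=True)
class TenantPool:
    tenant: str
    region: str        # region chosen per tenant for data residency
    user_pool_id: str


# Constructed registry (assumption): one Cognito user pool per tenant.
TENANT_REGISTRY: Dict[str, TenantPool] = {
    "tenant1": TenantPool("tenant1", "eu-west-1", "eu-west-1_EXAMPLE01"),
    "tenant2": TenantPool("tenant2", "us-east-1", "us-east-1_EXAMPLE02"),
}


def resolve_tenant(host: str) -> Optional[TenantPool]:
    """Map an untrusted Host header to a registered tenant, or None.
    The subdomain must match a registry key exactly; unknown tenants,
    extra labels and look-alike domains are all rejected."""
    m = TENANT_HOST_RE.match(host.strip().lower())
    if not m:
        return None
    return TENANT_REGISTRY.get(m.group(1))


def list_tenant_users(pool: TenantPool, client_factory: Callable[[str], object],
                      page_size: int = 60) -> List[str]:
    """Return every username in the tenant's pool, following PaginationToken.
    client_factory(region) must return an object with a cognito-idp style
    list_users(UserPoolId=..., Limit=..., PaginationToken=...) method."""
    client = client_factory(pool.region)
    kwargs = {"UserPoolId": pool.user_pool_id, "Limit": min(page_size, 60)}
    users: List[str] = []
    while True:
        resp = client.list_users(**kwargs)
        users.extend(u["Username"] for u in resp.get("Users", []))
        token = resp.get("PaginationToken")
        if not token:            # last page: no token returned
            return users
        kwargs["PaginationToken"] = token


class FakeCognitoClient:
    """Offline stand-in for boto3's cognito-idp client (constructed data).
    'alice' exists in both pools, i.e. one person belonging to two tenants."""
    POOLS = {
        "eu-west-1_EXAMPLE01": ["alice", "bob", "carol"],
        "us-east-1_EXAMPLE02": ["alice", "dave"],
    }

    def __init__(self, region: str):
        self.region = region

    def list_users(self, UserPoolId, Limit=60, PaginationToken=None, **_):
        # A real regional client cannot see pools in another region.
        if not UserPoolId.startswith(self.region + "_"):
            raise ValueError(f"pool {UserPoolId} is not in region {self.region}")
        names = self.POOLS[UserPoolId]
        start = int(PaginationToken or 0)
        page = names[start:start + Limit]
        resp = {"Users": [{"Username": n} for n in page]}
        if start + Limit < len(names):
            resp["PaginationToken"] = str(start + Limit)
        return resp


def users_for_host(host: str, client_factory=FakeCognitoClient) -> List[str]:
    """End to end: Host header -> tenant pool -> usernames ([] if unknown)."""
    pool = resolve_tenant(host)
    return [] if pool is None else list_tenant_users(pool, client_factory)


if __name__ == "__main__":
    for h in ("tenant1.company.com", "TENANT2.company.com:443",
              "tenant1.company.com.attacker.net", "unknown.company.com"):
        print(h, "->", users_for_host(h))
```

Two points the sketch makes concrete: the region is a property of the tenant record, so a regional failover plan has to be written per pool rather than for the application as a whole, and the Host-to-tenant lookup is the boundary where a spoofed or look-alike hostname must fail closed before any pool is touched.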
Source: https://stackoverflow.com/questions/65515499/what-are-the-challenges-with-a-user-pool-per-tenant-in-a-an-aws-multi-tenant-ser