From 8dba109c43d842f270351b6e8eb3f304e29feff0 Mon Sep 17 00:00:00 2001 From: Fabian Fischer Date: Mon, 27 Feb 2023 06:32:55 +0100 Subject: [PATCH] docs(awscognito): add custom claims example After struggling with my custom department claim and getting helped in https://discourse.jupyter.org/t/genericauthenticator-with-cognito-how-to-check-for-department-match/18105/1 I wanted to give back to the community. Rebased by Erik Sundell, originally committed in .rst, now transferred to .md --- docs/howto/auth/awscognito.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/howto/auth/awscognito.md b/docs/howto/auth/awscognito.md index ccb8893..bf83116 100644 --- a/docs/howto/auth/awscognito.md +++ b/docs/howto/auth/awscognito.md @@ -126,3 +126,20 @@ For more information on `tljh-config`, see [](/topic/tljh-config). Jupyter interface used in this JupyterHub. 5. **If this does not work** you can revert back to the default JupyterHub authenticator by following the steps in [](/howto/auth/firstuse). + +## Optionally using custom claims for group mapping + +If you use AWS Cognito to federate with an OIDC provider and you want to +authorize your users based on e.g. their department claim, you have to make sure +that the custom claim is provided as array. + +If it is not provided as array, there is an easy fix. Just add these lines to +your `awscognito.py`: + +```python +def claim_groups_key_func(user_data_resp_json): + return [user_data_resp_json['custom:department']] + +c.GenericOAuthenticator.claim_groups_key = claim_groups_key_func +c.GenericOAuthenticator.allowed_groups = ["AA BB CC", "AA BB DD"] +```
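Review bot: In the added `claim_groups_key_func`, the lookup `user_data_resp_json['custom:department']` raises `KeyError` for any user whose response carries no `custom:department` claim, so that login fails with an exception inside the callable instead of producing an empty group list that `allowed_groups` can reject. I would suggest reading the claim with `user_data_resp_json.get('custom:department')` and returning `[]` when it is absent or empty, so the missing-claim case is an explicit deny. The prose could also state that the function wraps the single claim string in a one-element list, which means the whole value is compared against `allowed_groups` as one exact string, and that `"AA BB CC"` and `"AA BB DD"` are sample department names to be replaced with the reader's own. Finally, "provided as array" would read better as "provided as an array" in both places in the new section.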