Merge pull request #887 from consideRatio/pr/awscogito-example

docs(awscognito): add custom claims example
2025-12-18 21:54:05 +08:00 · 2023-05-13 20:04:49 +02:00
parent 186ae7171c 8dba109c43
commit 3e2f8cabfd
1 changed files with 17 additions and 0 deletions
--- a/docs/howto/auth/awscognito.md
+++ b/docs/howto/auth/awscognito.md
@@ -126,3 +126,20 @@ For more information on `tljh-config`, see [](/topic/tljh-config).
   Jupyter interface used in this JupyterHub.
 5. **If this does not work** you can revert back to the default
   JupyterHub authenticator by following the steps in [](/howto/auth/firstuse).
+
+## Optionally using custom claims for group mapping
+
+If you use AWS Cognito to federate with an OIDC provider and you want to
+authorize your users based on e.g. their department claim, you have to make sure
+that the custom claim is provided as array.
+
+If it is not provided as array, there is an easy fix. Just add these lines to
+your `awscognito.py`:
+
+```python
+def claim_groups_key_func(user_data_resp_json):
+    return [user_data_resp_json['custom:department']]
+
+c.GenericOAuthenticator.claim_groups_key = claim_groups_key_func
+c.GenericOAuthenticator.allowed_groups = ["AA BB CC", "AA BB DD"]
+```