I'm trying to identify if the authenticated user is admin or not, by checking if it belongs to a specific group.
I'm using Amplify in my React application and tried several methods, such as Auth.currentUserInfo(), Auth.currentAuthenticatedUser() and also getting the JWT token to see if somehow it's returned in the token, but I didn't find any information regarding that.
I saw some people saying that there is a payload cognito:groups in the token here, but that may have changed, because in my returned token it does not exist.
Another thing that I thought would work is the scope that comes in the jwt (aws.cognito.signin.user.admin), but it seems that every created user using amplify is returning this scope.
Is it possible to check if an authenticated user belongs to a group or if it's an admin user from cognito?
You can get the user groups from the session. It is in user.signInUserSession.accessToken.payload["cognito:groups"], which will contain an array of all groups for the user.
Here is a short example:
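import { Auth } from 'aws-amplify';
// top-level await needs an ES module; otherwise call this inside an async function
const user = await Auth.currentAuthenticatedUser();
// the array of groups that the user belongs to (defaults to [] when the claim is missing)
const groups = user.signInUserSession.accessToken.payload["cognito:groups"] || [];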
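An added example, not part of the original answer, showing a defensive read of the cognito:groups claim from the session shape used above. The helper names and sample tokens are constructed, it runs under Node, and it assumes the claim is absent when the user is in no group. The payload is decoded without signature verification, so the result is suitable for deciding what the UI shows; a backend has to verify the token before trusting the claim.

```javascript
// Added example: helper names and sample tokens below are constructed.
// Decodes the JWT payload WITHOUT verifying the signature: fine for choosing
// what the UI shows, not for authorization (a backend must verify the token).
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Assumption: Cognito leaves "cognito:groups" out of the token when the user
// is in no group, so a missing or malformed claim means "no groups".
function groupsFromPayload(payload) {
  const claim = payload && payload['cognito:groups'];
  return Array.isArray(claim) ? claim.filter((g) => typeof g === 'string') : [];
}

// Works on the object shape used in the answer above.
function isInGroup(user, group) {
  const payload = user?.signInUserSession?.accessToken?.payload;
  return groupsFromPayload(payload).includes(group);
}

// Constructed sample data (not real tokens).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const adminToken = makeSampleToken({
  sub: 'constructed-user-1',
  'cognito:groups': ['admin', 'editors'],
  scope: 'aws.cognito.signin.user.admin',
});
// Same scope, no groups claim: the scope alone does not mark an administrator.
const plainToken = makeSampleToken({
  sub: 'constructed-user-2',
  scope: 'aws.cognito.signin.user.admin',
});

const asUser = (token) => ({
  signInUserSession: { accessToken: { payload: decodeJwtPayload(token) } },
});

console.log(isInGroup(asUser(adminToken), 'admin')); // true
console.log(isInGroup(asUser(plainToken), 'admin')); // false
console.log(isInGroup(null, 'admin'));               // false
```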