[Suspended]Spike: explore JSON format in cognito:groups #1591

Closed
5 tasks
OlgaLiber2 opened this issue Sep 17, 2024 · 3 comments
OlgaLiber2 commented Sep 17, 2024

Describe the task
Understand the effort and potential roadblocks involved in transitioning to using JSON format for cognito:groups to store fine-grained user attributes.

Acceptance Criteria

  • Book a meeting with AWS team to understand the pros and cons of using a json format (invite Michelle D to the meeting)

  • Outline the pros and cons of using string format role-clientId-orgUnit or json format

  • Outline the tasks involved in transitioning to JSON format if we decided to use it

  • Determine whether we are going to continue using string format or move to json format for cognito groups

  • Write a follow up implementation ticket

Additional context

@craigyu craigyu changed the title Spike: look at new token format Spike: explore JSON format in cognito:groups Sep 17, 2024
@ianliuwk1019

I am sorry, I was looking at the wrong chart; don't get a quote from me next time. I double-checked the pricing: @OlgaLiber2 @basilv @craigyu
The basic pricing:
Image

With Advanced Security Feature on (needed for V2 lambda triggered event, for JSON customized token claim)
Image

  • Our production currently has 1191 users (this might not be the monthly active users, not sure...).
    Image

  • But the production db currently has 1681 rows:

famdb=> select count(*) from app_fam.fam_user;
 count
-------
  1681
(1 row)
  • Last month Cognito cost (prod): $4.22
    (So maybe our AWS account has some discount for the plan, or maybe there were fewer users last month)

  • Our forecast user size is: 10,000
    10,000*$0.0055 + 10,000*$0.05 = $555 (per month, Cognito alone)
    The monthly bill would be $55 for the base price for active users plus $500 for the advanced security features

  • If not all 10,000 users are MAU and we have a discount, then maybe it is still reasonable to switch to V2 ???

ianliuwk1019 commented Sep 27, 2024

Based on my understanding of the AWS documentation, I have only a few questions (but they don't really need to be asked of AWS support):

  • Does Terraform support V2_0 configuration?
    => We could probably find out when we do some experiments with Terraform.
    => I saw some issues reported online but they may be old and working now.
    => Worst case, use the AWS console to switch without coding it in Terraform (currently I don't see this coded for the V1 version), but that could cause an issue after deployment when using V2 (if we don't specify it in Terraform): AWS would then switch to the default (V1).
  • Is V2 backward compatible with V1?
    Other than "event" structure change for the lambda handler, I think it is compatible.
    • Currently it was designed to use the "cognito:groups" claim for holding the FAM user's role privileges as a list of strings. I think it was because V1 does not provide a way to have a custom claim in the token, so "cognito:groups" was used instead (this "cognito:groups" actually exists on both the ID token and the Access Token).
    • But V2 opens up the possibility to insert an "application-specific" claim with more formats (like JSON) and only on the Access Token. It means to me we can keep the previous "cognito:groups" implementation plus a new "application-specific" claim like "fam:roles", both in the access token. And this will solve the migration headache for downstream apps when we start using the new JSON claim and when we have the new Org Unit implementation.

@basilv @OlgaLiber2 @craigyu
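
The approach described in the comment above, as an added example that is not part of the original thread or of the FAM code base: a pre token generation handler in Python that keeps the "cognito:groups" list and, on a V2 event, also adds a JSON "fam:roles" claim to the access token. The role records, the `legacy_group` helper and the `roles` parameter are hypothetical; the version check returns the V1 response shape if the user pool falls back to the default trigger version.

```python
# Added example; names marked hypothetical are assumptions, not FAM code.

# Constructed sample data. A real trigger would load the user's roles
# from the application's own store instead of a module-level list.
SAMPLE_ROLES = [
    {"role": "REVIEWER", "clientId": "00001011", "orgUnit": "DPG"},
    {"role": "SUBMITTER", "clientId": "00001012", "orgUnit": "DKA"},
]

CUSTOM_CLAIM = "fam:roles"  # claim name suggested in the comment above


def legacy_group(rec):
    """Hypothetical helper: render a record as role-clientId-orgUnit."""
    return "-".join(rec[key] for key in ("role", "clientId", "orgUnit"))


def handler(event, context=None, roles=SAMPLE_ROLES):
    """Pre token generation trigger that answers both V1 and V2 events."""
    groups = {"groupsToOverride": [legacy_group(r) for r in roles]}

    if str(event.get("version")) == "2":
        # V2 event: keep cognito:groups for existing consumers and add
        # the structured claim to the access token only.
        event["response"] = {
            "claimsAndScopeOverrideDetails": {
                "accessTokenGeneration": {
                    "claimsToAddOrOverride": {CUSTOM_CLAIM: roles},
                },
                "groupOverrideDetails": groups,
            }
        }
    else:
        # V1 event, e.g. after the V2_0 setting was lost on deployment:
        # only the group list can be returned, so tokens still carry
        # cognito:groups and downstream apps keep working.
        event["response"] = {
            "claimsOverrideDetails": {"groupOverrideDetails": groups}
        }
    return event
```
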

craigyu commented Oct 3, 2024

Org unit won't be needed anytime soon so we'll come back to this later

@craigyu craigyu closed this as completed Oct 3, 2024
@craigyu craigyu changed the title Spike: explore JSON format in cognito:groups [Suspended]Spike: explore JSON format in cognito:groups Oct 3, 2024