See#104for details about the status of this project.
Google Apps (G Suite),Microsoft Azure AD,GitHub,OKTA,Auth0,Centrifyauthentication forCloudFrontusingLambda@Edge.The original use case forcloudfront-authwas to serve private S3 content over HTTPS without running a proxy server in EC2 to authenticate requests; butcloudfront-authcan be used authenticate requests of any Cloudfront origin configuration.
Upon successful authentication, a cookie (namedTOKEN) with the value of a signed JWT is set and the user redirected back to the originally requested path. Upon each request, Lambda@Edge checks the JWT for validity (signature, expiration date, audience and matching hosted domain) and will redirect the user to configured provider's login when their session has timed out.
If your CloudFront distribution is pointed at a S3 bucket,configure origin access identityso S3 objects can be stored with private permissions. (Origin access identity requires the S3 ACL owner be the account owner. Use ours3-object-owner-monitorLambda function if writing objects across multiple accounts.)
Enable SSL/HTTPS on your CloudFront distribution; AWS Certificate Manager can be used to provision a no-cost certificate.
Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT. If the filesid_rsaandid_rsa.pubdo not exist they will be automatically generated by the build. To disable all issued JWTs upload a new ZIP using the Lambda Console after deleting theid_rsaandid_rsa.pubfiles (a new key will be automatically generated).
- Clone or download this repo
- Navigate to your organization'sprofile page,then choose OAuth Apps under Developer settings.
- SelectNew OAuth App
- ForAuthorization callback URLenter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example /_callback
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.- Choose
Githubas the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Session Duration and Organization- cloudfront-auth will check that users are a member of the entered Organization.
- Choose
- Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- Go to theCredentialstab of yourGoogle developers console
- Create a new Project
- Create anOAuth Client IDfrom theCreate credentialsmenu
- SelectWeb applicationfor the Application type
- UnderAuthorized redirect URIs,enter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example /_callback
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
Googleas the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Hosted Domain and Session Duration - Select the preferred authentication method
- Hosted Domain (verify email's domain matches that of the given hosted domain)
- JSON Email Lookup
- Enter your JSON Email Lookup URL (example below) that consists of a single JSON array of emails to search through
- Google Groups Lookup
- Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- In your Azure portal, go to Azure Active Directory and selectApp registrations
- Create a new application registration with an application type ofWeb app / api
- Once created, go to your application
Settings -> Keysand make a new key with your desired duration. Click save and copy the value. This will be yourclient_secret - Above where you selected
Keys,go toReply URLsand enter your Cloudfront hostname with your preferred path value for the authorization callback. Example:https://my-cloudfront-site.example /_callback
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
Microsoftas the authorization method and enter the values forTenant,Client ID (Application ID), Client Secret (previously created key), Redirect URI and Session Duration - Select the preferred authentication method
- Azure AD Membership (default)
- JSON Username Lookup
- Enter your JSON Username Lookup URL (example below) that consists of a single JSON array of usernames to search through
- Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- Sign in to OKTA with your administrator account and navigate to the
Applicationstab. - Add Application
- Select the
Webapplication type - Base URI: CloudFront distribution domain name (
https://{cf-endpoint}.cloudfront.net) - Login Redirect URI: CloudFront distribution domain name with callback path (
https://{cf-endpoint}.cloudfront.net/_callback) - Group Assignments: Optional
- Grant Type Allowed: Authorization Code
- Done
- Select the
- Gather the following information for Lambda configuration
- Client Id and Client Secret from the application created in our previous step (can be found at the bottom of the general tab)
- Base Url
- This is named the 'Org URL' and can be found in the top right of the Dashboard tab.
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
OKTAas the authorization method and enter the values for Base URL (Org URL), Client ID, Client Secret, Redirect URI, and Session Duration - Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- Go to theDashboardof your Auth0 admin page
- ClickNew Application
- SelectRegular Web Appand clickCreate.
- Now select an application type and follow the steps for 'Quick Start' or use your own app.
- Go to applicationSettingsand enter required details. InAllowed Callback URLsenter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example /_callback
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
AUTH0as the authorization method and enter the values for Base URL (Auth0 Domain), Client ID, Client Secret, Redirect URI, and Session Duration - Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- Go to theDashboardof your Centrify admin page
- ClickWeb Appsfrom the LHS.
- ClickAdd Web Appand select theCustom Tab.
- Add anOpenID Connectwebapp and clickYesto confirm.
- Fill in naming and logo information and then switch to theTrusttab.
- Enter service provider information. InAuthorized Redirect URIsenter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example /_callback - Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
CENTRIFYas the authorization method and enter the values for Base URL (Centrify Resource application URL), Client ID, Client Secret, Redirect URI, and Session Duration (which is available from theTokenstab). - Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
- Clone or download this repo
- Sign in to OKTA with your administrator account and navigate to the
Applicationstab. - Add Application
- Select the
Nativeapplication type - Base URI: CloudFront distribution domain name (
https://{cf-endpoint}.cloudfront.net) - Login Redirect URI: CloudFront distribution domain name with callback path (
https://{cf-endpoint}.cloudfront.net/_callback) - Group Assignments: Optional
- Grant Type Allowed: Authorization Code
- Done
- Select the
- Gather the following information for Lambda configuration
- Client Id from the application created in our previous step (can be found at the bottom of the general tab)
- Base Url
- This is named the 'Org URL' and can be found in the top right of the Dashboard tab.
- Execute
./build.shin the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
OKTA Nativeas the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Duration - Upload the resulting
zipfile found in your distribution folder using the AWS Lambda console and jump to theconfiguration step
Manual DeploymentorAWS SAM Deployment
-
JSON array of email addresses
[ "foo@gmail", "bar@gmail" ]
Detailed instructions on testing your function can be foundin the Wiki.
All contributions are welcome. Please create an issue in order open up communication with the community.
When implementing a new flow or using an already implemented flow, be sure to follow the same style used inbuild.js.The config.json file should have an object for each request made. For example,openid.index.jsconverts config.AUTH_REQUEST and config.TOKEN_REQUEST to querystrings for simplified requests (after adding dynamic variables such as state or nonce). For implementations that are not generic (most), endpoints are hardcoded in to the config (or discovery documents).
Be considerate of ourlimitations.The zipped function can be no more than 1MB in size and execution cannot take longer than 5 seconds, so we must pay close attention to the size of our dependencies and complexity of operations.