This repository has been archived by the owner on Feb 11, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 149
Custom OpenID Connect Providers
Payton Garland edited this page Dec 10, 2018
·
1 revision
Although cloudfront-auth has an automatic build process for the listed providers, it is likely that users will want to use other providers. As a result, you can manually build the project for an unsupported OpenID Connect provider.
- Create a new directory in the
distributionsdirectory with your desired package name - Copy
package.jsonto your package directory - Copy
authn/openid.index.jsto your package directory asindex.js - Run
npm install - Build the configuration file and save it as
config.jsonin your package directory. Follow the config specifications. - If any extra authorization step is needed, modify the
authz/custom.jsfile accordingly. Regardless of modification, place theauthz/custom.jsfile within your package directory and name itauth.js. Upon modification follow the authorization file specifications. - Zip the following files:
- auth.js
- config.json
- index.js
- node_modules/*
- package-lock.json
- package.json
- Upload the zip to your AWS Lambda function
The configuration file was structured generically such that users can easily modify it without having to change the lambda. Data in the AUTH_REQUEST and TOKEN_REQUEST will be put in the querystring.
{
"AUTH_REQUEST": {
"client_id": "{client_id}",
"response_type": "code",
"scope": "openid email",
"redirect_uri": "{redirect_uri_ending_in_callback_path}"
},
"TOKEN_REQUEST": {
"client_id": "{client_id}",
"client_secret": "{client_secret}",
"redirect_uri": "{redirect_uri_ending_in_callback_path}",
"grant_type": "authorization_code"
},
"DISTRIBUTION": "{custom_provider_name}",
"AUTHN": "{custom_provider_name}",
"PRIVATE_KEY": "{private_key}",
"PUBLIC_KEY": "{public_key}",
"DISCOVERY_DOCUMENT": "{discovery_document_url}",
"SESSION_DURATION": {session_duration_int_in_seconds},
"CALLBACK_PATH": "{callback_path}"
}
Here's an example configuration file for Google
{
"AUTH_REQUEST": {
"client_id": "redacted",
"response_type": "code",
"scope": "openid email",
"redirect_uri": "https://example.com/_callback",
"hd": "gmail.com"
},
"TOKEN_REQUEST": {
"client_id": "redacted",
"client_secret": "redacted",
"redirect_uri": "https://example.com/_callback",
"grant_type": "authorization_code"
},
"DISTRIBUTION": "Google",
"AUTHN": "GOOGLE",
"PRIVATE_KEY": "redacted",
"PUBLIC_KEY": "redacted",
"DISCOVERY_DOCUMENT": "https://accounts.google.com/.well-known/openid-configuration",
"SESSION_DURATION": 10800,
"CALLBACK_PATH": "/_callback",
"HOSTED_DOMAIN": "gmail.com",
"AUTHZ": "1"
}
The authorization file has two main components used by openid.index.js
-
isAuthorized(decoded, request, callback, unauthorized, internalServerError, config)- Responsible for determining if the given user is authorized to access the CloudFront distribution. Should you decide the user is unauthorized, call the
unauthorized(body, callback)function that was passed in. (NOTE: you do not need to validate the JWT in this function, that step is handled for you inopenid.index.js)
- Responsible for determining if the given user is authorized to access the CloudFront distribution. Should you decide the user is unauthorized, call the
-
getSubject(decoded)- Determines which value from the decoded JWT (received from OpenID Connect provider) to be set as the custom JWT subject. We create a new JWT and set it as a cookie for future access to the CloudFront distribution.
function isAuthorized(decoded, request, callback, unauthorized, internalServerError, config) {
callback(null, request);
}
function getSubject(decoded) {
return decoded.payload.email;
}
exports.isAuthorized = isAuthorized;
exports.getSubject = getSubject;