Cloudfront: Allow "Authorization" as a header in Origin Request Policies #28883

Open
2 tasks
WillSmithTE opened this issue Jan 26, 2024 · 1 comment
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3

Comments

@WillSmithTE
Describe the feature

I want the ability to forward the Authorization header to the origin server, without putting it in the cache key. This is the purpose of the Origin Request Policies.

See issue for prior discussion.

Use Case

I have various endpoints which each determine by themselves what they want to cache, and if they want to cache in the CDN or locally.

e.g.

/user/profile takes a user's id from their JWT to provide the right info when a user views their own profile. In this case I need the Authorization to be forwarded to the origin server to serve the right request. I don't want to cache it publicly, so I won't return any cache headers.

/books?genre=fantasy&sort=latest gets the latest fantasy books. In this case I don't need the Authorization header to go to the origin server, it's a public request. However it's an expensive request, so I want to cache it publicly. I want to include the query params in the cache key, but not the Authorization header.

As far as I can see, to do this I would create a cache policy and an origin request policy, as below, but this is not possible because Authorization is not allowed in origin request policies.

```hcl
resource "aws_cloudfront_cache_policy" "parameters_in_cache_key_and_forwarded_to_origin" {
  name = "parameters_in_cache_key_and_forwarded_to_origin"

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    query_strings_config {
      query_string_behavior = "all"
    }
  }
}

resource "aws_cloudfront_origin_request_policy" "parameters_only_to_origin_not_in_cache_key" {
  name = "example-origin-request-policy"

  headers_config {
    header_behavior = "whitelist"
    headers {
      items = ["Authorization"]
    }
  }

  cookies_config {
    cookie_behavior = "none"
  }

  query_strings_config {
    query_string_behavior = "all"
  }
}
```

Proposed Solution

Allow Authorization as a header in origin request policies

Other Information

Right now my workaround is using a separate cache behaviour with a path pattern, and adding public to any api path which is public, and not forwarding Authorization there to either the origin server or the cache key. I would much rather have this logic live inside my app server than my CDN config.

I don't ever need Authorization to be included in a cache key, there are too many users for that to be useful and I'll just use the browser cache instead.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

Not relevant

Environment details (OS name and version, etc.)

Not relevant

@WillSmithTE WillSmithTE added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Jan 26, 2024
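
The cache-key versus forwarded-header split that this request relies on, as an added example that is not part of the issue or of the CDK project. It is a constructed toy edge cache, not CloudFront's implementation; `EdgeCache`, `make_origin`, `second_user_sees`, the tokens, and the 86400-second default TTL applied when the origin sends no `Cache-Control` are assumptions. It shows that once `Authorization` is forwarded but kept out of the key, only the origin's response headers separate one user's `/user/profile` from the next.

```python
from dataclasses import dataclass, field


@dataclass
class EdgeCache:
    """Toy CDN edge: constructed model, not CloudFront's implementation."""
    key_headers: tuple = ()        # request headers that are part of the cache key
    forward_headers: tuple = ()    # headers sent to origin but kept out of the key
    default_ttl: int = 86400       # assumed TTL when origin sends no Cache-Control
    store: dict = field(default_factory=dict)

    def handle(self, origin, path, query="", headers=None):
        headers = headers or {}
        key = (path, query, tuple(headers.get(h) for h in self.key_headers))
        if key in self.store:
            return self.store[key], "hit"       # origin is never consulted
        allowed = set(self.key_headers) | set(self.forward_headers)
        sent = {h: v for h, v in headers.items() if h in allowed}
        body, cache_control = origin(path, sent)
        if self._cacheable(cache_control):
            self.store[key] = body
        return body, "miss"

    def _cacheable(self, cache_control):
        if cache_control is None:               # no header: fall back to default TTL
            return self.default_ttl > 0
        directives = {d.strip().lower() for d in cache_control.split(",")}
        return not directives & {"private", "no-store", "no-cache"}


def make_origin(profile_cache_control):
    """Hypothetical app server for the two endpoints described in the issue."""
    def origin(path, headers):
        if path == "/user/profile":
            user = headers.get("Authorization", "anonymous")  # stands in for JWT parsing
            return f"profile of {user}", profile_cache_control
        return "latest fantasy books", "public, max-age=300"
    return origin


def second_user_sees(profile_cache_control, key_headers=()):
    """Alice then Bob request /user/profile; return what Bob receives."""
    edge = EdgeCache(key_headers=key_headers, forward_headers=("Authorization",))
    origin = make_origin(profile_cache_control)
    edge.handle(origin, "/user/profile", headers={"Authorization": "alice-token"})
    return edge.handle(origin, "/user/profile", headers={"Authorization": "bob-token"})
```

In this model `second_user_sees(None)` hands Bob Alice's profile as a cache hit, while an explicit `private` from the origin, or `Authorization` in the key, gives Bob his own response.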
@pahud
Contributor

pahud commented Jan 29, 2024

Thank you for the feature request and we look forward to any pull requests from the community.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 29, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024