An AWS CloudFront Lambda@Edge function to authenticate requests using Google Apps, Microsoft, Auth0, OKTA, and GitHub login
See https://github.com/Widen/cloudfront-auth/issues/104 for details about the status of this project.
Google Apps (G Suite), Microsoft Azure AD, GitHub, OKTA, Auth0, Centrify authentication for CloudFront using Lambda@Edge. The original use case for cloudfront-auth
was to serve private S3 content over HTTPS without running a proxy server in EC2 to authenticate requests; but cloudfront-auth
can be used authenticate requests of any Cloudfront origin configuration.
Upon successful authentication, a cookie (named TOKEN
) with the value of a signed JWT is set and the user redirected back to the originally requested path. Upon each request, Lambda@Edge checks the JWT for validity (signature, expiration date, audience and matching hosted domain) and will redirect the user to configured provider's login when their session has timed out.
If your CloudFront distribution is pointed at a S3 bucket, configure origin access identity so S3 objects can be stored with private permissions. (Origin access identity requires the S3 ACL owner be the account owner. Use our s3-object-owner-monitor Lambda function if writing objects across multiple accounts.)
Enable SSL/HTTPS on your CloudFront distribution; AWS Certificate Manager can be used to provision a no-cost certificate.
Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT. If the files id_rsa
and id_rsa.pub
do not exist they will be automatically generated by the build. To disable all issued JWTs upload a new ZIP using the Lambda Console after deleting the id_rsa
and id_rsa.pub
files (a new key will be automatically generated).
https://my-cloudfront-site.example.com/_callback
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.
Github
as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Session Duration and Organization
zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
https://my-cloudfront-site.example.com/_callback
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.Google
as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Hosted Domain and Session Durationzip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
Settings -> Keys
and make a new key with your desired duration. Click save and copy the value. This will be your client_secret
Keys
, go to Reply URLs
and enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.Microsoft
as the authorization method and enter the values for Tenant, Client ID (Application ID), Client Secret (previously created key), Redirect URI and Session Durationzip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
Applications
tab.Web
application typehttps://{cf-endpoint}.cloudfront.net
)https://{cf-endpoint}.cloudfront.net/_callback
)./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.OKTA
as the authorization method and enter the values for Base URL (Org URL), Client ID, Client Secret, Redirect URI, and Session Durationzip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
https://my-cloudfront-site.example.com/_callback
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.AUTH0
as the authorization method and enter the values for Base URL (Auth0 Domain), Client ID, Client Secret, Redirect URI, and Session Durationzip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
https://my-cloudfront-site.example.com/_callback
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.CENTRIFY
as the authorization method and enter the values for Base URL (Centrify Resource application URL), Client ID, Client Secret, Redirect URI, and Session Duration (which is available from the Tokens tab).zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
Applications
tab.Native
application typehttps://{cf-endpoint}.cloudfront.net
)https://{cf-endpoint}.cloudfront.net/_callback
)./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.OKTA Native
as the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Durationzip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
Manual Deployment or AWS SAM Deployment
JSON array of email addresses
[ "[email protected]", "[email protected]" ]
Detailed instructions on testing your function can be found in the Wiki.
All contributions are welcome. Please create an issue in order open up communication with the community.
When implementing a new flow or using an already implemented flow, be sure to follow the same style used in build.js
. The config.json file should have an object for each request made. For example, openid.index.js
converts config.AUTH_REQUEST and config.TOKEN_REQUEST to querystrings for simplified requests (after adding dynamic variables such as state or nonce). For implementations that are not generic (most), endpoints are hardcoded in to the config (or discovery documents).
Be considerate of our limitations. The zipped function can be no more than 1MB in size and execution cannot take longer than 5 seconds, so we must pay close attention to the size of our dependencies and complexity of operations.