diff --git a/README.md b/README.md index 4813222..15a9466 100644 --- a/README.md +++ b/README.md @@ -111,14 +111,14 @@ Next you need to decide if you'd like to deploy with lambda/API Gateway (follow - Configure the OIDC integration in AWS console for Cognito (described below, but following [these instructions](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html)). The following settings are required: - Client ID: The GitHub Client ID above - Authorize scope: `openid read:user user:email` - - Issuer: either `https:///Prod` (for lambda with API gateway, replace `Prod` with the correct stage name) or `https:///` (for the node server). + - Issuer: `https:///${Stage_Name}` or `https:///` (for the node server). - If you have deployed the web app: Run discovery (big blue button next to Issuer). - If you have deployed the lambda/Gateway: For some reason, Cognito is unable to do OpenID Discovery. You will need to configure the endpoints manually. They are: - - Authorization endpoint: `https:///Prod/authorize` - - Token endpoint: `https:///Prod/token` - - Userinfo endpoint: `https:///Prod/userinfo` - - JWKS uri: `https:///Prod/.well-known/jwks.json` + - Authorization endpoint: `https:///${Stage_Name}/authorize` + - Token endpoint: `https:///${Stage_Name}/token` + - Userinfo endpoint: `https:///${Stage_Name}/userinfo` + - JWKS uri: `https:///${Stage_Name}/.well-known/jwks.json` - Configure the Attribute Mapping in the AWS console: ![Attribute mapping](docs/attribute-mapping.png) 
@@ -222,7 +222,7 @@ You can compare this workflow to the documented Cognito workflow [here](https:// - `scripts/create-key.sh`: If the private key is missing, generate a new one. This is run as a preinstall script before `npm install` - `scripts/deploy.sh`: This is the deploy part of `npm run deploy`. It uploads - the dist folder to S3, and then creates the cloudformation stack that contains + the dist folder to S3, and then creates the cloudformation stack that contains the API gateway and lambdas #### Tests diff --git a/scripts/deploy.sh b/scripts/deploy.sh index f0f7c6c..5a69e3a 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -21,4 +21,4 @@ source ./config.sh OUTPUT_TEMPLATE_FILE="$PROJECT_ROOT/serverless-output.yml" aws s3 mb "s3://$BUCKET_NAME" --region "$REGION" || true sam package --template-file template.yml --output-template-file "$OUTPUT_TEMPLATE_FILE" --s3-bucket "$BUCKET_NAME" -sam deploy --region "$REGION" --template-file "$OUTPUT_TEMPLATE_FILE" --stack-name "$STACK_NAME" --parameter-overrides GitHubClientIdParameter="$GITHUB_CLIENT_ID" GitHubClientSecretParameter="$GITHUB_CLIENT_SECRET" CognitoRedirectUriParameter="$COGNITO_REDIRECT_URI" --capabilities CAPABILITY_IAM +sam deploy --region "$REGION" --template-file "$OUTPUT_TEMPLATE_FILE" --stack-name "$STACK_NAME" --parameter-overrides GitHubClientIdParameter="$GITHUB_CLIENT_ID" GitHubClientSecretParameter="$GITHUB_CLIENT_SECRET" CognitoRedirectUriParameter="$COGNITO_REDIRECT_URI" StageNameParameter="$STAGE_NAME" --capabilities CAPABILITY_IAM diff --git a/src/connectors/lambda/util/auth.js b/src/connectors/lambda/util/auth.js index 27c20e3..883b7b6 100644 --- a/src/connectors/lambda/util/auth.js +++ b/src/connectors/lambda/util/auth.js @@ -37,7 +37,7 @@ module.exports = { }), getIssuer: (host, stage) => { - const lStage = stage || 'Prod'; + const lStage = stage; const issuer = `${host}/${lStage}`; return issuer; } diff --git a/template.yml b/template.yml index 3a49d05..9ba05d8 100644 
--- a/template.yml +++ b/template.yml @@ -1,25 +1,25 @@ AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > - ./rego-api-identity-proxy + Github Cognito OpenID Wrapper (SSO) # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: - Function: - Runtime: nodejs8.10 - Timeout: 15 - Environment: - Variables: - GITHUB_CLIENT_ID: - Ref: GitHubClientIdParameter - GITHUB_CLIENT_SECRET: - Ref: GitHubClientSecretParameter - COGNITO_REDIRECT_URI: - Ref: CognitoRedirectUriParameter - GITHUB_API_URL: - Ref: GitHubUrlParameter - GITHUB_LOGIN_URL: - Ref: GitHubLoginUrlParameter + Function: + Runtime: nodejs10 + Timeout: 15 + Environment: + Variables: + GITHUB_CLIENT_ID: + Ref: GitHubClientIdParameter + GITHUB_CLIENT_SECRET: + Ref: GitHubClientSecretParameter + COGNITO_REDIRECT_URI: + Ref: CognitoRedirectUriParameter + GITHUB_API_URL: + Ref: GitHubUrlParameter + GITHUB_LOGIN_URL: + Ref: GitHubLoginUrlParameter Parameters: GitHubClientIdParameter: @@ -36,8 +36,15 @@ Parameters: Type: String Default: "https://github.com" MinLength: 1 + StageNameParameter: + Type: String Resources: + GithubOAuthApi: + Type: AWS::Serverless::Api + Properties: + StageName: !Ref StageNameParameter + OpenApiVersion: "2.0" OpenIdDiscovery: Type: AWS::Serverless::Function Properties: @@ -49,6 +56,7 @@ Resources: Properties: Path: /.well-known/openid-configuration Method: get + RestApiId: !Ref GithubOAuthApi Authorize: Type: AWS::Serverless::Function Properties: @@ -60,6 +68,7 @@ Resources: Properties: Path: /authorize Method: get + RestApiId: !Ref GithubOAuthApi Token: Type: AWS::Serverless::Function Properties: @@ -71,11 +80,13 @@ Resources: Properties: Path: /token Method: get + RestApiId: !Ref GithubOAuthApi PostResource: Type: Api Properties: Path: /token Method: post + RestApiId: !Ref GithubOAuthApi UserInfo: Type: AWS::Serverless::Function Properties: 
@@ -87,11 +98,13 @@ Resources: Properties: Path: /userinfo Method: get + RestApiId: !Ref GithubOAuthApi PostResource: Type: Api Properties: Path: /userinfo Method: post + RestApiId: !Ref GithubOAuthApi Jwks: Type: AWS::Serverless::Function Properties: @@ -103,8 +116,9 @@ Resources: Properties: Path: /.well-known/jwks.json Method: get + RestApiId: !Ref GithubOAuthApi Outputs: GitHubShimIssuer: Description: "GitHub OpenID Shim Issuer" - Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod" + Value: !Sub "https://${GithubOAuthApi}.execute-api.${AWS::Region}.amazonaws.com/${StageNameParameter}"
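Review bot: the rewritten Issuer bullet in the first README hunk (`- Issuer: `https:///${Stage_Name}` or `https:///` (for the node server)`) drops the statement that the first form is the lambda/API Gateway one and never says where `${Stage_Name}` comes from, while `scripts/deploy.sh` reads it as `$STAGE_NAME` from `config.sh`. Suggest keeping the parenthetical and using the real variable name, e.g. `Issuer: `https:///${STAGE_NAME}` (for lambda with API Gateway; `STAGE_NAME` is the value set in `config.sh`) or `https:///` (for the node server)`, and using the same spelling in the four manual-endpoint bullets so a reader does not take `${Stage_Name}` for a separate setting.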
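Review bot: the second README hunk changes only trailing whitespace on the `scripts/deploy.sh` description and should either be dropped from the commit or made useful; since that paragraph documents `npm run deploy`, it is the natural place to say that `config.sh` must now define `STAGE_NAME`, which this patch adds to the `sam deploy` call without documenting anywhere.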
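Review bot: `StageNameParameter="$STAGE_NAME"` in the new `sam deploy` line depends on `config.sh` (sourced a few lines up, not part of this diff) exporting `STAGE_NAME`; if it is unset the override is an empty string and, because `StageNameParameter` has no `Default` in `template.yml`, stack creation fails with a generic parameter validation error. Suggest failing early after `source ./config.sh`, e.g. `: "${STAGE_NAME:?set STAGE_NAME in config.sh}"`, or giving the parameter a default. Unrelated to this change but on the same line: `GitHubClientSecretParameter="$GITHUB_CLIENT_SECRET"` places the client secret in the process argument list, where other local users can read it via `ps`; moving it out of the command line (a parameter file with restrictive permissions, or a Secrets Manager/SSM reference) would be safer.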
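Review bot: `const lStage = stage;` in `getIssuer` removes the `'Prod'` fallback without replacing it with a check, so a call that omits `stage` now returns `${host}/undefined` instead of a usable issuer; that string is the value the README tells the operator to paste into Cognito and the base for every endpoint URL, so a silently wrong issuer breaks token validation rather than erroring at deploy time. Suggest failing loudly and dropping the now-pointless temporary: `if (!stage) throw new Error('stage is required');` followed by `return `${host}/${stage}`;`.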
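Review bot: `Runtime: nodejs10` in the `Globals` hunk is not a Lambda runtime identifier; the Node.js 10 runtime is `nodejs10.x`, and CloudFormation will reject the template on create. The rest of that hunk is an indentation-only rewrite of the unchanged `Globals` block (every `Environment` variable is removed and re-added verbatim), which buries the one real change; suggest reverting the reindent or splitting it into its own commit. While the block is being touched: `GITHUB_CLIENT_SECRET` is injected into every function through `Globals`, including `OpenIdDiscovery` and `Jwks`, which serve public metadata and have no use for it; scoping the secret to the functions that talk to GitHub's token endpoint, or reading it from Secrets Manager/SSM at runtime, would narrow the exposure if any one function is compromised.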
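Review bot: `StageNameParameter` is declared with only `Type: String`, with no `Default`, `MinLength` or `AllowedPattern`, unlike the neighbouring parameters (`MinLength: 1` is visible directly above it), so an empty or malformed value flows straight into `StageName: !Ref StageNameParameter` and the `Outputs` URL. Suggest `Default: Prod` so existing deployments keep their current issuer and endpoint URLs when they pick up this change, plus `AllowedPattern: "^[a-zA-Z0-9_-]+$"`, which matches the characters API Gateway accepts in a stage name and the fact that the value is used as a URL path segment.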
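Review bot: with the `GitHubShimIssuer` output now built from `${GithubOAuthApi}` instead of `${ServerlessRestApi}`, every `Type: Api` event must carry `RestApiId: !Ref GithubOAuthApi`; any event left without it is attached to an implicit second API whose URL is no longer exported, so that route would exist but be unreachable from the documented issuer. The visible hunks add the reference for `/.well-known/openid-configuration`, `/authorize`, `/token` (get and post), `/userinfo` (get and post) and `/.well-known/jwks.json`; please confirm no other Api event remains in the parts of `template.yml` not shown in the diff, and that the `${StageNameParameter}` segment in the output matches the stage Cognito is given in the README.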