Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

better support for stages #28

Merged
merged 3 commits into from
Jan 10, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -111,14 +111,14 @@ Next you need to decide if you'd like to deploy with lambda/API Gateway (follow
- Configure the OIDC integration in AWS console for Cognito (described below, but following [these instructions](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html)). The following settings are required:
- Client ID: The GitHub Client ID above
- Authorize scope: `openid read:user user:email`
- Issuer: either `https://<Your API Gateway DNS name>/Prod` (for lambda with API gateway, replace `Prod` with the correct stage name) or `https://<your webserver>/` (for the node server).
- Issuer: `https://<Your API Gateway DNS name>/${Stage_Name}` or `https://<your webserver>/` (for the node server).
- If you have deployed the web app: Run discovery (big blue button next to Issuer).
- If you have deployed the lambda/Gateway: For some reason, Cognito is unable to
do OpenID Discovery. You will need to configure the endpoints manually. They are:
- Authorization endpoint: `https://<Your API Gateway DNS name>/Prod/authorize`
- Token endpoint: `https://<Your API Gateway DNS name>/Prod/token`
- Userinfo endpoint: `https://<Your API Gateway DNS name>/Prod/userinfo`
- JWKS uri: `https://<Your API Gateway DNS name>/Prod/.well-known/jwks.json`
- Authorization endpoint: `https://<Your API Gateway DNS name>/${Stage_Name}/authorize`
- Token endpoint: `https://<Your API Gateway DNS name>/${Stage_Name}/token`
- Userinfo endpoint: `https://<Your API Gateway DNS name>/${Stage_Name}/userinfo`
- JWKS uri: `https://<Your API Gateway DNS name>/${Stage_Name}/.well-known/jwks.json`
- Configure the Attribute Mapping in the AWS console:

![Attribute mapping](docs/attribute-mapping.png)
Expand Down Expand Up @@ -222,7 +222,7 @@ You can compare this workflow to the documented Cognito workflow [here](https://
- `scripts/create-key.sh`: If the private key is missing, generate a new one.
This is run as a preinstall script before `npm install`
- `scripts/deploy.sh`: This is the deploy part of `npm run deploy`. It uploads
the dist folder to S3, and then creates the cloudformation stack that contains
the dist folder to S3, and then creates the cloudformation stack that contains
the API gateway and lambdas

#### Tests
Expand Down
2 changes: 1 addition & 1 deletion scripts/deploy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,4 @@ source ./config.sh
OUTPUT_TEMPLATE_FILE="$PROJECT_ROOT/serverless-output.yml"
aws s3 mb "s3://$BUCKET_NAME" --region "$REGION" || true
sam package --template-file template.yml --output-template-file "$OUTPUT_TEMPLATE_FILE" --s3-bucket "$BUCKET_NAME"
sam deploy --region "$REGION" --template-file "$OUTPUT_TEMPLATE_FILE" --stack-name "$STACK_NAME" --parameter-overrides GitHubClientIdParameter="$GITHUB_CLIENT_ID" GitHubClientSecretParameter="$GITHUB_CLIENT_SECRET" CognitoRedirectUriParameter="$COGNITO_REDIRECT_URI" --capabilities CAPABILITY_IAM
sam deploy --region "$REGION" --template-file "$OUTPUT_TEMPLATE_FILE" --stack-name "$STACK_NAME" --parameter-overrides GitHubClientIdParameter="$GITHUB_CLIENT_ID" GitHubClientSecretParameter="$GITHUB_CLIENT_SECRET" CognitoRedirectUriParameter="$COGNITO_REDIRECT_URI" StageNameParameter="$STAGE_NAME" --capabilities CAPABILITY_IAM
2 changes: 1 addition & 1 deletion src/connectors/lambda/util/auth.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ module.exports = {
}),

getIssuer: (host, stage) => {
const lStage = stage || 'Prod';
const lStage = stage;
const issuer = `${host}/${lStage}`;
return issuer;
}
Expand Down
48 changes: 31 additions & 17 deletions template.yml
Original file line number Diff line number Diff line change
@@ -1,25 +1,25 @@
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
./rego-api-identity-proxy
Github Cognito OpenID Wrapper (SSO)

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
Function:
Runtime: nodejs8.10
Timeout: 15
Environment:
Variables:
GITHUB_CLIENT_ID:
Ref: GitHubClientIdParameter
GITHUB_CLIENT_SECRET:
Ref: GitHubClientSecretParameter
COGNITO_REDIRECT_URI:
Ref: CognitoRedirectUriParameter
GITHUB_API_URL:
Ref: GitHubUrlParameter
GITHUB_LOGIN_URL:
Ref: GitHubLoginUrlParameter
Function:
Runtime: nodejs10
Timeout: 15
Environment:
Variables:
GITHUB_CLIENT_ID:
Ref: GitHubClientIdParameter
GITHUB_CLIENT_SECRET:
Ref: GitHubClientSecretParameter
COGNITO_REDIRECT_URI:
Ref: CognitoRedirectUriParameter
GITHUB_API_URL:
Ref: GitHubUrlParameter
GITHUB_LOGIN_URL:
Ref: GitHubLoginUrlParameter

Parameters:
GitHubClientIdParameter:
Expand All @@ -36,8 +36,15 @@ Parameters:
Type: String
Default: "https://github.com"
MinLength: 1
StageNameParameter:
Type: String

Resources:
GithubOAuthApi:
Type: AWS::Serverless::Api
Properties:
StageName: !Ref StageNameParameter
OpenApiVersion: "2.0"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needed to get around the sam stage bug: aws/serverless-application-model#191

OpenIdDiscovery:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -49,6 +56,7 @@ Resources:
Properties:
Path: /.well-known/openid-configuration
Method: get
RestApiId: !Ref GithubOAuthApi
Authorize:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -60,6 +68,7 @@ Resources:
Properties:
Path: /authorize
Method: get
RestApiId: !Ref GithubOAuthApi
Token:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -71,11 +80,13 @@ Resources:
Properties:
Path: /token
Method: get
RestApiId: !Ref GithubOAuthApi
PostResource:
Type: Api
Properties:
Path: /token
Method: post
RestApiId: !Ref GithubOAuthApi
UserInfo:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -87,11 +98,13 @@ Resources:
Properties:
Path: /userinfo
Method: get
RestApiId: !Ref GithubOAuthApi
PostResource:
Type: Api
Properties:
Path: /userinfo
Method: post
RestApiId: !Ref GithubOAuthApi
Jwks:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -103,8 +116,9 @@ Resources:
Properties:
Path: /.well-known/jwks.json
Method: get
RestApiId: !Ref GithubOAuthApi

Outputs:
GitHubShimIssuer:
Description: "GitHub OpenID Shim Issuer"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod"
Value: !Sub "https://${GithubOAuthApi}.execute-api.${AWS::Region}.amazonaws.com/${StageNameParameter}"