feat: support for OIDC providers in identitySource (#173)

Adding support for OIDC providers in IdentitySource Construct --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: github-actions <[email protected]>
cdklabs · Jul 15, 2024 · e0ebfda · e0ebfda
1 parent a15afb5
commit e0ebfda
Show file tree

Hide file tree

Showing 9 changed files with 1,375 additions and 71 deletions.
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -4,7 +4,7 @@ const project = new CdklabsConstructLibrary({
   authorAddress: '[email protected]',
   description: 'L2 AWS CDK Constructs for Amazon Verified Permissions',
   keywords: ['cdk', 'aws-cdk', 'awscdk', 'aws', 'verified-permissions', 'authorization', 'verifiedpermissions'],
-  cdkVersion: '2.139.0',
+  cdkVersion: '2.148.0',
   defaultReleaseBranch: 'main',
   devDeps: ['cdklabs-projen-project-types'],
   bundledDeps: ['@cedar-policy/[email protected]'],

diff --git a/API.md b/API.md
diff --git a/README.md b/README.md
@@ -61,7 +61,7 @@ const policyStore = new PolicyStore(scope, "PolicyStore", {
 
 ## Schemas
 
-If you want to have type safety when defining a schema, you can accomplish this in typescript. Simply use the `Schema` type exported by the `@cedar-policy/cedar-wasm`.
+If you want to have type safety when defining a schema, you can accomplish this **<ins>only</ins>** in typescript. Simply use the `Schema` type exported by the `@cedar-policy/cedar-wasm`.
 
 You can also generate a simple schema from a swagger file using the static function `schemaFromOpenApiSpec` in the PolicyStore construct. This functionality replicates what you can find in the AWS Verified Permissions console.
 
@@ -85,7 +85,7 @@ const policyStore = new PolicyStore(scope, "PolicyStore", {
 
 ## Identity Source
 
-Define Identity Source with required properties:
+Define Identity Source with Cognito Configuration and required properties:
 
 ```ts
 const userPool = new UserPool(scope, "UserPool"); // Creating a new Cognito UserPool
@@ -125,7 +125,7 @@ new IdentitySource(scope, "IdentitySource", {
 });
 ```
 
-Define Identity Source with all the properties:
+Define Identity Source with Cognito Configuration and all properties:
 
 ```ts
 const validationSettingsStrict = {
@@ -171,6 +171,111 @@ new IdentitySource(scope, "IdentitySource", {
 });
 ```
 
+Define Identity Source with OIDC Configuration and Access Token selection config:
+```ts
+const validationSettingsStrict = {
+  mode: ValidationSettingsMode.STRICT,
+};
+const cedarJsonSchema = {
+  PhotoApp: {
+    entityTypes: {
+      User: {},
+      Photo: {},
+    },
+    actions: {
+      viewPhoto: {
+        appliesTo: {
+          principalTypes: ["User"],
+          resourceTypes: ["Photo"],
+        },
+      },
+    },
+  },
+};
+const cedarSchema = {
+  cedarJson: JSON.stringify(cedarJsonSchema),
+};
+const policyStore = new PolicyStore(scope, "PolicyStore", {
+  schema: cedarSchema,
+  validationSettings: validationSettingsStrict,
+});
+const issuer = 'https://iamanidp.com';
+const principalIdClaim = 'sub';
+const entityIdPrefix = 'prefix';
+const groupClaim = 'group';
+const groupEntityType = 'GroupType';
+new IdentitySource(scope, 'IdentitySource', {
+  configuration: {
+    openIdConnectConfiguration: {
+      issuer: issuer,
+      entityIdPrefix: entityIdPrefix,
+      groupConfiguration: {
+        groupClaim: groupClaim,
+        groupEntityType: groupEntityType,
+      },
+      accessTokenOnly: {
+        audiences: ['testAudience'],
+        principalIdClaim: principalIdClaim,
+      },
+    },
+  },
+  policyStore: policyStore,
+  principalEntityType: 'TestType',
+});
+```
+
+Define Identity Source with OIDC Configuration and Identity Token selection config:
+```ts
+const validationSettingsStrict = {
+  mode: ValidationSettingsMode.STRICT,
+};
+const cedarJsonSchema = {
+  PhotoApp: {
+    entityTypes: {
+      User: {},
+      Photo: {},
+    },
+    actions: {
+      viewPhoto: {
+        appliesTo: {
+          principalTypes: ["User"],
+          resourceTypes: ["Photo"],
+        },
+      },
+    },
+  },
+};
+const cedarSchema = {
+  cedarJson: JSON.stringify(cedarJsonSchema),
+};
+const policyStore = new PolicyStore(scope, "PolicyStore", {
+  schema: cedarSchema,
+  validationSettings: validationSettingsStrict,
+});
+const issuer = 'https://iamanidp.com';
+const entityIdPrefix = 'prefix';
+const groupClaim = 'group';
+const groupEntityType = 'UserGroup';
+const principalIdClaim = 'sub';
+new IdentitySource(scope, 'IdentitySource', {
+  configuration: {
+    openIdConnectConfiguration: {
+      issuer: issuer,
+      entityIdPrefix: entityIdPrefix,
+      groupConfiguration: {
+        groupClaim: groupClaim,
+        groupEntityType: groupEntityType,
+      },
+      identityTokenOnly: {
+        clientIds: [],
+        principalIdClaim: principalIdClaim,
+      },
+    },
+  },
+  policyStore: policyStore,
+});
+```
+
 ## Policy
 
 Load all the `.cedar` files in a given folder and define Policy objects for each of them. All policies will be associated with the same policy store.

diff --git a/package.json b/package.json