Google Apps (G Suite), Microsoft Azure AD, GitHub, and OKTA authentication for CloudFront using Lambda@Edge. The primary use case for cloudfront-auth
is to serve private S3 content over HTTPS without running a proxy server to authenticate requests.
Upon successful authentication, a cookie (named TOKEN
) with the value of a signed JWT is set and the user redirected back to the originally requested path. Upon each request, Lambda@Edge checks the JWT for validity (signature, expiration date, audience and matching hosted domain) and will redirect the user to configured provider's login when their session has timed out.
If your CloudFront distribution is pointed at a S3 bucket, configure origin access identity so S3 objects can be stored with private permissions.
Enable SSL/HTTPS on your CloudFront distribution; AWS Certificate Manager can be used to provision a no-cost certificate.
Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT. If the files id_rsa
and id_rsa.pub
do not exist they will be automatically generated by the build. To disable all issued JWTs upload a new ZIP using the Lambda Console after deleting the id_rsa
and id_rsa.pub
files (a new key will be automatically generated).
- Clone or download this repo
- Navigate to your organization's profile page, then choose OAuth Apps under Developer settings.
- Select New OAuth App
- For Authorization callback URL enter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example.com/_callback
- Execute
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.- Choose
Github
as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Session Duration and Organization- cloudfront-auth will check that users are a member of the entered Organization.
- Choose
- Upload the resulting
zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
- Clone or download this repo
- Go to the Credentials tab of your Google developers console
- Create a new Project
- Create an OAuth Client ID from the Create credentials menu
- Select Web application for the Application type
- Under Authorized redirect URIs, enter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example.com/_callback
- Execute
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
Google
as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Hosted Domain and Session Duration - Select the preferred authentication method
- Hosted Domain (verify email's domain matches that of the given hosted domain)
- JSON Email Lookup
- Enter your JSON Email Lookup URL (example below) that consists of a single JSON array of emails to search through
- Google Groups Lookup
- Upload the resulting
zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
- Clone or download this repo
- In your Azure portal, go to Azure Active Directory and select App registrations
- Create a new application registration with an application type of Web app / api
- Once created, go to your application
Settings -> Keys
and make a new key with your desired duration. Click save and copy the value. This will be yourclient_secret
- Above where you selected
Keys
, go toReply URLs
and enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
- Execute
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
Microsoft
as the authorization method and enter the values for Tenant, Client ID (Application ID), Client Secret (previously created key), Redirect URI and Session Duration - Select the preferred authentication method
- Azure AD Membership (default)
- JSON Username Lookup
- Enter your JSON Username Lookup URL (example below) that consists of a single JSON array of usernames to search through
- Upload the resulting
zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
- Clone or download this repo
- Go to the Applications tab of your OKTA admin page
- Add Application
- Select Web as the platform
- For Login redirect URIs, enter your Cloudfront hostname with your preferred path value for the authorization callback. Example:
https://my-cloudfront-site.example.com/_callback
- Make sure Authorization Code is checked for Grant type allowed
- Execute
./build.sh
in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. - Choose
OKTA
as the authorization method and enter the values for Base URL, Client ID, Client Secret, Redirect URI, and Session Duration - Upload the resulting
zip
file found in your distribution folder using the AWS Lambda console and jump to the configuration step
-
Upload cloudfront-auth.zip to Lambda using the AWS Console:
- Choose Create function
- Choose Blueprints
- Search and select cloudfront-http-redirect
- Enter Name (e.g.
My_Site_Cloudfront_Auth
) - Select Create new role from Templates as the Role
- Enter Role Name (e.g.
Lambda_At_Edge_Cloudfront
) - Add the role policy template Basic Edge Lambda Permissions
- Click Create function
- Choose Upload a .ZIP file under the Function code header and Code entry type field
- Click Upload and choose your generated
cloudfront-auth.zip
file - Set Timeout under Basic Settings to be 5 seconds
- Click Save
- Click Upload and choose your generated
- Choose Publish new version under the Actions button
- Enter a version description (e.g.
v1
)
- Enter a version description (e.g.
- Copy the ARN value (required to be your published versioned) from the top-right:
arn:aws:lambda:us-east-1:9999999999:function:my-site-cloudfront-auth:1
-
Configure CloudFront to use the Lambda function upon viewer request:
- Choose the Behaviors tab for your CloudFront distribution, mark the checkbox for the origin, choose Edit
- Under Lambda Function Associations
- It may take Cloudfront up to 20 minutes to fully configure the distribution. You may receive strange errors while the distribution is still updating.
- When fully deployed, your browser will be redirected to your authentication provider as necessary! Enjoy!
-
JSON array of email addresses
[ "[email protected]", "[email protected]" ]
Detailed instructions on testing your function can be found in the Wiki.
All contributions are welcome. Please create an issue in order open up communication with the community.
When implementing a new flow or using an already implemented flow, be sure to follow the same style used in build.js
. The config.json file should have an object for each request made. For example, openid.index.js
converts config.AUTH_REQUEST and config.TOKEN_REQUEST to querystrings for simplified requests (after adding dynamic variables such as state or nonce). For implementations that are not generic (most), endpoints are hardcoded in to the config (or discovery documents).
Be considerate of our limitations. The zipped function can be no more than 1MB in size and execution cannot take longer than 5 seconds, so we must pay close attention to the size of our dependencies and complexity of operations.