npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

lambda-oidc-authenticator

v0.0.2

Published

An AWS Lambda function to provide an oidc Custom Authenticator for AWS API Gateway ( tested with key-cloak). Inspired from lambda-auth0-authorizer

Downloads

7

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gauravlanjekargauravlanjekar

Keywords

awsapi-gatewayoidckey-cloakcustom-authorizerauthenticationlambda

Readme

lambda-oidc-authorizer

An AWS Custom Authorizer for AWS API Gateway that support oidc Bearer tokens.

Inspired from (lambda-auth0-authorizer)

About

What is AWS API Gateway?

API Gateway is an AWS service that allows for the definition, configuration and deployment of REST API interfaces. These interfaces can connect to a number of backend systems. One popular use case is to provide an interface to AWS Lambda functions to deliver a so-called 'serverless' architecture.

What are Custom Authorizers?

In February 2016 Amazon announced a new feature for API Gateway - Custom Authorizers.

This allows a Lambda function to be invoked prior to an API Gateway execution to perform authentication and authorization of the request and caching of the result. This code can then be isolated to a single function rather than replicated across every backend Lambda function.

What is lambda-oidc-authorizer?

This package gives you the code for a Custom Authorizer that will, with a little configuration, perform token validation and authentication on API Gateway requests.

What alternatives are there to this lambda-oidc-authorizer?

oidc uses JWTs. There are several Custom Authorizers for JWTs:

  • https://github.com/kopertop/lambda-jwt

Configuration

node modules

Run npm install to download all the dependent modules. This is a prerequisite for deployment as AWS Lambda requires these files to be included in the bundle.

.env

Copy .env.sample to .env

Values specified in this file will set the corresponding environment variables.

You will need to set:

certsPath=http://<keycloak-domain>/auth/realms/master/protocol/openid-connect/certs

You can obtain these values from your keycloak oidc configuration (http:///auth/realms/master/.well-known/openid-configuration).

policyDocument.json

Copy policyDocument.json.sample to policyDocument.json

This AWS Policy document is returned by the authorizer and is the permission granted to the invoke of the API Gateway.

You will need to edit it to give sufficient access for all the API Gateway functions it will use

The general form an API Gateway ARN is:

"arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>"

To grant access to ALL your API Gateways you can use:

"arn:aws:execute-api:*"

Local testing

Bearer token

You will need to obtain a test Bearer Token. This is the [id_token] that is provided by a successful authentication.

event.json

Copy event.json.sample to event.json. Provide the id_token from the previous step.

"authorizationToken" : "Bearer <id_token>",

lambda-local

Run npm test to use lambda-local test harness

A successful run will look something like:

$ npm test

> [email protected] test ~/lambda-oidc-authorizer
> lambda-local --timeout 300 --lambdapath index.js --eventpath event.json

Logs
----
START RequestId: bcb21d17-c3f8-2299-58d9-0400adcfe921
authentication successful for user_id [email protected]
END


Message
------
{
    "principalId": "[email protected]",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1459758003000",
                "Effect": "Allow",
                "Action": [
                    "execute-api:Invoke"
                ],
                "Resource": [
                    "arn:aws:execute-api:*"
                ]
            }
        ]
    }
}

The Message is the authorization data that the Lambda function returns to API Gateway.

Deployment

Create bundle

You can create the bundle using npm run zip. This creates a lambda-oidc-authorizer.zip deployment package with all the source, configuration and node modules AWS Lambda needs.

Create Lambda function

From the AWS console https://console.aws.amazon.com/lambda/home#/create?step=2

  • Name : oidc_authorizer
  • Description: oidc authorizer for API Gateway
  • Runtime: Node.js 4.3
  • Code entry type: Upload a .ZIP file
  • Upload : < select lambda-oidc-authorizer.zip we created in the previous step >
  • Handler : index.handler
  • Role : Basic execution role
  • Memory (MB) : 128
  • Timeout : 30 seconds
  • VPC : No VPC

Click Next and Create

Testing Lambda

In the Lambda console, select Actions -> Configure Test event.

Use the following JSON as the test event data. The id_token is the same format we used in event.json above. Click Save and Test to run the Lambda.

{
    "type": "TOKEN",
    "authorizationToken": "Bearer <id_token>",
    "methodArn":"arn:aws:execute-api:us-east-1:1234567890:apiId/stage/method/resourcePath"
}

Create IAM Role

You will need to create an IAM Role that has permissions to invoke the Lambda function we created above.

That Role will need to have a Policy similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
                "lambda:InvokeFunction"
            ]
        }
    ]
}

You will also need to set a "Trust Relationship for the role". This will allow the API Gateway permission to assume the role and run the lambda function. The trust relationship can be set in a separate tab in the AWS console. Click the "Edit Trust Relationship button". It should look similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Configure API Gateway

From the AWS console https://console.aws.amazon.com/apigateway/home

Open your API, or Create a new one.

In the left panel, under your API name, click on Custom Authorizers. Click on Create

  • Name : oidc_authorizer
  • Lambda region : < from previous step >
  • Execution role : < the ARN of the Role we created in the previous step >
  • Identity token source : method.request.header.Authorization
  • Token validation expression : ^Bearer [-0-9a-zA-z\.]*$ ** Cut-and-paste this regular expression from ^ to $ inclusive
  • Result TTL in seconds : 3600

Click Create

Testing

You can test the authorizer by supplying an Identity token and clicking Test

The id_token is the same format we used in event.json above.

Bearer <id_token>

A successful test will look something like:

Latency: 2270 ms
Principal Id: oauth|1234567890
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "Stmt1459758003000",
        "Effect": "Allow",
        "Action": [
            "execute-api:Invoke"
        ],
        "Resource": [
            "arn:aws:execute-api:*"
        ]
        }
    ]
}

Configure API Gateway Methods to use the Authorizer

In the left panel, under your API name, click on Resources. Under the Resource tree, select one of your Methods (POST, GET etc.)

Select Method Request. Under Authorization Settings change:

  • Authorizer : oidc_authorizer

Make sure that:

  • API Key Required : false

Click the tick to save the changes.

Deploy the API

You need to Deploy the API to make the changes public.

Select Action and Deploy API. Select your Stage.

Test your endpoint remotely

With Postman

You can use Postman to test the REST API

  • Method: < matching the Method in API Gateway >
  • URL https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<resource>
  • The base URL you can see in the Stages section of the API
  • Append the Resource name to get the full URL
  • Header - add an Authorization key
  • Authorization : Bearer <id_token>

With curl from the command line

$ curl -X POST <url> -H 'Authorization: Bearer <id_token>'

In (modern) browsers console with fetch

fetch( '<url>', { method: 'POST', headers: { Authorization : 'Bearer <id_token>' }}).then(response => { console.log( response );});