search

Widen / cloudfront-auth

An AWS CloudFront Lambda@Edge function to authenticate requests using Google Apps, Microsoft, Auth0, OKTA, and GitHub login
ISC License
626 stars 149 forks source link

redirect_uri is fixed to "_/callback" despite setting otherwise during ./build.sh #75

Open rollue opened 4 years ago

rollue commented 4 years ago

Hi I've been trying to use this library to set up Google Oauth on our S3 bucket - Cloudfront. Unfortunately, I've been getting "JWT error, unauthorized" message on the log with no JWT being set. I found via debugging and testing with ngrok that request.uri in Callback Payload is somehow fixed to "/_callback" even though it explicitly set it to https://our-cloudfront's-cname/index.html, during ./build.sh

*/ Callback Payload /*
{
  "Records": [
    {
      "cf": {
        "request": {
          "headers": {
            "host": [ { "value": "example.com", "key": "Host" } ],
            "user-agent": [ { "value": "test-agent", "key": "User-Agent" } ]
          },
          "clientIp": "2001:cdba::3257:9652",
          "uri": "/_callback",
          "method": "GET",
          "querystring": "code=8fce8bc8b73510e11f8c&state=%2f&session_state=fc350b67-673e-4ecd-98e7-3c2f5a875d0a"
        },
        "config": {
          "distributionId": "EXAMPLE",
          "test": "https://9889643ae09c.ngrok.io"
        }
      }
    }
  ]
}

My workaround is:

  1. changing the filename of s3's index.html to _callback
  2. changing redirect on OAuth provider to https://my-cloudfront-cname.com/_callback (I'm using cname because I'm using custom domain)
  3. changing s3 - Properties - Static website hosting - set Index document to _callback
  4. Make sure all files in S3 are set to public, but set OAI from cloudfront for making sure only access from cloudfront is allowed.

It works for now, I cannot figure out why this is happening. Thanks.