Widen / cloudfront-auth

An AWS CloudFront Lambda@Edge function to authenticate requests using Google Apps, Microsoft, Auth0, OKTA, and GitHub login
ISC License

[Okta] 401 No Code Found Issue #95

Closed ajrice6713 closed 2 years ago

ajrice6713 commented 2 years ago

Getting a "401 Unauthorized - No Code Found" issue, but the code query param is present in the redirect made by Okta to my CloudFront URL.

config.json:

{
    "AUTH_REQUEST": {
        "client_id": "{clientId}",
        "response_type": "code",
        "scope": "openid email",
        "redirect_uri": "https://{cfDistro}.cloudfront.net/_callback"
    },
    "TOKEN_REQUEST": {
        "client_id": "{clientId}",
        "redirect_uri": "https://{cfDistro}.cloudfront.net/_callback",
        "grant_type": "authorization_code",
        "client_secret": "{clientSecret}"
    },
    "DISTRIBUTION": "https://{cfDistro}.cloudfront.net",
    "AUTHN": "OKTA",
    "PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\n{privateKey}\n-----END RSA PRIVATE KEY-----\n",
    "PUBLIC_KEY": "-----BEGIN PUBLIC KEY-----\n{publicKey}\n-----END PUBLIC KEY-----\n",
    "DISCOVERY_DOCUMENT": "https://{oktaDomain}.okta.com/.well-known/openid-configuration",
    "SESSION_DURATION": 3600,
    "BASE_URL": "https://{oktaDomain}.okta.com",
    "CALLBACK_PATH": "/_callback",
    "AUTHZ": "OKTA"
}

Request cycle is as follows:

  1. GET https://{cfDistro}.cloudfront.net/
  2. Returns a 302 redirect to this URL: https://{oktaDomain}..okta.com/oauth2/v1/authorize?client_id={clientId}&response_type=code&scope=openid%20email&redirect_uri=https{cfDistro}.cloudfront.net%2Fcallback&nonce={nonce}&state=%2Findex.html
  3. Sign into the Okta login page
  4. Okta redirects to this URL: https://d3f25n2hc0m1s1.cloudfront.net/callback?code={code}&state=%2Findex.html
  5. The "No Code Found" 401 error page populates

Is there something I'm missing with my CloudFront setup? This looks to me to be an issue with the Lambda function getting the code from the query string, but I am failing to see what could be wrong there.

UPDATE: I managed to figure out Lambda@Edge logging and I am getting a 400 response from Okta:

Requesting access token.

Internal server error2: Request failed with status code 400

When logging the request, code is missing.

It looks like the event being received by mainFunction is a request to the underlying S3 bucket, and the query string is being dropped:

{
  clientIp: '{ip}',
  headers: {
    host: [ [Object] ],
    'x-forwarded-for': [ [Object] ],
    'user-agent': [ [Object] ],
    via: [ [Object] ],
    'cache-control': [ [Object] ]
  },
  method: 'GET',
  origin: {
    s3: {
      authMethod: 'none',
      customHeaders: {},
      domainName: '{s3Id}.s3.us-east-1.amazonaws.com',
      path: ''
    }
  },
  querystring: '',
  uri: '/_callback'
}

ANOTHER UPDATE

Looks like my CloudFront had the Lambda@Edge function being triggered on an origin request, which doesn't contain the necessary headers. When the Lambda@Edge function is deployed, it needs to be deployed to trigger on VIEWER requests.