awslabs / aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, and RS512
Apache License 2.0

Support for HTTP proxy? #126

Closed iamFIREcracker closed 1 year ago

iamFIREcracker commented 1 year ago

All the outbound traffic originating from our deployment needs to go through a private HTTP proxy, but I could not find a way to customize the library to use that proxy. Is this supported? I can see fetchJson accepts an optional FetchRequestOptions (which I could use to inject a custom agent); however, I don't think there is a way for a user to inject these via the public API?

FWIW, this is the error message we are getting:

error: Uncaught exception {"_meta":{"requestId":"05418870-4fa9-4de4-a72f-acf76cf02d5d"},"context":"AllExceptionsFilter","error":{"message":"Failed to fetch https://cognito-idp.xx-xxxx-x.amazonaws.com/xx-xxxx-x_xxxxxxxxx/.well-known/jwks.json: "},"stack":["Error: Failed to fetch https://cognito-idp.xx-xxxx-x.amazonaws.com/xx-xxxx-x_xxxxxxxxx/.well-known/jwks.json: 
    at ClientRequest.done (/usr/app/node_modules/aws-jwt-verify/dist/cjs/https-node.js:54:25)
    at ClientRequest.emit (node:events:523:35)
    at ClientRequest.emit (node:domain:489:12)
    at TLSSocket.socketErrorListener (node:_http_client:495:9)
    at TLSSocket.emit (node:events:511:28)
    at TLSSocket.emit (node:domain:489:12)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)"],"timestamp":"2023-06-16T13:27:19.580Z"}

Versions

ottokruse commented 1 year ago

This is supported by either specifying the agent in the additional request options: https://github.com/awslabs/aws-jwt-verify#configuring-the-jwks-response-timeout-and-other-http-options-with-jsonfetcher

Or by using your own fetcher: https://github.com/awslabs/aws-jwt-verify#using-a-different-jsonfetcher-with-simplejwkscache

Let us know if that helps

ottokruse commented 1 year ago

E.g. something like this:

import { CognitoJwtVerifier } from "aws-jwt-verify";
import { SimpleJwksCache } from "aws-jwt-verify/jwk";
import { SimpleJsonFetcher } from "aws-jwt-verify/https";

// please verify yourself that the following external dependency is solid,
// I'm just adding it here as an example, not an endorsement:
import { HttpsProxyAgent } from 'https-proxy-agent';

const agent = new HttpsProxyAgent('http://168.63.76.32:3128');

const verifier = CognitoJwtVerifier.create(
  {
    userPoolId: "<your user pool id>",
    tokenUse: "access", // or "id",
    clientId: "<your client id>",
  },
  {
    jwksCache: new SimpleJwksCache({
      fetcher: new SimpleJsonFetcher({
        defaultRequestOptions: {
          agent,
        },
      }),
    }),
  }
);
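
As an added example (my own code, not from the aws-jwt-verify project or from anyone in this thread), here is the second option from the reply above carried further: a hand-written fetcher for the SimpleJwksCache `fetcher` slot that sends the JWKS request through a proxy agent and, because a proxy sits between us and Cognito, fails closed when the reply is not a well-formed JWKS (proxy error page, HTML login page, oversized or non-JSON body). It assumes the cache calls `fetcher.fetch(uri, requestOptions)` and awaits parsed JSON; check that against the library version you run. The names `createProxiedJsonFetcher`, `parseJwksResponse`, `MAX_JWKS_BYTES` and the injected `request` parameter are mine; in production you pass `https.request` from `node:https` and an agent such as the `HttpsProxyAgent` shown above.

```javascript
// Added example, not code from aws-jwt-verify or from this thread.
// Assumption: SimpleJwksCache calls fetcher.fetch(uri, requestOptions) and
// awaits the parsed JSON. Verify against the library version in use.

const MAX_JWKS_BYTES = 64 * 1024; // real JWKS documents are a few KB at most
const DEFAULT_TIMEOUT_MS = 1500;

// Validate status, content type, size and shape of a JWKS response.
// Kept free of I/O so it can be exercised without a network or proxy.
function parseJwksResponse(statusCode, headers, body) {
  if (statusCode !== 200) {
    throw new Error(`unexpected HTTP status ${statusCode} from JWKS endpoint`);
  }
  const contentType = String(headers["content-type"] || "").toLowerCase();
  if (!contentType.startsWith("application/json")) {
    throw new Error(`unexpected content-type "${contentType}" from JWKS endpoint`);
  }
  if (body.length > MAX_JWKS_BYTES) {
    throw new Error(`JWKS body too large: ${body.length} bytes`);
  }
  let json;
  try {
    json = JSON.parse(body.toString("utf8"));
  } catch {
    throw new Error("JWKS body is not valid JSON");
  }
  if (!json || typeof json !== "object" || !Array.isArray(json.keys)) {
    throw new Error('JWKS document has no "keys" array');
  }
  return json;
}

// Build the fetcher. `agent` is e.g. new HttpsProxyAgent("http://proxy:3128").
// `request` is normally https.request from node:https; it is injected here
// (my design choice) so the fetcher can be driven by a fake in tests.
function createProxiedJsonFetcher({ agent, request, timeoutMs = DEFAULT_TIMEOUT_MS }) {
  if (typeof request !== "function") {
    throw new TypeError("request function is required (pass https.request)");
  }
  return {
    fetch(uri, requestOptions = {}) {
      return new Promise((resolve, reject) => {
        const req = request(uri, { ...requestOptions, agent, method: "GET" }, (res) => {
          const chunks = [];
          let received = 0;
          res.on("data", (chunk) => {
            received += chunk.length;
            if (received > MAX_JWKS_BYTES) {
              // Stop reading early rather than buffering an oversized reply.
              req.destroy(new Error(`JWKS body exceeds ${MAX_JWKS_BYTES} bytes`));
              return;
            }
            chunks.push(chunk);
          });
          res.on("end", () => {
            try {
              resolve(parseJwksResponse(res.statusCode, res.headers, Buffer.concat(chunks)));
            } catch (err) {
              reject(err);
            }
          });
          res.on("error", reject);
        });
        req.setTimeout(timeoutMs, () => {
          req.destroy(new Error(`JWKS fetch timed out after ${timeoutMs} ms`));
        });
        req.on("error", (err) => reject(new Error(`Failed to fetch ${uri}: ${err.message}`)));
        req.end();
      });
    },
  };
}

// Constructed sample data for a self-check; not a real Cognito key set.
const SAMPLE_JWKS = { keys: [{ kty: "RSA", kid: "example-kid", use: "sig", alg: "RS256", n: "AQAB", e: "AQAB" }] };

// Runs the validator over one good and three bad constructed replies.
function selfCheck() {
  const good = parseJwksResponse(200, { "content-type": "application/json; charset=utf-8" },
    Buffer.from(JSON.stringify(SAMPLE_JWKS)));
  const rejected = [
    [502, { "content-type": "text/html" }, Buffer.from("<html>proxy error</html>")],   // proxy error page
    [200, { "content-type": "text/html" }, Buffer.from("<html>sign in</html>")],      // intercepted, wrong type
    [200, { "content-type": "application/json" }, Buffer.from('{"keys": {}}')],       // wrong shape
  ].filter(([status, headers, body]) => {
    try { parseJwksResponse(status, headers, body); return false; } catch { return true; }
  }).length;
  return good.keys.length === 1 && rejected === 3;
}
```

Wiring it in follows the shape already shown in the thread: `new SimpleJwksCache({ fetcher: createProxiedJsonFetcher({ agent, request: https.request }) })` as the `jwksCache` option of `CognitoJwtVerifier.create`. The extra checks matter precisely because the proxy is an additional party in the path: a misconfigured or intercepting proxy typically answers with an HTML page and a 200 or 5xx, and the verifier should treat that as a fetch failure rather than try to use it as a key set.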

ottokruse commented 1 year ago

Closing for now