awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application
Apache License 2.0

Read PoolId, clientId from Secrets manager #58

Closed nagendrakumar02 closed 1 year ago

nagendrakumar02 commented 1 year ago

Is there a way to read PoolId, clientId, appId & domain from Secrets Manager based on the origin?

jeandek commented 1 year ago

Hi @nagendrakumar02 ,

I can think of two different ways to achieve the end result that you want:

My preference would go to the first method, in order to avoid duplicating the origin "selection" logic in both CloudFront's configuration and the function code.

nagendrakumar02 commented 1 year ago

Thanks @jeandek! I want to use the 2nd option; otherwise, I have to create multiple Lambda@Edge functions, one for each customer, as they have their own IdP. However, when I tried writing code in the handler, it does not provide the redirect URL:

```javascript
const { Authenticator } = require('cognito-at-edge');

const authenticator = new Authenticator({
  // Replace these parameter values with those of your own environment
  region: 'us-east-1', // user pool region
  userPoolId: 'us-east-1_tyo1a1FHH', // user pool ID
  userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6', // user pool app client ID
  userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com', // user pool domain
});

// this does not work, I want to read the request url and then get secrets
// for that url from secrets manager
exports.handler = async (request) => {
  // trying to read the request object does not work
  authenticator.handle(request);
}
```

Also, I am currently using cognito-at-edge in viewer request; can I attach the same to origin request?

jeandek commented 1 year ago

I was wondering the same thing when I was writing the above message, but I think not. Per the docs:

Origin request: The function executes only when CloudFront forwards a request to your origin. When the requested object is in the CloudFront cache, the function doesn't execute.

What about something like:

```javascript
const { Authenticator } = require('cognito-at-edge');

// Local cache of authenticators, record key is a customer ID
const authenticators = {};

exports.handler = async (request) => {
  let authenticator;
  // Match the URI of the incoming viewer request (the handler argument is the Lambda@Edge event)
  const uri = request.Records[0].cf.request.uri;
  if (uri.startsWith('/app/myCustomerId')) {
    // get cached authenticator for this customer
    // or fetch secret, create a new authenticator and cache it
    authenticator = authenticators.myCustomerId;
  } else if (uri.startsWith('/app/anotherCustomerId')) {
    // same for another customer
    authenticator = authenticators.anotherCustomerId;
  }
  authenticator.handle(request);
}
```

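
A fuller version of the per-customer routing sketched above, added here as an illustration and not code from the thread or from cognito-at-edge: it keys a cached Authenticator on a URI prefix, reads each customer's pool settings from Secrets Manager once per warm container, denies requests that match no tenant, and returns the authenticator's result so the redirect reaches CloudFront. The route table, the injected `fetchSecret` and `createAuthenticator` functions and the `makeEvent` helper are assumptions so the logic runs offline.

```javascript
// Route table (assumed): URI prefix -> Secrets Manager secret name.
const routes = [
  { prefix: '/app/customerA', secretId: 'cognito/customerA' },
  { prefix: '/app/customerB', secretId: 'cognito/customerB' },
];

// Module-level cache: it survives across invocations of a warm Lambda@Edge
// container, so each customer's secret is read once per container, not per request.
const authenticators = {};

// fetchSecret(secretId) -> Promise<string>  (in production: GetSecretValue from
//   @aws-sdk/client-secrets-manager, returning the SecretString)
// createAuthenticator(cfg) -> object with handle(event)  (in production:
//   cfg => new Authenticator(cfg) from cognito-at-edge)
function createHandler({ fetchSecret, createAuthenticator }) {
  return async (event) => {
    const uri = event.Records[0].cf.request.uri;
    const route = routes.find((r) => uri.startsWith(r.prefix));
    if (!route) {
      // Unknown tenant: fail closed instead of letting the request through unauthenticated.
      return { status: '403', statusDescription: 'Forbidden' };
    }
    if (!authenticators[route.secretId]) {
      // The secret value is assumed to be a JSON string holding the Authenticator
      // parameters (region, userPoolId, userPoolAppId, userPoolDomain).
      const cfg = JSON.parse(await fetchSecret(route.secretId));
      authenticators[route.secretId] = createAuthenticator(cfg);
    }
    // The `return` is essential: without it the 302 to Cognito never reaches CloudFront.
    return authenticators[route.secretId].handle(event);
  };
}

// Constructed minimal viewer-request event for local testing.
function makeEvent(uri) {
  return { Records: [{ cf: { request: { uri, headers: {} } } }] };
}
```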
nagendrakumar02 commented 1 year ago

Hi @jeandek ,

I tested the above code and it does not work. The redirect URL is not coming through.

Thanks, Nagendra

nagendrakumar02 commented 1 year ago

Hi @jeandek ,

We should include `return authenticator.handle(request);` and that works!

Another question I had: since I have attached the function to viewer request, when the user requests the CDN they are redirected to Cognito. How do we protect the origin if somebody goes directly there?

Thanks,