Closed nagendrakumar02 closed 1 year ago
Hi @nagendrakumar02 ,
I can think of two different ways to achieve the end result that you want:
Authenticator
based on the request URI. Origin is not available in viewer request events. You can use one or multiple secrets to hold the configuration details. My preference would go to the first method, in order to avoid duplicating the origin "selection" logic in both CloudFront's configuration and the function code.
Thanks @jeandek! I want to use the 2nd option; otherwise, I have to create multiple Lambda@Edge functions, one for each customer, as they have their own IdP. However, when I tried writing code in the handler, it does not provide the redirect URL:
```js
const { Authenticator } = require('cognito-at-edge');

const authenticator = new Authenticator({
  // Replace these parameter values with those of your own environment
  region: 'us-east-1', // user pool region
  userPoolId: 'us-east-1_tyo1a1FHH', // user pool ID
  userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6', // user pool app client ID
  userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com', // user pool domain
});

// this does not work, I want to read the request URL and then get secrets
// for that URL from Secrets Manager
exports.handler = async (request) => {
  // trying to read the request object does not work
  authenticator.handle(request);
};
```
Also, I am currently using cognito-at-edge on the viewer request; can I attach the same function to the origin request?
I was wondering the same thing when I was writing the above message, but I think not. Per the docs:
Origin request: The function executes only when CloudFront forwards a request to your origin. When the requested object is in the CloudFront cache, the function doesn't execute.
What about something like:
```js
const { Authenticator } = require('cognito-at-edge');

// Local cache of authenticators, record key is a customer ID
/** @type {Record<string, Authenticator>} */
const authenticators = {};

exports.handler = async (request) => {
  let authenticator;
  // Match the URI of the Lambda@Edge viewer request event
  const uri = request.Records[0].cf.request.uri;
  if (uri.startsWith('/app/myCustomerId')) {
    // get cached authenticator for this customer
    // or fetch secret, create a new authenticator and cache it
  } else if (uri.startsWith('/app/anotherCustomerId')) { // placeholder prefix
    // same for another customer
  }
  authenticator.handle(request);
};
```
Hi @jeandek ,
I tested the above code and it does not work. The redirect URL is not coming through.
Thanks, Nagendra
Hi @jeandek ,
We should include `return authenticator.handle(request);` and that works!
Another question I had: since I have attached the function to the viewer request, when the user requests the CDN, they are redirected to Cognito. How do we protect the origin request if somebody goes directly there?
Thanks,
Is there a way to read PoolId, clientId, appId & domain from Secrets Manager based on the origin?
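A fuller version of the per-customer lookup sketched by @jeandek above, covering the repeated question of reading the pool configuration from Secrets Manager per customer; this is an added example, not code from the thread or from cognito-at-edge. The URI prefixes, secret ids and the two injected functions (`getSecret`, standing in for a Secrets Manager GetSecretValue call, and `createAuthenticator`, standing in for `new Authenticator(config)`) are assumptions so the routing logic runs offline:

```javascript
// Added example: per-customer Authenticator selection for a Lambda@Edge
// viewer-request handler. Not code from cognito-at-edge or from the thread.
// Dependencies are injected so the routing logic runs without AWS:
//   getSecret(secretId)      -> Promise<string>: JSON config for one customer
//                               (in production: Secrets Manager GetSecretValue)
//   createAuthenticator(cfg) -> object with handle(event)
//                               (in production: new Authenticator(cfg))

// Constructed mapping, URI prefix -> secret id (hypothetical names). The trailing
// slash keeps '/app/customerAB/...' from matching customerA's prefix.
const CUSTOMER_SECRETS = {
  '/app/customerA/': 'cognito-at-edge/customerA',
  '/app/customerB/': 'cognito-at-edge/customerB',
};

// Returned when no customer prefix matches: fail closed instead of letting the
// request reach the origin unauthenticated.
const FORBIDDEN = { status: '403', statusDescription: 'Forbidden', body: 'Unknown tenant' };

function createHandler({ getSecret, createAuthenticator }) {
  // Local cache keyed by URI prefix; lives for the life of the warm container.
  const authenticators = new Map();

  function authenticatorFor(prefix) {
    if (!authenticators.has(prefix)) {
      // Cache the promise so concurrent cold-start requests share one secret fetch;
      // drop it on failure so the next request retries instead of caching the error.
      const pending = getSecret(CUSTOMER_SECRETS[prefix])
        .then((raw) => createAuthenticator(JSON.parse(raw)))
        .catch((err) => { authenticators.delete(prefix); throw err; });
      authenticators.set(prefix, pending);
    }
    return authenticators.get(prefix);
  }

  return async function handler(event) {
    const uri = event.Records[0].cf.request.uri;
    const prefix = Object.keys(CUSTOMER_SECRETS).find((p) => uri.startsWith(p));
    if (!prefix) return FORBIDDEN;
    const authenticator = await authenticatorFor(prefix);
    // The result must be returned; a bare authenticator.handle(event) discards
    // the redirect response, which is the symptom reported in this thread.
    return authenticator.handle(event);
  };
}
```

In deployment, `exports.handler = createHandler({ getSecret, createAuthenticator })` with the real Secrets Manager client and `cognito-at-edge` constructor; the secret fetch still happens at most once per customer per warm container.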