dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License

feat: support dev Okta JWT tokens #1790

Closed ktwbc closed 1 month ago

ktwbc commented 1 month ago

Description

Need to work locally with an Okta dev JWT instead of cognito. There was only one key difference that had to be implemented.

Motivation and Context

Local httpApi JWT validation was written around Cognito but would not work with a dev JWT token from Okta. The only key difference is scopes provided as an scp array instead of a scopes text string, so the changes were just related to that. It will use the scp array if provided, but falls back to original behavior otherwise.

In unit tests, I did put in a new authorizer in the serverless.yml also reflecting the different audience and a JWT Okta example showing some other differences like cid vs client_id but the authorizer already handles those differences.

How Has This Been Tested?

- Tested with dev key on my own project using serverless-offline pointing to file:// per docs from my original project
- Wrote a unit test with an Okta JWT token in the same format
- Ran full existing test suites

Screenshots (if appropriate):
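The scope handling the PR describes, as an added example that is not serverless-offline's own code: it prefers Okta's `scp` array and `cid` claim and falls back to Cognito's `scope` string and `client_id`. The helper names (`normalizeCredentials`, `hasRequiredScope`), the "at least one required scope" rule and the sample claims are assumptions.

```javascript
// Added example, not serverless-offline's own code. Helper names and the
// route-scope rule are assumptions; the sample claims are constructed.

// Cognito access tokens carry scopes as a space-separated "scope" string and
// the client in "client_id"; Okta access tokens use an "scp" array and "cid".
// Prefer the Okta shape when present, fall back to the Cognito shape otherwise.
function normalizeCredentials(claims) {
  let scopes = []
  if (Array.isArray(claims.scp)) {
    scopes = claims.scp.filter((s) => typeof s === 'string')
  } else if (typeof claims.scope === 'string') {
    scopes = claims.scope.split(' ').filter(Boolean)
  }
  const clientId = claims.client_id ?? claims.cid ?? null
  return { claims, clientId, scopes }
}

// Route-level check: the token must carry at least one of the scopes the
// route requires (assumed rule); a route that requires no scopes only needs
// a valid token.
function hasRequiredScope(credentials, requiredScopes = []) {
  if (requiredScopes.length === 0) return true
  return requiredScopes.some((s) => credentials.scopes.includes(s))
}

// Constructed sample claims shaped like the two token types above
// (placeholder values, not real tokens).
const oktaClaims = {
  iss: 'https://dev-12345555.okta.com/oauth2/default',
  aud: 'api://default',
  cid: '0oa6k6m4wnwyxxxxx',
  scp: ['openid', 'profile', 'email'],
  sub: 'krisw@mydomain.com',
}
const cognitoClaims = {
  iss: 'https://cognito-idp.us-east-1.amazonaws.com/POOL_ID_PLACEHOLDER',
  client_id: 'CLIENT_ID_PLACEHOLDER',
  scope: 'openid profile',
  sub: 'SUBJECT_PLACEHOLDER',
}
```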

ktwbc commented 1 month ago

So I thought the unit test passed but I guess it didn't. I'm very confused because the feature works in real use, and I can log the output of createJWTAuthScheme.js using log.warning() and it builds the correct response converting scp into scopes:

```
{ credentials:
   { claims:
      { ver: 1,
        jti: 'AT.FMONSagvuix9mndLkk9VG5fxxxxxxxxsv8KcgZJU',
        iss: 'https://dev-12345555.okta.com/oauth2/default',
        aud: 'api://default',
        iat: 1716743614,
        exp: 1716747214,
        cid: '0oa6k6m4wnwyxxxxx',
        uid: '00u5w9j9a8oTbxxxx',
        scp: [ 'openid', 'profile', 'email' ],
        auth_time: 1716734304,
        sub: 'krisw@mydomain.com' },
     scopes: [ 'openid', 'profile', 'email' ] } }
```

yet the unit test says that scopes is missing on the response.

ktwbc commented 1 month ago

So it turns out that on createJWTAuthScheme the code that returns the scope entry ---

```js
return h.authenticated({
  credentials: {
    claims,
    scopes, // <------ ignored by calling function
  },
})
```

doesn't actually do anything; the items passed back here are completely ignored. In fact, on my PR I commented out the variable as it made no difference on unit tests at all. That in itself may be a bug, but for the purposes of this PR, since the original code of testing scp works, and the test reflects that, I committed that version.

DorianMazur commented 1 month ago

Thank you @ktwbc. Some code was missing in LambdaProxyIntegrationEvent class. Now everything works as expected. I will merge it after running CI.