okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

'Unknown authentication strategy "oidc"' in AWS Lambda context #13

Open kpeters-cbsi opened 3 years ago

kpeters-cbsi commented 3 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

I've deployed the Lambda sample app provided by Okta using Serverless Framework. While I can run the app locally, when I run it in Lambda, I get:

Error: Unknown authentication strategy "oidc"
    at attempt (/var/task/node_modules/passport/lib/middleware/authenticate.js:173:37)
    at authenticate (/var/task/node_modules/passport/lib/middleware/authenticate.js:349:7)
    at /var/task/node_modules/@okta/oidc-middleware/src/connectUtil.js:81:28
    at Layer.handle [as handle_request] (/var/task/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/task/node_modules/express/lib/router/index.js:317:13)
    at /var/task/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/task/node_modules/express/lib/router/index.js:335:12)
    at next (/var/task/node_modules/express/lib/router/index.js:275:10)
    at urlencodedParser (/var/task/node_modules/body-parser/lib/types/urlencoded.js:91:7)
    at Layer.handle [as handle_request] (/var/task/node_modules/express/lib/router/layer.js:95:5)

Expected behavior

When I access my app, I should be redirected to Okta for authentication

Minimal reproduction of the problem with instructions

Deploy my fork of the example with the following .env (properly redacted):

OKTA_ORG_URL=https://dev-69099605.okta.com
APP_SECRET=<application / session secret>
OKTA_CLIENT_ID=<client ID>
OKTA_CLIENT_SECRET=<client secret>
HOST_URL_LAMBDA=https://<my API ID>.execute-api.us-east-1.amazonaws.com
HOST_URL_LOCAL=http://localhost:8080

Extra information about the use case/user story you are trying to implement

This is similar to https://github.com/okta/okta-oidc-js/issues/68, but the solution suggested there, namely invoking app.listen on the oidc.ready event, doesn't work as written in a Lambda context (the listening is being handled by API gateway, which calls the Lambda function with the contents of the HTTP request). I've tried converting the event to a Promise using promise.toolbox.fromEvent, but that causes my Lambda to throw an error.

Environment

swiftone commented 3 years ago

@kpeters-cbsi - Thanks for the report. Let me check with the team behind that sample repo and see if this issue is better handled there, and I'll report back.

swiftone commented 3 years ago

@kpeters-cbsi - Unfortunately, I don't have a lot of experience merging oidc-middleware with AWS Lambda (example notwithstanding), but this is what we were able to turn up:

The issue might be the Passport middleware. This might help: https://github.com/jaredhanson/passport/issues/651#issuecomment-744361707 or uploading the node_modules to Lambda: https://stackoverflow.com/questions/34437900/how-to-load-npm-modules-in-aws-lambda

kpeters-cbsi commented 3 years ago

Serverless will take care of the NPM modules. So that I can test the Passport hypothesis, what URL should I try to access? The issuer URL (i.e. https://dev-69099605.okta.com/oauth2/default)?

kpeters-cbsi commented 3 years ago

I can get out with my Lambda, but the issuer URL (https://dev-69099605.okta.com/oauth2/default) produces a 404.

swiftone commented 3 years ago

Yes, the issuer URL is the base for various urls that are actually hit. You can see the url use for the authorize call here: https://github.com/okta/okta-oidc-js/blob/master/packages/oidc-middleware/src/connectUtil.js#L76

There are a number of urls that are hit, so the above isn't the exhaustive list, but that should establish if the Passport fix will help you.

kpeters-cbsi commented 3 years ago

I was able to hit 'https://dev-69099605.okta.com/app/UserHome/oauth2/default/v1/authorize' from my Lambda. I don't think it's Passport.

swiftone commented 3 years ago

Unfortunately that's the most information my team has at the moment - your issue (working from inside AWS Lambda) is outside the scope of this SDK itself.

kpeters-cbsi commented 3 years ago

Presumably someone at Okta got it working, as your organization published the example (1). Maybe talk to the author, Braden Kelley? https://github.com/redbmk

(1) https://toolkit.okta.com/apps/okta-nodejs-aws-lambda-example/

aarongranick-okta commented 3 years ago

@kpeters-cbsi were you able to get this working?

kpeters-cbsi commented 3 years ago

I don't recall for sure, but I don't think so.
