v0.3 - OIDC / OAuth for CloudFront
Closed this issue · 1 comment
huntharo commented
To-Do
- Allow passing additional edge lambdas to `MicroApps` construct
- Pass auth lambda in private deploy
- Add auth lambda to static routes in private deploys
- Confirm auth works in dev/qa/prod
- Fix redirect using state
- Fix refresh to not logout
- Add token redirect endpoint
- Evaluate `auth.js` as option
Overview
- Need Lambda Authorizer integration for PwrDrvr internal applications
- Authorizer demo will be beneficial to consumers of microapps-core
- OIDC is preferred as it is generally much easier to set up, but SAML is acceptable if no other option can work
- Federation between Cognito and Google appears to be possible, but potentially as a social login with a domain restriction and not as an App integration in Google Workspace directly (actually it's not clear if social login is possible for a Workspace domain)
Documentation
- Authorization Code Flow RFC
- Okta Sample Lambda Node.js OAuth Integration
- Sample implementation from Auth.js
  - https://authjs.dev/
  - Concerns
    - Does not use a DB-persisted nonce to avoid replay attacks
    - Sends the refresh token to the browser - not clear if this is encrypted
- OAuth Threat Models RFC
- Nonce and State
- One Login Examples / Code - Useful for pointers on OIDC
- Using Google as a Social Provider for AWS Cognito User Pools
- Cognito with External Identity Provider
- SAML for Serverless Apps - 2017
- Open Banking OIDC Example
- Google Workspace OIDC Support Added
- Google Identity Platform for Work
- Google Identity API OpenID Connect Setup (OIDC)