CloudFront with Cognito authentication using Lambda@Edge
@cloudcomponents/cdk-cloudfront-authorization
CloudFront with Cognito authentication using Lambda@Edge
This construct is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
Install
TypeScript/JavaScript:
npm i @cloudcomponents/cdk-cloudfront-authorization
Python:
pip install cloudcomponents.cdk-cloudfront-authorization
How to use SPA
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import SpaAuthorization, SpaDistribution
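class CloudFrontAuthorizationStack(Stack):
    """Stack that serves a single-page app through CloudFront behind Cognito sign-in.

    Uses the package's SPA mode. Per this package's README, SPA mode means the
    User Pool client has no client secret, the JWT cookies are not HttpOnly
    (page scripts can read them), and S3 404s are answered with index.html.
    """

    def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None):
        """Create the user pool, its hosted domain, and the authorized distribution.

        Args:
            scope: Parent construct.
            id: Logical id of this stack.
            description, env, stackName, tags, synthesizer, terminationProtection:
                Forwarded to ``Stack``; the camelCase names are kept for callers
                and mapped to the snake_case keywords the Python bindings expect.
        """
        # The example's import lines do not bring CognitoDomainOptions into scope,
        # so import it here to keep the snippet runnable on its own.
        from aws_cdk.aws_cognito import CognitoDomainOptions

        super().__init__(
            scope,
            id,
            description=description,
            env=env,
            stack_name=stackName,
            tags=tags,
            synthesizer=synthesizer,
            termination_protection=terminationProtection,
        )

        # Self sign-up is off: accounts have to be created by an administrator,
        # so being able to reach the login page does not grant access to the site.
        user_pool = UserPool(
            self,
            "UserPool",
            self_sign_up_enabled=False,
            user_pool_name="cloudfront-authorization-userpool",
        )

        # UserPool must have a domain!
        # "cloudcomponents" is the sample prefix; Cognito domain prefixes are
        # shared per region, so use a prefix of your own.
        user_pool.add_domain(
            "Domain",
            cognito_domain=CognitoDomainOptions(domain_prefix="cloudcomponents"),
        )

        authorization = SpaAuthorization(self, "Authorization", user_pool=user_pool)

        SpaDistribution(self, "Distribution", authorization=authorization)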
How to use StaticSite
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import StaticSiteAuthorization, StaticSiteDistribution
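class CloudFrontAuthorizationStack(Stack):
    """Stack that serves a static site through CloudFront behind Cognito sign-in.

    Uses the package's Static Site mode. Per this package's README, that mode
    enforces a client secret, sets cookies HttpOnly by default (unless other
    cookie settings are supplied) and adds no special error handling.
    """

    def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None):
        """Create the user pool, its hosted domain, and the authorized distribution.

        Args:
            scope: Parent construct.
            id: Logical id of this stack.
            description, env, stackName, tags, synthesizer, terminationProtection:
                Forwarded to ``Stack``; the camelCase names are kept for callers
                and mapped to the snake_case keywords the Python bindings expect.
        """
        # The example's import lines do not bring CognitoDomainOptions into scope,
        # so import it here to keep the snippet runnable on its own.
        from aws_cdk.aws_cognito import CognitoDomainOptions

        super().__init__(
            scope,
            id,
            description=description,
            env=env,
            stack_name=stackName,
            tags=tags,
            synthesizer=synthesizer,
            termination_protection=terminationProtection,
        )

        # Self sign-up is off: accounts have to be created by an administrator,
        # so being able to reach the login page does not grant access to the site.
        user_pool = UserPool(
            self,
            "UserPool",
            self_sign_up_enabled=False,
            user_pool_name="cloudfront-authorization-userpool",
        )

        # UserPool must have a domain!
        # "cloudcomponents" is the sample prefix; Cognito domain prefixes are
        # shared per region, so use a prefix of your own.
        user_pool.add_domain(
            "Domain",
            cognito_domain=CognitoDomainOptions(domain_prefix="cloudcomponents"),
        )

        authorization = StaticSiteAuthorization(self, "Authorization", user_pool=user_pool)

        StaticSiteDistribution(self, "Distribution", authorization=authorization)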
Legacy CloudFrontWebDistribution
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_cloudfront import CloudFrontWebDistribution, OriginAccessIdentity
from aws_cdk.aws_cognito import UserPool
from aws_cdk.core import Construct, Stack, StackProps
from cloudcomponents.cdk_cloudfront_authorization import SpaAuthorization
from cloudcomponents.cdk_deletable_bucket import DeletableBucket
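class CloudFrontAuthorizationStack(Stack):
    """Stack wiring SPA authorization into a legacy ``CloudFrontWebDistribution``.

    The distribution's behaviors all come from the authorization construct:
    its default behavior plus the additional behaviors it generates.
    """

    def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None):
        """Create the user pool, the origin bucket and the protected distribution.

        Args:
            scope: Parent construct.
            id: Logical id of this stack.
            description, env, stackName, tags, synthesizer, terminationProtection:
                Forwarded to ``Stack``; the camelCase names are kept for callers
                and mapped to the snake_case keywords the Python bindings expect.
        """
        # These names are used below but are missing from the example's import
        # lines; import them here so the snippet runs on its own.
        from aws_cdk.aws_cloudfront import S3OriginConfig, SourceConfiguration
        from aws_cdk.aws_cognito import CognitoDomainOptions

        super().__init__(
            scope,
            id,
            description=description,
            env=env,
            stack_name=stackName,
            tags=tags,
            synthesizer=synthesizer,
            termination_protection=terminationProtection,
        )

        # Self sign-up is off: accounts have to be created by an administrator,
        # so being able to reach the login page does not grant access to the site.
        user_pool = UserPool(
            self,
            "UserPool",
            self_sign_up_enabled=False,
            user_pool_name="cloudfront-authorization-userpool",
        )

        # "cloudcomponents" is the sample prefix; Cognito domain prefixes are
        # shared per region, so use a prefix of your own.
        user_pool.add_domain(
            "Domain",
            cognito_domain=CognitoDomainOptions(domain_prefix="cloudcomponents"),
        )

        authorization = SpaAuthorization(self, "Authorization", user_pool=user_pool)

        # NOTE(review): force_delete=True presumably removes the bucket together
        # with its objects when the stack is destroyed; confirm before using it
        # for content that must survive a teardown.
        bucket = DeletableBucket(self, "Bucket", force_delete=True)

        # The distribution reads the bucket through this identity.
        # NOTE(review): confirm the bucket itself stays non-public, otherwise the
        # content is reachable without passing the Lambda@Edge checks.
        origin_access_identity = OriginAccessIdentity(
            self,
            "OriginAccessIdentity",
            # The Python bindings expose the attribute as bucket_name.
            comment=f"CloudFront OriginAccessIdentity for {bucket.bucket_name}",
        )

        CloudFrontWebDistribution(
            self,
            "Distribution",
            origin_configs=[
                SourceConfiguration(
                    s3_origin_source=S3OriginConfig(
                        s3_bucket_source=bucket,
                        origin_access_identity=origin_access_identity,
                    ),
                    # Default behavior first, then the additional behaviors
                    # unpacked into the same list (the generated example left
                    # the TypeScript spread untranslated here).
                    behaviors=[
                        authorization.create_legacy_default_behavior(),
                        *authorization.create_legacy_additional_behaviors(),
                    ],
                )
            ],
        )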
SPA mode vs. Static Site mode
SPA
- User Pool client does not use a client secret
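- The cookies holding the JWTs are not "HttpOnly", so that they can be read and used by the SPA (e.g. to display the user name, or to refresh tokens). The trade-off is that any script running in the page, including one injected through an XSS flaw, can read those tokens as well.
- 404s (page not found on S3) will return index.html, to enable SPA routing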
Static Site
- Enforce use of a client secret
- Set cookies to be http only by default (unless you've provided other cookie settings explicitly)
- No special error handling
API Reference
See API.md.
Example
See more complete examples.
License
Source Distribution
Built Distribution
Hashes for cloudcomponents.cdk-cloudfront-authorization-1.1.6.tar.gz
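Algorithm | Hash digest
---|---
SHA256 | 0570cdfb671de7b145183329e97547ee2f453cc6166a4d9f26836860f41af8c7
MD5 | c50abeeb7109f0357b2c304cdd622de2
BLAKE2b-256 | 61c774e1c7eef2e166be04c291d218d9a457c64a5775797fe771b60bee74cafc

When verifying the download, compare against the SHA256 digest (pip can enforce this with `--require-hashes`); MD5 is not collision-resistant and should not be relied on to detect tampering.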
Hashes for cloudcomponents.cdk_cloudfront_authorization-1.1.6-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 2301fec7b3ff9ae34235290f67a99523345e6cd7092de217fad9b5c9b6ae97eb
MD5 | e2da00c415244932e353671ea45983ff
BLAKE2b-256 | ef3d21da293eb52ff061c6eda2c565a8387702f3d526a1734be867e12e655c49