CloudFront with Cognito authentication using Lambda@Edge
@cloudcomponents/cdk-cloudfront-authorization
This construct is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
Install
TypeScript/JavaScript:
npm i @cloudcomponents/cdk-cloudfront-authorization
Python:
pip install cloudcomponents.cdk-cloudfront-authorization
How to use SPA
import { SpaAuthorization, SpaDistribution } from '@cloudcomponents/cdk-cloudfront-authorization';
import { Stack, StackProps, aws_cognito } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CloudFrontAuthorizationStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const userPool = new aws_cognito.UserPool(this, 'UserPool', {
      selfSignUpEnabled: false,
      userPoolName: 'cloudfront-authorization-userpool',
    });

    // UserPool must have a domain!
    userPool.addDomain('Domain', {
      cognitoDomain: {
        domainPrefix: 'cloudcomponents',
      },
    });

    const authorization = new SpaAuthorization(this, 'Authorization', {
      userPool,
    });

    new SpaDistribution(this, 'Distribution', {
      authorization,
    });
  }
}
How to use StaticSite
import { StaticSiteAuthorization, StaticSiteDistribution } from '@cloudcomponents/cdk-cloudfront-authorization';
import { Stack, StackProps, aws_cognito } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CloudFrontAuthorizationStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const userPool = new aws_cognito.UserPool(this, 'UserPool', {
      selfSignUpEnabled: false,
      userPoolName: 'cloudfront-authorization-userpool',
    });

    // UserPool must have a domain!
    userPool.addDomain('Domain', {
      cognitoDomain: {
        domainPrefix: 'cloudcomponents',
      },
    });

    // Static Site mode: the user pool client gets a client secret and the
    // token cookies are http only by default.
    const authorization = new StaticSiteAuthorization(this, 'Authorization', {
      userPool,
    });

    new StaticSiteDistribution(this, 'Distribution', {
      authorization,
    });
  }
}
Identity Providers
Identity providers can be specified in the authorization object. To make sure that the user pool client is created after the identity provider, add an explicit dependency using addDependency:

// aws_cognito is imported from 'aws-cdk-lib' as in the examples above
const identityProvider = new aws_cognito.UserPoolIdentityProviderAmazon(this, 'IdentityProvider', {
  // ...
});

const authorization = new SpaAuthorization(this, 'Authorization_SPA', {
  // ...
  identityProviders: [aws_cognito.UserPoolClientIdentityProvider.AMAZON],
});

// Without this, the client may be created before the provider exists and the deployment fails.
authorization.userPoolClient.node.addDependency(identityProvider);
SPA mode vs. Static Site mode
SPA
- User Pool client does not use a client secret
- The cookies with JWTs are not "http only", so that they can be read and used by the SPA (e.g. to display the user name or to refresh tokens)
- 404s (page not found on S3) return index.html, to enable SPA routing
Static Site
- Enforce use of a client secret
- Set cookies to be http only by default (unless you've provided other cookie settings explicitly)
- No special error handling
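As an added illustration (not part of this README or the construct's code) of what the two modes' cookie rules mean in practice, the following TypeScript builds the Set-Cookie values each mode would send after sign-in and checks which of them page JavaScript could read. The cookie names and the Secure/SameSite attributes are assumptions; only the HttpOnly rule comes from the README.

```typescript
// Added example, not the construct's own code: what the README's "SPA" vs
// "Static Site" cookie rule means on the wire. Cookie names are assumed.
export type Mode = 'spa' | 'static-site';

export interface Tokens {
  idToken: string;
  accessToken: string;
  refreshToken: string;
}

// Attributes appended to each token cookie. Secure and SameSite are assumed
// defaults here; HttpOnly is added only in Static Site mode, because a SPA
// has to read the JWTs from document.cookie. An explicit setting overrides
// the default, mirroring "unless you've provided other cookie settings".
export function cookieAttributes(mode: Mode, explicit?: string): string {
  if (explicit !== undefined) return explicit;
  const base = 'Path=/; Secure; SameSite=Lax';
  return mode === 'static-site' ? `${base}; HttpOnly` : base;
}

// Set-Cookie header values a Lambda@Edge response would carry after sign-in.
export function setCookieHeaders(tokens: Tokens, mode: Mode, explicit?: string): string[] {
  const attrs = cookieAttributes(mode, explicit);
  return [
    `idToken=${tokens.idToken}; ${attrs}`,
    `accessToken=${tokens.accessToken}; ${attrs}`,
    `refreshToken=${tokens.refreshToken}; ${attrs}`,
  ];
}

// Names of cookies that page JavaScript could see via document.cookie, i.e.
// those without HttpOnly. In Static Site mode this list should be empty, so
// a script injected into the site cannot lift the tokens; in SPA mode it
// must contain them, which is the trade-off the README describes.
export function scriptVisibleCookies(headers: string[]): string[] {
  const visible: string[] = [];
  for (const h of headers) {
    const parts = h.split(';').map((p) => p.trim());
    const name = parts[0].split('=')[0];
    const httpOnly = parts.slice(1).some((p) => p.toLowerCase() === 'httponly');
    if (!httpOnly) visible.push(name);
  }
  return visible;
}
```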
API Reference
See API.md.
Example
See more complete examples.
License
Download files
Source Distribution: cloudcomponents.cdk-cloudfront-authorization-2.2.0.tar.gz
Built Distribution: cloudcomponents.cdk_cloudfront_authorization-2.2.0-py3-none-any.whl