Skip to main content

Add a lambda function to your aws-rest-api-gateway which can be used as a token authorizer

Project description

CDK Lambda TokenAuthorizer JWT

Add a lambda function to your project which can be used as a apigateway token authorizer

View on Construct Hub

GitHub GitHub release (latest SemVer) npm (scoped) PyPI Nuget release Maintainability codecov Gitpod ready-to-code

Install

TypeScript

npm install @cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt

Python

pip install cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt

Usage

Notes

Example usage with Rest Apigateway

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as lambda from 'aws-cdk-lib/aws-lambda';

import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

export class HelloworldStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const api               = new apigateway.RestApi(this, 'ApiName', {});
    const tokenAuthFunction = new TokenAuthorizerJwtFunction(this, 'fnName', {
      tokenAuthorizerOptions: {
        verificationStrategy: {
          strategyName: 'argument',
          secret: 'mySecret-symmetric-or-asymmetric',
        },
      },
    });

    const tokenAuthorizer   = new apigateway.TokenAuthorizer(this, 'fnNameApiGwAuthorizer', {
      handler: tokenAuthFunction // use the TokenAuthorizerJwtFunction
    });

    const dummyFn = new lambda.Function(this, 'helloWorldFunction', {
      handler: 'index.handler',
      code: lambda.Code.fromInline(`exports.handler = async (event) => { console.log('event: ', event); return '{"statusCode": 200, "message": "DummyLambdaFunction"}' };`),
      runtime: lambda.Runtime.NODEJS_16_X,
    });

    const dummyLambdaIntegration = new apigateway.LambdaIntegration(
      dummyFn, { passthroughBehavior: apigateway.PassthroughBehavior.WHEN_NO_MATCH }
    );

    const someMethod = api.root.addMethod("GET", dummyLambdaIntegration, {
      authorizer: tokenAuthorizer
    });
  }
}

Validation

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const myValidation = { properties:{ iss: { enum: ['my_trusted_iss'] } }};

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    payloadValidationStrategy: {
      strategyName: 'schema',
      schema: JSON.stringify(myValidation)
    },
    verificationStrategy: { strategyName: 'argument',  secret: 'someSecret' }
  }
});

Using JWKS

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'jwksFromUriByKid',
      uri: 'uri',
      kid: 'kid',
    }
  }
});

Using asymmetric algorithms, e.g. public key

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const myPublicKeyOneliner = '-----BEGIN PUBLIC KEY---\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKuTfz7kpJHPrmcmgx4Xf4GMoM2kK4mh\nMpSOW3qu1zZA1wfMHV8PS0Kds0nXMB6mmHk/Ke1\Et68aEspQRIn1aLcCAwEAAQ==\n-----END PUBLIC KEY-----';

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'argument',
      secret: myPublicKeyOneliner
    }
  }
});

Using symmetric algorithms, same key for sign and verify :warning:

Attention: the key might be exposed during deploy, in the runtime etc.

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const mySymmetricSecret = 'sharedSecret';

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'argument',
      secret: mySymmetricSecret
    }
  }
});

🍻

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Built Distribution

File details

Details for the file cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt-0.1.24.tar.gz.

File metadata

File hashes

Hashes for cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt-0.1.24.tar.gz
Algorithm Hash digest
SHA256 aecb7c23b0633161b8f7ab600c9cae54fd946fdf3aac29d6df38af79ce5e7270
MD5 18bd4e04970710bf14028731fecac8a3
BLAKE2b-256 c71b8469657e3565ad85b5a1f2b97d2c8876ec7fb1b69478145bb9c0f1947903

See more details on using hashes here.

File details

Details for the file cloudy_with_a_chance_of_meatballs.cdk_lambda_token_authorizer_jwt-0.1.24-py3-none-any.whl.

File metadata

File hashes

Hashes for cloudy_with_a_chance_of_meatballs.cdk_lambda_token_authorizer_jwt-0.1.24-py3-none-any.whl
Algorithm Hash digest
SHA256 258a85c0b444fe67548d5a2c151589de83b5f3f69951261398a61a18d30e8ec6
MD5 fccf2ee2abb44fbd8b64b690492ebb8a
BLAKE2b-256 582d3201def857b79a3be5d1fcb0b1517698ca845b5ff5c050b307975d0cf87a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page