Skip to main content

Add a lambda function to your aws-rest-api-gateway which can be used as a token authorizer

Project description

CDK Lambda TokenAuthorizer JWT

Add a lambda function to your project which can be used as a apigateway token authorizer

View on Construct Hub

GitHub GitHub release (latest SemVer) npm (scoped) PyPI Nuget GitHub Workflow Status (branch) Maintainability codecov Gitpod ready-to-code

Install

TypeScript

npm install @cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt

Python

pip install cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt

Usage

Notes

Example usage with Rest Apigateway

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as lambda from 'aws-cdk-lib/aws-lambda';

import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

export class HelloworldStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const api               = new apigateway.RestApi(this, 'ApiName', {});
    const tokenAuthFunction = new TokenAuthorizerJwtFunction(this, 'fnName', {
      tokenAuthorizerOptions: {
        verificationStrategy: {
          strategyName: 'argument',
          secret: 'mySecret-symmetric-or-asymmetric',
        },
      },
    });

    const tokenAuthorizer   = new apigateway.TokenAuthorizer(this, 'fnNameApiGwAuthorizer', {
      handler: tokenAuthFunction // use the TokenAuthorizerJwtFunction
    });

    const dummyFn = new lambda.Function(this, 'helloWorldFunction', {
      handler: 'index.handler',
      code: lambda.Code.fromInline(`exports.handler = async (event) => { console.log('event: ', event); return '{"statusCode": 200, "message": "DummyLambdaFunction"}' };`),
      runtime: lambda.Runtime.NODEJS_16_X,
    });

    const dummyLambdaIntegration = new apigateway.LambdaIntegration(
      dummyFn, { passthroughBehavior: apigateway.PassthroughBehavior.WHEN_NO_MATCH }
    );

    const someMethod = api.root.addMethod("GET", dummyLambdaIntegration, {
      authorizer: tokenAuthorizer
    });
  }
}

Validation

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const myValidation = { properties:{ iss: { enum: ['my_trusted_iss'] } }};

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    payloadValidationStrategy: {
      strategyName: 'schema',
      schema: JSON.stringify(myValidation)
    },
    verificationStrategy: { strategyName: 'argument',  secret: 'someSecret' }
  }
});

Using JWKS

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'jwksFromUriByKid',
      uri: 'uri',
      kid: 'kid',
    }
  }
});

Using asymmetric algorithms, e.g. public key

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const myPublicKeyOneliner = '-----BEGIN PUBLIC KEY---\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKuTfz7kpJHPrmcmgx4Xf4GMoM2kK4mh\nMpSOW3qu1zZA1wfMHV8PS0Kds0nXMB6mmHk/Ke1\Et68aEspQRIn1aLcCAwEAAQ==\n-----END PUBLIC KEY-----';

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'argument',
      secret: myPublicKeyOneliner
    }
  }
});

Using symmetric algorithms, same key for sign and verify :warning:

Attention: the key might be exposed during deploy, in the runtime etc.

import * as cdk from 'aws-cdk-lib';
import { TokenAuthorizerJwtFunction } from '@cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt';

const app   = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const mySymmetricSecret = 'sharedSecret';

new TokenAuthorizerJwtFunction(stack, 'example-stack', {
  tokenAuthorizerOptions: {
    verificationStrategy: {
      strategyName: 'argument',
      secret: mySymmetricSecret
    }
  }
});

🍻

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Built Distribution

File details

Details for the file cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt-0.0.39.tar.gz.

File metadata

File hashes

Hashes for cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt-0.0.39.tar.gz
Algorithm Hash digest
SHA256 a950e1344ad7ad015bed070d1486f622af81dbef334ffe2243716670a1bca4ff
MD5 64ba91893c1d118215be67904863be13
BLAKE2b-256 9f835537f7d622445ea04e1f5e6aebf1e786e552086db37268e6a212fa0df9f6

See more details on using hashes here.

File details

Details for the file cloudy_with_a_chance_of_meatballs.cdk_lambda_token_authorizer_jwt-0.0.39-py3-none-any.whl.

File metadata

File hashes

Hashes for cloudy_with_a_chance_of_meatballs.cdk_lambda_token_authorizer_jwt-0.0.39-py3-none-any.whl
Algorithm Hash digest
SHA256 840faa25fb7e042cd2a22a4541cecc65c095213df3f49fb9bb19d19ee8f57e95
MD5 bd68fdcae4ef1518f3d219b9161c59b2
BLAKE2b-256 9ed322a729edb946187e0f646f7b3be71fe0c6948fd0ed6a04d3fbab6c6b0889

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page