Widen / Cloudfront Auth

Licence: isc
An AWS CloudFront Lambda@Edge function to authenticate requests using Google Apps, Microsoft, Auth0, OKTA, and GitHub login


Google Apps (G Suite), Microsoft Azure AD, GitHub, OKTA, Auth0, Centrify authentication for CloudFront using Lambda@Edge. The original use case for cloudfront-auth was to serve private S3 content over HTTPS without running a proxy server in EC2 to authenticate requests, but cloudfront-auth can be used to authenticate requests of any CloudFront origin configuration.

Description

Upon successful authentication, a cookie (named TOKEN) with the value of a signed JWT is set and the user is redirected back to the originally requested path. Upon each request, Lambda@Edge checks the JWT for validity (signature, expiration date, audience and matching hosted domain) and will redirect the user to the configured provider's login when their session has timed out.

Usage

If your CloudFront distribution is pointed at an S3 bucket, configure origin access identity so S3 objects can be stored with private permissions. (Origin access identity requires the S3 ACL owner be the account owner. Use our s3-object-owner-monitor Lambda function if writing objects across multiple accounts.)

Enable SSL/HTTPS on your CloudFront distribution; AWS Certificate Manager can be used to provision a no-cost certificate.

Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT. If the files id_rsa and id_rsa.pub do not exist, they will be automatically generated by the build. To disable all issued JWTs, upload a new ZIP using the Lambda Console after deleting the id_rsa and id_rsa.pub files (a new key will be automatically generated).
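
The per-request check from the Description and the key-rotation behaviour described above, sketched with Node's built-in crypto module. This is an added example, not cloudfront-auth's own code; the function names, the `aud` and `hd` claim names, and the sample client ID and domain are assumptions.

```javascript
// Added example (not cloudfront-auth's source); names and sample values are constructed.
const crypto = require('crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Issue an RS256 JWT, as a login callback would before setting the TOKEN cookie.
function issueToken(privateKey, claims, sessionHours, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const body = { ...claims, iat, exp: iat + sessionHours * 3600 };
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(body))}`;
  return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

// Per-request check: signature, expiration, audience, hosted domain.
function checkToken(token, publicKey, expected, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm so the token header cannot select "none" or an HMAC.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, sig)) return { ok: false, reason: 'bad-signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now / 1000) return { ok: false, reason: 'expired' };
  if (claims.aud !== expected.audience) return { ok: false, reason: 'bad-audience' };
  if (claims.hd !== expected.hostedDomain) return { ok: false, reason: 'bad-hosted-domain' };
  return { ok: true, claims };
}

// Constructed walk-through: live session, timed-out session, and key rotation.
function demo() {
  const expected = { audience: 'constructed-client-id', hostedDomain: 'example.com' };
  const oldKeys = newKeyPair();
  const newKeys = newKeyPair(); // stands in for deleting id_rsa and rebuilding
  const token = issueToken(oldKeys.privateKey, { aud: expected.audience, hd: 'example.com' }, 1);
  return {
    fresh: checkToken(token, oldKeys.publicKey, expected).ok,
    afterTimeout: checkToken(token, oldKeys.publicKey, expected, Date.now() + 2 * 3600e3).reason,
    afterRotation: checkToken(token, newKeys.publicKey, expected).reason,
  };
}
console.log(demo());
```

A token that was valid under the old key pair fails the signature check once the public key changes, which is why replacing id_rsa and id_rsa.pub ends every outstanding session at once.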

Identity Provider Guides

Github

  1. Clone or download this repo
  2. Navigate to your organization's profile page, then choose OAuth Apps under Developer settings.
    1. Select New OAuth App
    2. For Authorization callback URL enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
  3. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
    1. Choose Github as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Session Duration and Organization
      • cloudfront-auth will check that users are a member of the entered Organization.
  4. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

Google

  1. Clone or download this repo
  2. Go to the Credentials tab of your Google developers console
    1. Create a new Project
    2. Create an OAuth Client ID from the Create credentials menu
    3. Select Web application for the Application type
    4. Under Authorized redirect URIs, enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
  3. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  4. Choose Google as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Hosted Domain and Session Duration
  5. Select the preferred authentication method
    1. Hosted Domain (verify email's domain matches that of the given hosted domain)
    2. JSON Email Lookup
      1. Enter your JSON Email Lookup URL (example below) that consists of a single JSON array of emails to search through
    3. Google Groups Lookup
      1. Use Google Groups to authorize users
  6. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

Microsoft Azure

  1. Clone or download this repo
  2. In your Azure portal, go to Azure Active Directory and select App registrations
    1. Create a new application registration with an application type of Web app / api
    2. Once created, go to your application Settings -> Keys and make a new key with your desired duration. Click save and copy the value. This will be your client_secret
    3. Above where you selected Keys, go to Reply URLs and enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
  3. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  4. Choose Microsoft as the authorization method and enter the values for Tenant, Client ID (Application ID), Client Secret (previously created key), Redirect URI and Session Duration
  5. Select the preferred authentication method
    1. Azure AD Membership (default)
    2. JSON Username Lookup
      1. Enter your JSON Username Lookup URL (example below) that consists of a single JSON array of usernames to search through
  6. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

OKTA

  1. Clone or download this repo
  2. Sign in to OKTA with your administrator account and navigate to the Applications tab.
  3. Add Application
    1. Select the Web application type
    2. Base URI: CloudFront distribution domain name (https://{cf-endpoint}.cloudfront.net)
    3. Login Redirect URI: CloudFront distribution domain name with callback path (https://{cf-endpoint}.cloudfront.net/_callback)
    4. Group Assignments: Optional
    5. Grant Type Allowed: Authorization Code
    6. Done
  4. Gather the following information for Lambda configuration
    1. Client Id and Client Secret from the application created in our previous step (can be found at the bottom of the general tab)
    2. Base Url
      1. This is named the 'Org URL' and can be found in the top right of the Dashboard tab.
  5. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  6. Choose OKTA as the authorization method and enter the values for Base URL (Org URL), Client ID, Client Secret, Redirect URI, and Session Duration
  7. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

Auth0

  1. Clone or download this repo
  2. Go to the Dashboard of your Auth0 admin page
    1. Click New Application
    2. Select Regular Web App and click Create.
    3. Now select an application type and follow the steps for 'Quick Start' or use your own app.
    4. Go to application Settings and enter required details. In Allowed Callback URLs enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
  3. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  4. Choose AUTH0 as the authorization method and enter the values for Base URL (Auth0 Domain), Client ID, Client Secret, Redirect URI, and Session Duration
  5. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

Centrify

  1. Clone or download this repo
  2. Go to the Dashboard of your Centrify admin page
    1. Click Web Apps from the LHS.
    2. Click Add Web App and select the Custom Tab.
    3. Add an OpenID Connect webapp and click Yes to confirm.
  3. Fill in naming and logo information and then switch to the Trust tab.
  4. Enter service provider information. In Authorized Redirect URIs enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
  5. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  6. Choose CENTRIFY as the authorization method and enter the values for Base URL (Centrify Resource application URL), Client ID, Client Secret, Redirect URI, and Session Duration (which is available from the Tokens tab).
  7. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

OKTA Native

  1. Clone or download this repo
  2. Sign in to OKTA with your administrator account and navigate to the Applications tab.
  3. Add Application
    1. Select the Native application type
    2. Base URI: CloudFront distribution domain name (https://{cf-endpoint}.cloudfront.net)
    3. Login Redirect URI: CloudFront distribution domain name with callback path (https://{cf-endpoint}.cloudfront.net/_callback)
    4. Group Assignments: Optional
    5. Grant Type Allowed: Authorization Code
    6. Done
  4. Gather the following information for Lambda configuration
    1. Client Id from the application created in our previous step (can be found at the bottom of the general tab)
    2. Base Url
      1. This is named the 'Org URL' and can be found in the top right of the Dashboard tab.
  5. Execute ./build.sh in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated.
  6. Choose OKTA Native as the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Duration
  7. Upload the resulting zip file found in your distribution folder using the AWS Lambda console and jump to the configuration step

Configure Lambda and CloudFront

Manual Deployment or AWS SAM Deployment

Authorization Method Examples

Testing

Detailed instructions on testing your function can be found in the Wiki.

Build Requirements

Contributing

All contributions are welcome. Please create an issue in order to open up communication with the community.

When implementing a new flow or using an already implemented flow, be sure to follow the same style used in build.js. The config.json file should have an object for each request made. For example, openid.index.js converts config.AUTH_REQUEST and config.TOKEN_REQUEST to querystrings for simplified requests (after adding dynamic variables such as state or nonce). For implementations that are not generic (most), endpoints are hardcoded into the config (or discovery documents).

Be considerate of our limitations. The zipped function can be no more than 1MB in size and execution cannot take longer than 5 seconds, so we must pay close attention to the size of our dependencies and complexity of operations.
