
Bbao modulized msal #3


Open
wants to merge 33 commits into
base: master
33 commits
7d089b2
remove scp check
gao-sun Jan 22, 2020
d65a320
add context object
gao-sun Feb 4, 2020
8492cbe
add yarn.lock
gao-sun Feb 4, 2020
4813e32
Add groups in context
gao-sun Mar 5, 2020
a6c99a9
Adapt for who2 prod claims
gao-sun Apr 28, 2020
bded976
Compatible with AAD author
Jan 19, 2021
e2646d9
Upgrade okta verifier to 2.0.0
Jan 19, 2021
f57c999
Add more debug log while auth failed
Apr 19, 2021
2d5c13b
Add more logging, upgrade okta verifier to 2.1
Apr 19, 2021
54e0501
Bump browserslist from 4.16.4 to 4.16.6
dependabot[bot] May 27, 2021
1f254ff
Merge pull request #2 from scdt-china/dependabot/npm_and_yarn/browser…
gao-sun Jun 9, 2021
cdb7967
Transpile .cn email to .com
gao-sun Jun 9, 2021
5ad50ad
Replace static audience to environment variable
Jul 20, 2021
c6af722
Merge pull request #3 from scdt-china/bbao-master-update-audience
Jul 20, 2021
15af2f2
auth for websocket
guming1020 Nov 23, 2021
79423dc
Make it compatiable to HTTP API gw authorization result
Feb 9, 2022
ea2b611
Let AWS Lambda return 401 instead of 500 when unauthorized
Feb 15, 2022
b2c7dbc
querystring auth for web
guming1020 Feb 18, 2022
9d1d0a7
Upgrade versions
Feb 20, 2022
b4901c6
querystring auth for web
guming1020 Feb 18, 2022
22adab0
Merge branch 'master' into mgu-oauth-websocket
guming1020 Feb 21, 2022
7f24039
Merge pull request #4 from scdt-china/mgu-oauth-websocket
guming1020 Feb 21, 2022
7ab7d37
Bump follow-redirects from 1.13.3 to 1.14.9
dependabot[bot] Feb 21, 2022
6b86397
fixed merge bug
guming1020 Feb 24, 2022
ae46305
Merge pull request #9 from scdt-china/mgu-fixed-merge-bug
baobo5625 Feb 24, 2022
742936b
Merge pull request #8 from scdt-china/dependabot/npm_and_yarn/follow-…
baobo5625 May 7, 2022
5cee0c0
Bump axios from 0.21.1 to 0.21.4
dependabot[bot] May 7, 2022
792aa09
Merge pull request #7 from scdt-china/dependabot/npm_and_yarn/axios-0…
baobo5625 May 7, 2022
8186eae
[Tokens] Split token verification into okta and msal
Jun 15, 2022
5d2747f
Change var to const
Jun 15, 2022
0605d64
Merge pull request #10 from scdt-china/bbao-master-split-okta-and-msa…
baobo5625 Jun 15, 2022
f20bff0
模块化MSAL atuh, 做了Okta fall back auth
Jul 3, 2022
b1e6c87
删除Access Token 记录
Sep 15, 2022
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -3,3 +3,5 @@ dist
.npmrc
*.swp
.DS_Store
yarn.lock
package-lock.json
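Review bot: Ignoring `yarn.lock` and `package-lock.json` takes the pinned dependency tree out of version control, so each install of this authorizer resolves transitive versions afresh and the dependabot bumps in this PR (`browserslist`, `follow-redirects`, `axios`) are no longer enforced by a lockfile at deploy time. This also appears to contradict commit 8492cbe ("add yarn.lock") earlier in the same PR, which by its title committed the lockfile. For a Lambda authorizer that fronts every API call, the usual supply-chain posture is a committed lockfile plus `npm ci` or `yarn install --frozen-lockfile` in the build, so the deployed dependency set is reproducible and reviewable. If leaving the lockfile out is deliberate, a comment above these two entries such as `# lockfiles are regenerated by the deployment pipeline; see <ticket>` would record the decision.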
6 changes: 5 additions & 1 deletion auth-policy.js
Expand Up @@ -289,7 +289,7 @@ AuthPolicy.prototype = (function() {
* @method build
* @return {Object} The policy object that can be serialized to JSON.
*/
build: function() {
build: function(context = {}) {
if ((!this.allowMethods || this.allowMethods.length === 0) &&
(!this.denyMethods || this.denyMethods.length === 0)) {
throw new Error("No statements defined for the policy");
Expand All @@ -306,6 +306,10 @@ AuthPolicy.prototype = (function() {

policy.policyDocument = doc;

// context which can be passed to the backend
// see https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
policy.context = context;

return policy;
}
};
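Review bot: `build(context = {})` copies the caller's object straight into `policy.context` without checking value types, and the AWS page linked in the added comment requires each authorizer context value to be a string, number or boolean; a nested object or array (for example a `groups` array, which commit 4813e32 suggests may be passed) makes API Gateway reject the whole authorizer response, so the request fails for a reason that is hard to trace back here. Validating the entries before assignment turns that into an explicit error at build time. The context is also forwarded to the backend as trusted identity data, so a comment such as `// Only populate from claims that verifyAccessToken has already validated` above the assignment would make the trust boundary visible. `build` belongs to the `AuthPolicy.prototype` IIFE whose start is outside this hunk.
```javascript
build: function (context = {}) {
  // … unchanged: statement check and policy document assembly …

  // API Gateway accepts only string, number or boolean context values;
  // anything else invalidates the entire authorizer response.
  for (const [key, value] of Object.entries(context)) {
    if (!["string", "number", "boolean"].includes(typeof value)) {
      throw new Error(`Authorizer context value "${key}" must be a string, number or boolean`);
    }
  }
  policy.context = context;

  return policy;
}
```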
95 changes: 32 additions & 63 deletions index.js
@@ -1,80 +1,49 @@
/******************************************************/
// Okta lambda authorizer for Amazon API Gateway

require('dotenv').config();
require("dotenv").config();

const OktaJwtVerifier = require('@okta/jwt-verifier');
const VerifyToken = require("./verify-token.js");

/******************************************************/

const oktaJwtVerifier = new OktaJwtVerifier({
issuer: process.env.ISSUER, // required
clientId: process.env.CLIENT_ID, // required
assertClaims: {
aud: process.env.AUDIENCE
}
});

const AuthPolicy = require('./auth-policy');

/******************************************************/

exports.handler = function(event, context) {

var arr = event.authorizationToken.split(" ");
const AuthPolicy = require("./auth-policy");

var access_token = arr[1];

oktaJwtVerifier.verifyAccessToken(access_token)
.then(jwt => {
// the token is valid (per definition of 'valid' above)
console.log(jwt.claims);

var claims = jwt.claims;
const allowAccess = (event, email) => {
var apiOptions = {};
const arnParts = event.methodArn.split(":");
const apiGatewayArnPart = arnParts[5].split("/");
const awsAccountId = arnParts[4];
apiOptions.region = arnParts[3];
apiOptions.restApiId = apiGatewayArnPart[0];
apiOptions.stage = apiGatewayArnPart[1];
const method = apiGatewayArnPart[2];
var resource = "/"; // root resource

console.log('request principal: ' + claims);

var apiOptions = {};
const arnParts = event.methodArn.split(':');
const apiGatewayArnPart = arnParts[5].split('/');
const awsAccountId = arnParts[4];
apiOptions.region = arnParts[3];
apiOptions.restApiId = apiGatewayArnPart[0];
apiOptions.stage = apiGatewayArnPart[1];
const method = apiGatewayArnPart[2];
var resource = '/'; // root resource
if (apiGatewayArnPart[3]) {
resource += apiGatewayArnPart[3];
}

if (apiGatewayArnPart[3]) {
resource += apiGatewayArnPart[3];
}
const policy = new AuthPolicy(
VerifyToken.transpileToComEmail(email),
awsAccountId,
apiOptions
);

var policy = new AuthPolicy(claims.sub, awsAccountId, apiOptions);
/*
removed scp check, see commit log for details
*/

/*
example scope based authorization
policy.allowAllMethods();

to allow full access:
policy.allowAllMethods()
*/
return policy;
};

if (claims.scp.includes('api:read')) {
policy.allowMethod(AuthPolicy.HttpVerb.GET, "*");
}
else if (claims.scp.includes('api:write')) {
policy.allowMethod(AuthPolicy.HttpVerb.POST, "*");
policy.allowMethod(AuthPolicy.HttpVerb.PUT, "*");
policy.allowMethod(AuthPolicy.HttpVerb.PATCH, "*");
policy.allowMethod(AuthPolicy.HttpVerb.DELETE, "*");
}
exports.handler = function (event, context) {
const arr = event.authorizationToken.split(" ");

policy.allowMethod(AuthPolicy.HttpVerb.HEAD, "*");
policy.allowMethod(AuthPolicy.HttpVerb.OPTIONS, "*");
const accessToken = arr[1];

return context.succeed(policy.build());
})
.catch(err => {
return VerifyToken.verifyAccessToken(accessToken, event, context, allowAccess);
};

console.log(err)
return context.fail('Unauthorized');
});
}
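Review bot: The handler takes `arr[1]` from `event.authorizationToken.split(" ")` without checking that the header has exactly two parts with the expected `Bearer` scheme, so a bare token or a header with extra spaces passes `undefined` or a truncated string into `VerifyToken.verifyAccessToken`, and an event with no `authorizationToken` at all throws a TypeError before verification runs, which surfaces as a 500 rather than the 401 that commit ea2b611 set out to return. A guard before the verify call, `if (typeof event.authorizationToken !== "string") return context.fail("Unauthorized");` followed by `const [scheme, accessToken, ...rest] = event.authorizationToken.split(" ");` and `if (scheme.toLowerCase() !== "bearer" || !accessToken || rest.length) return context.fail("Unauthorized");`, rejects malformed headers up front instead of relying on the verifier to fail closed on `undefined`. Separately, `allowAccess` grants `policy.allowAllMethods()` to every caller whose token verifies, so the `api:read`/`api:write` distinction the removed lines enforced is gone and any authenticated principal can now invoke every method; if that is intended, a comment above the call such as `// Coarse-grained by design: any verified token may call every method (scope checks removed in 7d089b2)` would stop the next reader from treating it as an oversight. Whether `verifyAccessToken` itself rejects an `undefined` token cannot be confirmed from this page, since `verify-token.js` is not part of the diff.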