Comments (13)
It seems like a great approach to me. I'll work on tackling that and let you know if I run into other issues. Thank you!
from cloudfront-authorization-at-edge.
@ottokruse, this is something I'm looking at possibly tackling for the project. Would you be able to provide more detail around the "Using Cognito client secret"? In my testing so far the original validation still works with a non-SPA application, but I may be misunderstanding the requirement. Thank you!
Great to hear you're willing to work on this.
More info:
The Cognito User Pool client should be created with a client secret. Then when interacting with the Cognito endpoints from Lambda@Edge, the client secret must be provided using HTTP basic auth. Read more about this here:
- https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
- https://forums.aws.amazon.com/message.jspa?messageID=820844
TL;DR - adds a bit of extra security. Attackers also need the client secret to be able to sign in programmatically.
Does that help?
Sure does @ottokruse. I'll see what I can come up with here. Thanks!
Hey @ottokruse. I started working through the branch and am currently at the step to pass in the ClientSecret to the configuration values. Ran into an issue, however: it appears that this value is not obtainable except through Console or CLI invocation at this time. https://forums.aws.amazon.com/thread.jspa?messageID=800824
Curious if you have any preferences for how you would like to move forward with the implementation?
Ah, that's annoying!
We could extract the client secret with a custom resource. We can change an existing custom resource to this end: src/cfn-custom-resources/user-pool-client/index.ts
On line 47 in that file, the user pool client is updated. That call returns a.o. the client secret, that we could export in the Data on line 50.
Guess that would be the most pragmatic way to solve this. What do you think?
Hey @ottokruse, another question about the client secret. Wouldn't this be something that should be implemented in both cases (SPA/Non-SPA) if it's an extra level of security? It seems like if we have it for one we'd want it for both.
If that's the case should we make that a separate PR from the SPA/Non-SPA designation to keep things clean?
It is related actually. In SPA mode, we want to enable the SPA to make requests against Cognito (to e.g. sign-out or refresh tokens). Since the SPA is JavaScript running in the Browser, it can't use a client secret (technically it could, but it wouldn't be a secret would it, and just adds complexity).
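The two request shapes discussed in this thread, the Basic-auth call that Lambda@Edge makes with the client secret in non-SPA mode and the public-client call the SPA makes without one, as an added TypeScript example that is not code from cloudfront-authorization-at-edge. The names (`Mode`, `ClientConfig`, `buildTokenRequest`, the wrapper functions) and the sample domain, client id and secret are assumptions made for this example; the endpoint path `/oauth2/token` and the `grant_type` fields are Cognito's own.

```typescript
// Added example, not project code. Builds the POST to the Cognito hosted UI
// TOKEN endpoint in the two modes the thread discusses. Type and function
// names and the sample values below are assumptions for this example.

type Mode = "spa" | "non-spa";

interface ClientConfig {
  // Cognito hosted UI domain, e.g. https://<prefix>.auth.<region>.amazoncognito.com
  cognitoAuthDomain: string;
  clientId: string;
  // Only set in non-SPA mode, where the caller is Lambda@Edge, never the browser.
  clientSecret?: string;
}

interface TokenRequest {
  url: string;
  headers: Record<string, string>;
  body: string; // application/x-www-form-urlencoded
}

// HTTP Basic credentials (RFC 7617): base64 of "client_id:client_secret".
function basicAuthHeader(clientId: string, clientSecret: string): string {
  const credentials = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  return `Basic ${credentials}`;
}

// Build the request to /oauth2/token. `params` carries the grant-specific
// fields (grant_type, code, redirect_uri, code_verifier, refresh_token, ...).
function buildTokenRequest(cfg: ClientConfig, mode: Mode, params: Record<string, string>): TokenRequest {
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
  };
  if (mode === "non-spa") {
    // Confidential client: the secret travels only in the Authorization header,
    // sent server-side from Lambda@Edge.
    if (!cfg.clientSecret) {
      throw new Error("non-SPA mode requires the user pool client to have a secret");
    }
    headers["Authorization"] = basicAuthHeader(cfg.clientId, cfg.clientSecret);
  } else if (cfg.clientSecret) {
    // Public client: the SPA itself calls Cognito (sign-out, token refresh), so a
    // secret would be shipped to the browser and would no longer be a secret.
    throw new Error("SPA mode must use a user pool client without a secret");
  }
  const body = new URLSearchParams(params);
  body.set("client_id", cfg.clientId);
  return { url: `${cfg.cognitoAuthDomain}/oauth2/token`, headers, body: body.toString() };
}

// The two grants the edge functions perform: code exchange after sign-in (with
// the PKCE verifier) and refresh of an expired access token.
function authorizationCodeRequest(
  cfg: ClientConfig, mode: Mode, code: string, redirectUri: string, codeVerifier: string,
): TokenRequest {
  return buildTokenRequest(cfg, mode, {
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  });
}

function refreshTokenRequest(cfg: ClientConfig, mode: Mode, refreshToken: string): TokenRequest {
  return buildTokenRequest(cfg, mode, { grant_type: "refresh_token", refresh_token: refreshToken });
}

// Constructed sample values, not real credentials or a real domain.
const sampleNonSpa: ClientConfig = {
  cognitoAuthDomain: "https://example-prefix.auth.eu-west-1.amazoncognito.com",
  clientId: "abc",
  clientSecret: "xyz",
};
const sampleSpa: ClientConfig = {
  cognitoAuthDomain: "https://example-prefix.auth.eu-west-1.amazoncognito.com",
  clientId: "abc",
};

const demo = authorizationCodeRequest(sampleNonSpa, "non-spa", "CODE", "https://example.com/parseauth", "VERIFIER");
console.log(demo.url, demo.headers, demo.body);
```

In non-SPA mode the secret never leaves the Lambda@Edge function; in SPA mode the same builder refuses a config that carries a secret, which is the point made above about the browser being unable to keep one.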
Ahhh, yes that makes sense. Ok I'll keep it all as part of a single PR.
Almost ready to submit the PR, just have a couple of design questions for you @ottokruse:
- I'm currently turning off the DefaultRootObject if we're in NonSPAMode, which results in an error when trying to poll the root. Should we add an option to specify the DefaultRootObject that the user would desire?
- When in NonSPAMode I'm turning off the ReactApp and ReactAppHandler resources. Do we want to load a separate sample application in its place? Or just leave it up to the user to populate the empty bucket?
Thanks! Looking forward to getting this in place.
Great to hear it's nearly there!
Would be good I guess to in non-SPA mode prepopulate the bucket with an index.html file only that shows some banner content like "Welcome! Please replace me with your own files", and some explanation on what to do.
Then we can leave the default root object to index.html
Think that will actually be clearest to most users. The "error" you refer to (1) is not really an error; it's just the result of the ListBucket operation, which CloudFront does if you go to "/" and no default root object is defined (there is something to be said for this too, but I think most users will think something is wrong).
Agreed?
You can steal from the ReactApp custom resource if you want, for the prepopulation of the S3 bucket.
Agreed. I think that makes a lot of sense. I'll make those updates and get the PR in asap. Thanks again.
Fixed by #42