Starter kit for providing OpenID Provider(OP) with serverless architectures using AWS Lambda.
Base project of providing OpenID Provider (OP) quickly with Serverless architecture.
You do not need to implement the mechanism of user authentication and data persistence yourself.
Use node-oidc-provider to provide necessary functions as OpenID Provider(OP), and it is highly customizable.
By using Serverless Framework built in the project, you can deploy applications easily and quickly.
Create a table of DynamoDB with id
as HashKey.
If it does not exist, or if you want to use a new user pool, create a Cognito User Pool.
Add an application client that enabled ADMIN_NO_SRP_AUTH
to the created User Pool.
Notice
User management is out of scope. Please manage users with console and various SDK.
$ git clone [email protected]:AKIRA-MIYAKE/serverless-oidc-provider.git
$ cd serverless-oidc-provider
cp .env.sample .env
Update the following items with your values.
OIDC_ISSURE
- URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
SECURE_KEYS
- Signed cookie keys for koa app.
AWS_ACCOUNT_ID
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION
AWS_DYNAMODB_TABLE_NAME
- Name of table created in preparation.
AWS_COGNITO_USER_POOL_ID
- Id of User Pool created in preparation.
AWS_COGNITO_USER_POOL_CLIENT_ID
- Id of Client of User Pool created in preparation.
$ ENV_FILE=.env docker-compose build
$ ENV_FILE=.env docker-compose run --rm serverless npm install
$ ENV_FILE=.env docker-compose run --rm serverless npm run generate-keys
The basic settings are defined in the src/app/oidc/setting.js
. Change according to the situation.
For details, check node-oidc-provider: Configuration.
The interaction sample is defined in the src/app/oidc/actions/interaction.js
and src/app/oidc/views
. Please customize the views etc.
The setting of AWS is src/services/oidc-provider/serverless.yml
. Change each item if necessary.
$ ENV_FILE=.env docker-compose run --rm serverless npm run deploy
This project provide sample lambda function for use with Custom Authorizer of API Gateway on src/services/authorize
.
It is a Custom Authorizer that uses introspection endpoint of RFC7662: OAuth 2.0 Token Introspection.
Of course, you can also use the introspection endpoint provided by node-oidc-provider.
Please see src/app/authorize
for details.
And, src/services/sample
is a sample of APIs protected by that Custom Authorizer.