feat(oidc): add oidc support #50
Conversation
LGTM, move OIDC to separate module under
variables.tf
| } | ||
| variable "oidc" { | ||
| description = "Seznam OIDC providerů" |
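Review bot: the description on this `variable "oidc"` block is in Czech (`Seznam OIDC providerů`); write it in English, e.g. `description = "List of OIDC providers"`. Because every object in this list carries a `client_secret` (see the usage example in the PR description), also declare `sensitive = true` on the variable so the secrets are redacted from plan and apply output.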
List
| const [value, signature] = session.split('.'); | ||
| console.log('Edge Lambda - Session cookie parts - Value:', value, 'Signature:', signature); | ||
| // Pokud je providerKey přítomen, validujeme jen pro konkrétního providera |
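Review bot: the `console.log` on the second line writes the session cookie value and its signature to CloudWatch; drop it or log only that a cookie was present, since anyone who can read the log could replay the cookie. `const [value, signature] = session.split('.')` also silently takes the first two pieces of a value that contains more than one dot and never rejects a cookie with no dot at all; split on the last dot and reject anything that does not yield a non-empty value and a non-empty signature. The comment on the last line is in Czech and should be in English.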
English comments
| // Pokud máme session cookie, zkusíme ji validovat | ||
| if (session) { | ||
| console.log('Edge Lambda - Found session cookie:', session); | ||
| // Kontrola formátu session cookie (měla by být ve formátu value.signature) |
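Review bot: `console.log('Edge Lambda - Found session cookie:', session)` on the third line logs the full session cookie; log at most its presence, not its contents. The comments on the first and last lines are in Czech and should be in English.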
English comments
| console.log('Edge Lambda - No cookie header present or not an array'); | ||
| } | ||
| // Pokud máme session cookie, zkusíme ji validovat |
English comments
# Example
1. Create an OIDC app
Just for reference, `gitlab_application` is server-wide and not ideal for use e.g. on gitlab.com; there is no support for group applications.
```tf
resource "gitlab_application" "fridges_list" {
  name = "gitlab-app"
  # The provider sends the authorization code back to the module's /callback route,
  # so the registered redirect URL must be the full callback URL of the site.
  redirect_url = "https://www.example.com/callback"
  scopes = [
    "openid",
    "read_user",
    "profile",
    "email",
  ]
}
```
2. Use the module
```tf
module "static_site" {
  source  = "cookielab/static-site/aws"
  version = "4.9.0"
  providers = {
    aws           = aws
    aws.us_east_1 = aws.vir
  }
  domains            = ["www.example.com"]
  domain_zone_id     = aws_route53_zone.example_com.zone_id
  s3_bucket_name     = "example-com-web"
  gitlab_project_id  = data.gitlab_project.app_fridges_list.id
  gitlab_environment = var.environment
  enable_deploy_role = true
  enable_deploy_user = false
  oidc = [
    { # first OIDC provider, the gitlab_application created in step 1
      application_name = "gitlab"
      application_id   = gitlab_application.fridges_list.application_id
      client_secret    = gitlab_application.fridges_list.secret
      auth_url         = "https://gitlab.com/oauth/authorize"
      token_url        = "https://gitlab.com/oauth/token"
    },
    { # second OIDC provider
      application_name = "second"
      application_id   = "second-oidc-app-id"
      client_secret    = "second-oidc-client-secret"
      auth_url         = "https://another-oidc-provider.example.com/oauth/authorize"
      token_url        = "https://another-oidc-provider.example.com/oauth/token"
    }
  ]
}
```
Then https://www.example.com/?auth=APPLICATION_NAME forces auth with the specified provider, e.g.:
- https://www.example.com/?auth=gitlab
- https://www.example.com/?auth=second
This is messy. Perhaps we can get along with a single OIDC auth for the application, or, if no session cookie is present, redirect to a URL hosted on the S3 bucket with HTML constructed from the oidc list.
```html
<h1>Choose authentication method</h1>
<ul>
  <li>
    <a href="/?auth=gitlab">gitlab</a>
  </li>
  <li>
    <a href="/?auth=second">second</a>
  </li>
</ul>
```
fmt
cleanup
review: update lambda engine version nodejs18.x -> nodejs22.x
replace apigateway with lambda_function_url
update docs + fix duplicate blocks of outdated documentation due to missing BEGIN_TF_DOCS comment
review
parametrize session_duration per provider, fix cookie domain
comment sensitive log messages in lambdas
Notes
The OIDC applications need to be set up in advance. The OIDC applications are configured via the module's `oidc` variable (a list of objects). Multiple OIDC applications can be provided; you can select which provider to authenticate with by appending `?auth=PROVIDER_NAME` to the URL.

Changes to the original main module:

New resources:
- `aws_cloudfront_cache_policy.oidc`
- `aws_cloudfront_origin_request_policy.oidc`

Changed blocks:
- `custom_error_response` in `aws_cloudfront_distribution.this` is now conditionally removed if OIDC is enabled, to prevent serving content on error
- `default_cache_behavior` in `aws_cloudfront_distribution.this` conditionally enables forwarding all cookies if OIDC is enabled

Added blocks:
- `origin` for API Gateway in `aws_cloudfront_distribution.this`, dynamically created if OIDC is enabled
- `lambda_function_association` in `aws_cloudfront_distribution.this`, dynamically created if OIDC is enabled, for the edge lambda handling redirects to the OIDC provider
- `ordered_cache_behavior` in `aws_cloudfront_distribution.this`, dynamically created if OIDC is enabled, configuring the `/callback` route to point to the API Gateway origin handling the callbacks