Package Exports
- keycloak-lambda-authorizer
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (keycloak-lambda-authorizer) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Description
Implementation Keycloak adapter for aws Lambda
Features
- validate expiration of JWT token
- validate JWS signature
- supports "clientId/secret" and "client-jwt" credential types
- Role based authorization
- Resource based authorization ( Keycloak Authorization Services )
Installation
npm install keycloak-lambda-authorizer -SExamples
How to use with Aws Lambda Authorizer :
Role Based
import { awsHandler } from 'keycloak-lambda-authorizer';
export function authorizer(event, context, callback) {
const keycloakJSON = ...; // read Keycloak.json
awsHandler(event, keycloakJSON, {
enforce: { enabled: true, role: 'SOME_ROLE' },
}).then((token)=>{
// Success
}).catch((e)=>{
// Failed
});
}Resource Based (Keycloak Authorization Services)
import { awsHandler } from 'keycloak-lambda-authorizer';
export function authorizer(event, context, callback) {
const keycloakJSON = ...; // read Keycloak.json
awsHandler(event, keycloakJSON, {
enforce: {
enabled: true,
resource: {
name: 'SOME_RESOURCE',
uri: 'RESOURCE_URI',
matchingUri: true,
},
},
}).then((token)=>{
// Success
}).catch((e)=>{
// Failed
});
}Configuration
Option structure:
{
"cache":"defaultCache",
"logger":console,
"keys":{
"privateKey":{
"key": privateKey,
"passphrase": 'privateKey passphrase'
},
"publicKey":{
"key": publicKey,
}
},
"enforce":{
"enabled":true,
"resource":{
"name":"SOME_RESOURCE",
"uri":"/test",
"owner":"...",
"type":"...",
"scope":"...",
"matchingUri":false,
"deep":false
},
"resources":[
{
"name":"SOME_RESOURCE1",
"uri":"/test1",
"owner":"...",
"type":"...",
"scope":"...",
"matchingUri":false,
"deep":false
},
{
"name":"SOME_RESOURCE2",
"uri":"/test2",
"owner":"...",
"type":"...",
"scope":"...",
"matchingUri":false,
"deep":false
}
]
}
}
}Resource Structure:
{
"name":"",
"uri":"",
"owner":"",
"type":"",
"scope":"",
"matchingUri":false
}name : unique name of resource
uri : URIs which are protected by resource.
Owner : Owner of resource
type : Type of Resource
scope : The scope associated with this resource.
matchingUri : matching Uri
Change logger
awsHandler(event, keycloakJSON, {
logger:winston,
...
}).then().catch()const winston from 'winston';
import { awsHandler } from 'keycloak-lambda-authorizer';
export function authorizer(event, context, callback) {
const keycloakJSON = ...; // read Keycloak.json
awsHandler(event, keycloakJSON, {
logger:winston
}).then((token)=>{
// Success
}).catch((e)=>{
// Failed
});
}Cache
Example of cache:
const NodeCache = require('node-cache');
const defaultCache = new NodeCache({ stdTTL: 180, checkperiod: 0, errorOnMissing: false });
const resourceCache = new NodeCache({ stdTTL: 30, checkperiod: 0, errorOnMissing: false });
export function put(region, key, value) {
if (region === 'publicKey') {
defaultCache.set(key, value);
} else if (region === 'uma2-configuration') {
defaultCache.set(key, value);
} else if (region === 'client_credentials') {
defaultCache.set(key, value);
} else if (region === 'resource') {
resourceCache.set(key, value);
} else {
throw new Error('Unsupported Region');
}
}
export function get(region, key) {
if (region === 'publicKey') {
return defaultCache.get(key);
} if (region === 'uma2-configuration') {
return defaultCache.get(key);
} if (region === 'client_credentials') {
return defaultCache.get(key);
} if (region === 'resource') {
return resourceCache.get(key);
}
throw new Error('Unsupported Region');
}Cache Regions:
publicKey - Cache for storing Public Keys. (The time to live - 180 sec)
uma2-configuration - uma2-configuration link. example of link http://localhost:8090/auth/realms/lambda-authorizer/.well-known/uma2-configuration (The time to live - 180 sec)
client_credentials - Service Accounts Credential Cache (The time to live - 180 sec).
resource - Resources Cache (The time to live - 30 sec).
Change Cache:
import { awsHandler } from 'keycloak-lambda-authorizer';
export function authorizer(event, context, callback) {
const keycloakJSON = ...; // read Keycloak.json
awsHandler(event, keycloakJSON, {
cache: newCache,
}).then((token)=>{
// Success
}).catch((e)=>{
// Failed
});
}Client Jwt Credential Type
- RSA Keys Structure
{
"privateKey":{
"key":"privateKey",
"passphrase":"privateKey passphrase"
},
"publicKey":{
"key":"publicKey"
}
}privateKey.key - RSA Private Key privateKey.passphrase - word or phrase that protects private key publicKey.key - RSA Public Key or Certificate
RSA keys generation example using openssl
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=lambda-jwks" -keyout server.key -out server.crtCreate JWKS endpoint by AWS API Gateway
- serverless.yaml
functions:
cert:
handler: handler.cert
events:
- http:
path: cert
method: GET- lambda function (handler.cert)
import { jwksUrl } from 'keycloak-lambda-authorizer';
export function cert(event, context, callback) {
const jwksResponse = jwksUrl(publicKey);
callback(null, {
statusCode: 200,
body: jwksResponse,
});
}- Keycloak Settings
Create Api GateWay Authorizer function
import { awsHandler } from 'keycloak-lambda-authorizer';
export function authorizer(event, context, callback) {
const keycloakJSON = ...; // read Keycloak.json
awsHandler(event, keycloakJSON, {
keys:{
privateKey:{
key: privateKey,
},
publicKey:{
key: publicKey,
}
},
enforce: {
enabled: true,
resource: {
name: 'SOME_RESOURCE',
uri: 'RESOURCE_URI',
matchingUri: true,
},
},
}).then((token)=>{
// Success
}).catch((e)=>{
// Failed
});
}