-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question about Origins #23
Comments
Hi @picosam ! Great to hear this is of use to you.
Let me know if this clears things up. |
Thank you very much @ottokruse, your response is clear and I believe your description was as well; I guess I just assumed incorrectly there was more to Your code is not only of use but very valuable to us: we're going to be using it to protect our Test and Staging environments, hence the need to use our own CloudFront Distributions. You do confirm that we can easily spin-off multiple SPA Distrubtions/Buckets without the lambda@edge functions being redeployed every time, right? The thing is that (and I'm going to try and look into that today) I'll have to have a different User Pool for each "set" of Test/Staging environments though, to prevent different protected resources from being accessed by users who shouldn't be seeing them. |
Great to hear that! "You do confirm that we can easily spin-off multiple SPA Distrubtions/Buckets without the lambda@edge functions being redeployed every time, right?" In the sample solution the userPoolId and such is added into the Lambda@Edge functions (configuration.json). So if you need to use different user pools you need different Lamda@Edge functions. You can of course change the code, then you can do whatever. The Lambda@Edge functions are configuration-wise not aware of the bucket they protect, nor of the CloudFront distribution they are used in. So you can re-use the Lambda@Edge functions for multiple S3 buckets/CloudFront distributions. |
Ok, so I deployed with a pretty complex distribution and it all does work as intended :-)
Does that statement stand even relative to the redirect URLs after signing in/out? |
The Lambda@Edge functions are aware of e.g. the special paths (signin/signout/parseauth/refreshauth), but not of the host (domain name) on which they are running. They grab the hostname from the incoming "Host" http header. So as long as your CloudFront distributions use the same special paths, you could reuse the Lambda@Edge functions. |
BTW maybe you could solve your use case more easily by having one user pool, but putting the users in that pool into separate groups. Then, implement some sort of mapping between group and allowed origin. This will require you to change the Lambda@Edge code a bit, but having one user pool might be nicer, as users who are in multiple groups then only have to sign in once. Update: excuse me, reading back I think you were going in this direction already. |
Thank you! Yes, this is exactly what I'm trying to do: have one user pool -- except I thought I would need to create a different App Client per CloudFront distribution. What's stopping me is the following:
as it seems that the App Client ID is being saved "within" each lambda function and I'm looking for how to have that be "dynamic" somehow. Again, thanks a lot for all this help. |
Yeah probably implement some kind of mapping between domain names, groups and client id's.
That'll be some fun coding, enjoy :) |
Great. If you don't mind, I'm going to ask someone who works with me to contribute via pull requests. |
Sure! Great. Shall we close this issue for now? |
Thanks a lot for such a complete and useful work! When looking at the example of reusing auth with my own Cloudfront distribution, I see the following:
Are we supposed to replace
example.org
andexample.com
there with other values? Also, are we supposed to add our own S3 Bucket where we'll be deploying our SPA?Thanks again,
Sammy
The text was updated successfully, but these errors were encountered: