Updating jwks handling.

.github/workflows/deploy-api-dev.yaml

@@ -78,8 +78,9 @@ jobs:
           AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
           COGNITO_CALLBACK_URLS: ${{ vars.COGNITO_CALLBACK_URLS }}
           ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+          JWKS: ${{ secrets.JWKS }}
         run: |
-          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "DataRegisterEndpoint=$DATA_REGISTER_ENDPOINT" "DataRegisterApiKey=$DATA_REGISTER_API_KEY" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "CognitoCallbackURLs=$COGNITO_CALLBACK_URLS" "Environment=dev"
+          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "DataRegisterEndpoint=$DATA_REGISTER_ENDPOINT" "DataRegisterApiKey=$DATA_REGISTER_API_KEY" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "CognitoCallbackURLs=$COGNITO_CALLBACK_URLS" "Jwks=$JWKS" "Environment=dev"
 
       # - shell: bash
       #   env:

.github/workflows/deploy-api-prod.yaml

@@ -84,8 +84,9 @@ jobs:
           AZURE_APP_SECRET: ${{ secrets.AZURE_APP_SECRET }}
           AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
           ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+          JWKS: ${{ secrets.JWKS }}
         run: |
-          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL"
+          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "Jwks=$JWKS"
 
       # - shell: bash
       #   env:

.github/workflows/deploy-api-test.yaml

@@ -87,8 +87,9 @@ jobs:
           AZURE_APP_SECRET: ${{ secrets.AZURE_APP_SECRET }}
           AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
           ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+          JWKS: ${{ secrets.JWKS }}
         run: |
-          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL"
+          sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "Jwks=$JWKS"
 
       # - shell: bash
       #   env:

handlers/authorizer/index.js

@@ -2,6 +2,8 @@ const { logger } = require('/opt/base');
 const TABLE_NAME = process.env.TABLE_NAME;
 const jwt = require('jsonwebtoken');
 const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
+const jwkToPem = require('jwk-to-pem');
+const crypto = require('crypto');
 
 exports.handler = async function (event, context, callback) {
   console.log(event);
@@ -103,6 +105,8 @@ function validateToken(token) {
   console.log('kid:', kid);
 
   // search for the kid in the downloaded public keys
+  const keys = JSON.stringify(process.env.JWKS);
+
   let keyIndex = -1;
   for (let i = 0; i < keys.length; i++) {
     if (kid === keys[i].kid) {

template.yaml

@@ -65,6 +65,8 @@ Parameters:
   InstanceType:
     Type: String
     Default: 't3.small.search'
+  Jwks:
+    Type: String
   KMSKeyId:
     Type: String
     Default: 'arn:aws:kms:ca-central-1:637423314715:alias/aws/es'
@@ -362,6 +364,7 @@ Resources:
           COGNITO_APP_CLIENT_ID: !Ref CognitoUserPoolClient
           TABLE_NAME: !Ref TableName
           STAGE_NAME: !Ref Stage
+          JWKS: !Ref Jwks
 
   SearchFunction:
     FunctionName: SearchFunction