'Unknown authentication strategy "oidc"' in AWS Lambda context #13

Open
kpeters-cbsi opened this issue Feb 17, 2021 · 10 comments
@kpeters-cbsi

I'm submitting this issue for the package(s):

  • oidc-middleware

I'm submitting a:

  • Bug report

Current behavior

I've deployed the Lambda sample app provided by Okta using Serverless Framework. While I can run the app locally, when I run it in Lambda, I get:

Error: Unknown authentication strategy "oidc"
    at attempt (/var/task/node_modules/passport/lib/middleware/authenticate.js:173:37)
    at authenticate (/var/task/node_modules/passport/lib/middleware/authenticate.js:349:7)
    at /var/task/node_modules/@okta/oidc-middleware/src/connectUtil.js:81:28
    at Layer.handle [as handle_request] (/var/task/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/task/node_modules/express/lib/router/index.js:317:13)
    at /var/task/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/task/node_modules/express/lib/router/index.js:335:12)
    at next (/var/task/node_modules/express/lib/router/index.js:275:10)
    at urlencodedParser (/var/task/node_modules/body-parser/lib/types/urlencoded.js:91:7)
    at Layer.handle [as handle_request] (/var/task/node_modules/express/lib/router/layer.js:95:5)

Expected behavior

When I access my app, I should be redirected to Okta for authentication.

Minimal reproduction of the problem with instructions

Deploy my fork of the example with the following .env (properly redacted):

OKTA_ORG_URL=https://dev-69099605.okta.com
APP_SECRET=<application / session secret>
OKTA_CLIENT_ID=<client ID>
OKTA_CLIENT_SECRET=<client secret>
HOST_URL_LAMBDA=https://<my API ID>.execute-api.us-east-1.amazonaws.com
HOST_URL_LOCAL=http://localhost:8080

Extra information about the use case/user story you are trying to implement

This is similar to okta/okta-oidc-js#68, but the solution suggested there, namely invoking app.listen on the oidc.ready event, doesn't work as written in a Lambda context (the listening is being handled by API gateway, which calls the Lambda function with the contents of the HTTP request). I've tried converting the event to a Promise using promise.toolbox.fromEvent, but that causes my Lambda to throw an error.

Environment

  • Package Version: 2.0.0
  • Browser: Firefox
  • OS: Windows 10
  • Node version (node -v): AWS Lambda NodeJS 12.x runtime
  • Other:
@swiftone

@kpeters-cbsi - Thanks for the report. Let me check with the team behind that sample repo and see if this issue is better handled there, and I'll report back.

@swiftone

@kpeters-cbsi - Unfortunately, I don't have a lot of experience merging oidc-middleware with AWS Lambda (example notwithstanding), but this is what we were able to turn up:

The issue might be the Passport middleware. This might help: jaredhanson/passport#651 (comment) or uploading the node_modules to Lambda: https://stackoverflow.com/questions/34437900/how-to-load-npm-modules-in-aws-lambda

@kpeters-cbsi
Author

kpeters-cbsi commented Feb 17, 2021

Serverless will take care of the NPM modules. So that I can test the Passport hypothesis, what URL should I try to access? The issuer URL (i.e. https://dev-69099605.okta.com/oauth2/default)?

@kpeters-cbsi
Author

I can get out with my Lambda, but the issuer URL (https://dev-69099605.okta.com/oauth2/default) produces a 404.

@swiftone

Yes, the issuer URL is the base for various URLs that are actually hit. You can see the URL used for the authorize call here: https://github.com/okta/okta-oidc-js/blob/master/packages/oidc-middleware/src/connectUtil.js#L76

There are a number of URLs that are hit, so the above isn't the exhaustive list, but that should establish if the Passport fix will help you.

@kpeters-cbsi
Author

I was able to hit https://dev-69099605.okta.com/app/UserHome/oauth2/default/v1/authorize from my Lambda. I don't think it's Passport.

@swiftone

Unfortunately that's the most information my team has at the moment - your issue (working from inside AWS Lambda) is outside the scope of this SDK itself.

@kpeters-cbsi
Author

kpeters-cbsi commented Feb 19, 2021 via email

@aarongranick-okta
Contributor

@kpeters-cbsi were you able to get this working?

@denysoblohin-okta denysoblohin-okta transferred this issue from okta/okta-oidc-js Oct 29, 2021