To use this solution, a configuration document must be generated and stored in AWS Secrets Manager. There are two ways to generate it: with the configuration CLI, or by hand.
The configuration CLI is a Python 3 script that automates the generation of the Amazon CloudFront Distribution configuration.
In the CLI directory there is a utility that generates the JSON configuration and then Base64-encodes it. The same utility also generates the OpenSSL private and public key pair that the configuration requires.
python cli.py \
--client_id client-id \
--client_secret client-secret \
--cloudfront_host cloudfront-host \
--idp_domain_name idp-domain-name \
--idp_name idp
This will produce the following two files in the same directory:
- cloudfront_config_rendered.json: the rendered configuration file with all of the parameters supplied to the CLI above.
- encoded_cloudfront_config_rendered.json: a key-value pair JSON document whose value is the Base64-encoded contents of the first file. This is the format in which the configuration should be stored in AWS Secrets Manager.
Both files contain the IdP client secret and the private key in clear text (Base64 is an encoding, not encryption), so keep them out of source control and remove them once the secret has been uploaded.
Copy the encoded value from encoded_cloudfront_config_rendered.json and move on to the next step.
The decoded JSON configuration document looks like the following:
{
"AUTH_REQUEST": {
"client_id": "${CLIENT_ID_FROM_IDP}",
"response_type": "code",
"scope": "openid email",
"redirect_uri": "https://${CLOUDFRONT_DIST_URL}/_callback"
},
"TOKEN_REQUEST": {
"client_id": "${CLIENT_ID_FROM_IDP}",
"redirect_uri": "https://${CLOUDFRONT_DIST_URL}/_callback",
"grant_type": "authorization_code",
"client_secret": "${CLIENT_SECRET_FROM_OKTA}"
},
"DISTRIBUTION": "amazon-oai",
"AUTHN": "OKTA",
"PRIVATE_KEY": "${PRIVATE_KEY_GOES_HERE}",
"PUBLIC_KEY": "${PUBLIC_KEY_GOES_HERE}",
"DISCOVERY_DOCUMENT": "https://${IDP_DOMAIN_NAME}/.well-known/openid-configuration",
"SESSION_DURATION": 30,
"BASE_URL": "https://${IDP_DOMAIN_NAME}/",
"CALLBACK_PATH": "/_callback",
"AUTHZ": "OKTA"
}
Each section above consists of key-value pairs. Every value that contains ${} must be replaced with the corresponding setting:
- CLIENT_ID_FROM_IDP: the Client ID of the application registered with the IdP.
- CLIENT_SECRET_FROM_OKTA: the client secret issued for that same registered application. It is sent only in TOKEN_REQUEST, never in the browser-facing AUTH_REQUEST.
- CLOUDFRONT_DIST_URL: the hostname of the Amazon CloudFront Distribution that was created, in the form xyz.cloudfront.net. The resulting redirect_uri (https://xyz.cloudfront.net/_callback) must exactly match the redirect URI registered for the application at the IdP, or the authorization code exchange will be rejected.
- PRIVATE_KEY_GOES_HERE: a private key generated with a tool such as openssl. See the example below for the formatting.
- PUBLIC_KEY_GOES_HERE: the matching public key, generated with a tool such as openssl. See the example below for the formatting.
- IDP_DOMAIN_NAME: the hostname assigned by the IdP you have selected, for example dev-xyz-okta.com.
The PEM key material is embedded as a single JSON string, so each line break in the PEM file becomes a \n escape, and the BEGIN/END armour lines must keep their five leading and trailing dashes.
With the placeholders filled in, a manually created document looks like the following:
{
"AUTH_REQUEST": {
"client_id": "abcdefghijklmnop",
"response_type": "code",
"scope": "openid email",
"redirect_uri": "https://xyz.cloudfront.net/_callback"
},
"TOKEN_REQUEST": {
"client_id": "abcdefghijklmnop",
"redirect_uri": "https://xyz.cloudfront.net/_callback",
"grant_type": "authorization_code",
"client_secret": "secretvalue"
},
"DISTRIBUTION": "amazon-oai",
"AUTHN": "IDP",
"PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEAn9XzZ+C...xzU\n-----END RSA PRIVATE KEY-----\n",
"PUBLIC_KEY": "-----BEGIN PUBLIC KEY-----\nMIICIjANBg...AAQ==\n-----END PUBLIC KEY-----\n",
"DISCOVERY_DOCUMENT": "https://idp-generated-hostname/.well-known/openid-configuration",
"SESSION_DURATION": 30,
"BASE_URL": "https://idp-generated-hostname/",
"CALLBACK_PATH": "/_callback",
"AUTHZ": "IDP"
}
- Store this JSON document in a file called configuration.json.
- Run the following command:
openssl base64 -in configuration.json -out configuration-encoded.json
Note that openssl base64 wraps its output at 64 columns; add the -A flag if you want the encoded value on a single line.
- Copy the contents of configuration-encoded.json and move on to the next step of updating the AWS Secrets Manager OIDC Secret.
- configuration.json and configuration-encoded.json both contain the client secret and the private key; delete them, or store them with the same care as the secret itself, once the value has been uploaded.
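The following Python script is an added example and is not the project's cli.py or any other code from the project. It renders a document with the same layout as the template above (the CLI path), then checks it for the mistakes that are easy to make when filling the template in by hand (the manual path): unreplaced ${} placeholders, a redirect_uri that does not match CALLBACK_PATH, and PEM blocks with malformed armour or missing \n line breaks. It then produces the single-line Base64 value and proves it round-trips, including when the value carries the 64-column line breaks that openssl base64 emits. It does not generate keys; the two PEM strings are constructed, non-functional stand-ins for the files openssl would produce, and the function names are the example's own.

```python
import base64
import json
import re

# Top-level keys every configuration document must carry (from the template).
REQUIRED_TOP_LEVEL = (
    "AUTH_REQUEST", "TOKEN_REQUEST", "DISTRIBUTION", "AUTHN", "AUTHZ",
    "PRIVATE_KEY", "PUBLIC_KEY", "DISCOVERY_DOCUMENT", "SESSION_DURATION",
    "BASE_URL", "CALLBACK_PATH",
)
PLACEHOLDER = re.compile(r"\$\{[A-Z0-9_]+\}")
# One PEM block: five-dash BEGIN/END armour, base64 body lines, "\n" breaks.
PEM_BLOCK = re.compile(
    r"\A-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----\n?\Z"
)

# Constructed stand-ins for the PEM files from openssl; not real keys.
DUMMY_PRIVATE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEA\n"
                     "-----END RSA PRIVATE KEY-----\n")
DUMMY_PUBLIC_KEY = ("-----BEGIN PUBLIC KEY-----\nMIICIjANBg\n"
                    "-----END PUBLIC KEY-----\n")


def build_config(client_id, client_secret, cloudfront_host, idp_domain_name,
                 private_key_pem, public_key_pem, authn="IDP", authz="IDP",
                 session_duration=30):
    """Render the document in the layout of the page's template."""
    callback_path = "/_callback"
    redirect_uri = f"https://{cloudfront_host}{callback_path}"
    return {
        "AUTH_REQUEST": {
            "client_id": client_id,
            "response_type": "code",
            "scope": "openid email",
            "redirect_uri": redirect_uri,
        },
        "TOKEN_REQUEST": {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "grant_type": "authorization_code",
            "client_secret": client_secret,  # back-channel only
        },
        "DISTRIBUTION": "amazon-oai",
        "AUTHN": authn,
        "PRIVATE_KEY": private_key_pem,
        "PUBLIC_KEY": public_key_pem,
        "DISCOVERY_DOCUMENT": f"https://{idp_domain_name}/.well-known/openid-configuration",
        "SESSION_DURATION": session_duration,
        "BASE_URL": f"https://{idp_domain_name}/",
        "CALLBACK_PATH": callback_path,
        "AUTHZ": authz,
    }


def validate_config(cfg):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = [f"missing key {k}" for k in REQUIRED_TOP_LEVEL if k not in cfg]
    # Any ${...} still present means a template value was never filled in.
    for m in PLACEHOLDER.finditer(json.dumps(cfg)):
        problems.append(f"unreplaced placeholder {m.group(0)}")
    auth, token = cfg.get("AUTH_REQUEST", {}), cfg.get("TOKEN_REQUEST", {})
    if auth.get("client_id") != token.get("client_id"):
        problems.append("client_id differs between AUTH_REQUEST and TOKEN_REQUEST")
    if auth.get("redirect_uri") != token.get("redirect_uri"):
        problems.append("redirect_uri differs between AUTH_REQUEST and TOKEN_REQUEST")
    redirect = auth.get("redirect_uri", "")
    callback = cfg.get("CALLBACK_PATH", "/_callback")
    if not (redirect.startswith("https://") and redirect.endswith(callback)):
        problems.append("redirect_uri must use https and end with CALLBACK_PATH")
    for key in ("DISCOVERY_DOCUMENT", "BASE_URL"):
        if not str(cfg.get(key, "")).startswith("https://"):
            problems.append(f"{key} must use https")
    for key, kind in (("PRIVATE_KEY", "PRIVATE KEY"), ("PUBLIC_KEY", "PUBLIC KEY")):
        m = PEM_BLOCK.match(cfg.get(key, ""))
        if not m or not m.group(1).endswith(kind):
            problems.append(f"{key} is not a well-formed PEM block "
                            "(check the five-dash armour and \\n line breaks)")
    dur = cfg.get("SESSION_DURATION")
    if not isinstance(dur, int) or dur <= 0:
        problems.append("SESSION_DURATION must be a positive integer")
    return problems


def encode_config(cfg):
    """Compact JSON, Base64-encoded on one line: the Secrets Manager value."""
    raw = json.dumps(cfg, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_config(encoded):
    """Reverse of encode_config; also accepts openssl's 64-column line breaks."""
    return json.loads(base64.b64decode("".join(encoded.split()), validate=True))


if __name__ == "__main__":
    cfg = build_config("abcdefghijklmnop", "secretvalue", "xyz.cloudfront.net",
                       "idp-generated-hostname", DUMMY_PRIVATE_KEY, DUMMY_PUBLIC_KEY)
    for problem in validate_config(cfg):
        print("problem:", problem)
    print(encode_config(cfg))
```

Run validate_config on the decoded contents of cloudfront_config_rendered.json or configuration.json before uploading the secret; a malformed PEM string or a leftover placeholder is far cheaper to catch here than after the Lambda@Edge function has been deployed and starts failing every request.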
Navigate to Update AWS Secrets Manager for the next step.