Home

Awesome

LambdAuth

Join the chat at https://gitter.im/danilop/LambdAuth

Note:

A sample authentication service implemented with a server-less architecture, using AWS Lambda to host and execute the code and Amazon DynamoDB as persistent storage. This provides a cost-efficient solution that is scalable and highly available.

The authentication can be used with Amazon Cognito to assume an Authenticated Role via Developer Authenticated Identities.

The basic functions implemented are:

Passwords are not saved in clear in the database, but "salted" (via HMAC-SHA1) using a dedicated, random salt for each password.

Amazon SES is used to send all emails.

The login function is calling in the backend GetOpenIdTokenForDeveloperIdentity, a Cognito API to register (or retrieve) the IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process.

A sample implementation can be found at http://lambdauth.danilop.net.

License

Copyright (c) 2015 Danilo Poccia, http://danilop.net

This code is licensed under the The MIT License (MIT). Please see the LICENSE file that accompanies this project for the terms of use.

Installation

A sample installation script using Bash (init.sh) is provided to install and configure all necessary resources in your AWS account:

The init.sh script requires a configured AWS Command Line Interface (CLI) and the jq tool. The script is designed to be non destructive, so you can run it again (e.g. if you delete a role) without affecting the other resources.

Before running the init.sh script, set up your configuration in the config.json file:

{
  "AWS_ACCOUNT_ID": "123412341234",
  "CLI_PROFILE": "default",
  "REGION": "eu-west-1",
  "BUCKET": "bucket",
  "MAX_AGE": "10",
  "CRYPTO_BYTE_SIZE": 128,
  "DDB_TABLE": "LambdAuthUsers",
  "IDENTITY_POOL_NAME": "LambdAuth",
  "DEVELOPER_PROVIDER_NAME": "login.mycompany.myapp",
  "EXTERNAL_NAME": "My Authentication",
  "EMAIL_SOURCE": "email@example.com",
  "VERIFICATION_PAGE": "http://bucket.s3.amazonaws.com/verify.html",
  "RESET_PAGE": "http://bucket.s3.amazonaws.com/reset.html"
}

At the end of the init.sh script, you can start creating users pointing your browser to:

http://bucket.s3.amazonaws.com/index.html (replacing bucket with your bucket name)

As an optional step, you may want to configure Amazon S3 for Website Hosting and use Amazon CloudFront to distribute the static content.

A sample deployment script using Bash (deploy.sh) is provided to update the AWS Lambda functions and the sample HTML pages on the Amazon S3 bucket.

Usage

Sample HTML pages are provided to showcase how to use this framework with a JavaScript application:

The same use cases can be implemented on a Mobile device using the AWS Mobile SDK.

APIs

The APIs are exposed as AWS Lambda Functions:

FunctionInputOutput
LambdAuthCreateUseremail, passwordcreated: true / false
LambdAuthVerifyUseremail, verifyverified: true / false
LambdAuthLoginemail, passwordlogin: true / false, identityId, token
LambdAuthChangePasswordemail, oldPassword, newPasswordchanged: true / false
LambdAuthLostPasswordemailsent: true / false
LambdAuthResetPasswordemail, lost, passwordchanged: true / false