
I am trying to decode some JWT tokens using Python 3 and AWS Lambda@Edge.

Here are the limitations and restrictions:

There is a list of libraries available on

One of the problems that I am facing is that there are only two Python libraries on jwt.io which are less than 1MB when zipped: python-jose (573KB) and pyJWT (42KB).

Python-jose accepts PEM certificates to verify JWT claims (works locally, but not on AWS Lambda). Here is the issue: https://github.com/mpdavis/python-jose/issues/133

The solution to the issue with Python-jose which I am experiencing on AWS Lambda is to install the library/package "cryptography", but this package is itself 3.6MB, which won't work out with AWS Lambda.

The problem with pyJWT is that it does not accept PEM certificates, so another package is required to get that to work, which breaks one of our limits.

So the question and challenge is: How can I verify JWT claims from Firebase tokens in Python 3 without having to install any third party libraries above 1MB in size?

JamesRicky

2 Answers

The 1MB limit applies to Viewer Request triggers that execute on every request before CloudFront checks cache or forwards to the origin. If your function is configured as an Origin Request, the code limit is the same as normal Lambda functions: 50MB.

Given that, my recommendation would be to re-evaluate whether you want Viewer vs. Origin request.

See:

bimsapi

I just answered a similar question. @bimsapi's notes about the differences between Viewer request and Origin request are valid, but I don't think that would be the best way to handle this kind of problem. It would be best if we could stop unauthorized access before it reaches the CloudFront cache. Operating at the CloudFront Origin level would expose our cache to unauthorized clients.

(Image: Lambda@Edge diagram)

As stated in AWS' blog post:

There are several benefits to using Lambda@Edge for authorization operations. First, performance is improved by running the authorization function using Lambda@Edge closest to the viewer, reducing latency and response time to the viewer request. The load on your origin servers is also reduced by offloading CPU-intensive operations such as verification of JSON Web Token (JWT) signatures. Finally, there are security benefits such as filtering out unauthorized requests before they reach your origin infrastructure.

If so, we still have the problem of either a lack of the desired algorithms or dependencies that are too big, like the cryptography library.

An interesting solution to that was used in this project. Lambda@Edge can just request JWT validation from another API (like this one), which isn't under the same size restrictions as L@E.

Pawel Kam
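The delegation pattern described in this answer, as an added Python example that is not code from the answer or from the linked project: a Lambda@Edge viewer-request handler that extracts the bearer token, forwards it to an external validation API, and returns a 401 unless that API accepts it, so unverified requests never reach the CloudFront cache. The validator URL and its {"token": ...} request / {"valid": true} response contract are assumptions, and `handler` takes an injectable `validate` callable so the flow can be exercised without network access.

```python
import json
import urllib.error
import urllib.request

# Hypothetical validator endpoint; the page links to an external API but
# this URL and its request/response shape are assumptions.
VALIDATION_URL = "https://auth.example.com/validate"

def extract_bearer_token(request):
    """Return the bearer token from a CloudFront request record, or None."""
    auth = request.get("headers", {}).get("authorization")
    if not auth:
        return None
    scheme, _, token = auth[0].get("value", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def remote_validate(token, url=VALIDATION_URL, timeout=2):
    """Ask the (assumed) validator API; True only on HTTP 200 with {"valid": true}."""
    req = urllib.request.Request(
        url, data=json.dumps({"token": token}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and json.load(resp).get("valid") is True
    except (urllib.error.URLError, ValueError, OSError):
        return False  # any error or timeout fails closed

def unauthorized(reason):
    """Generated 401 response in the shape Lambda@Edge expects."""
    return {
        "status": "401",
        "statusDescription": "Unauthorized",
        "headers": {"www-authenticate": [
            {"key": "WWW-Authenticate", "value": 'Bearer error="invalid_token"'}]},
        "body": json.dumps({"error": reason}),
    }

def handler(event, context=None, validate=remote_validate):
    """Viewer-request handler: pass the request through only if the token validates."""
    request = event["Records"][0]["cf"]["request"]
    token = extract_bearer_token(request)
    if token is None:
        return unauthorized("missing bearer token")
    if not validate(token):
        return unauthorized("token rejected by validator")
    return request
```

Returning the request object unchanged lets CloudFront continue to the cache or origin; returning the 401 dict short-circuits the request at the edge.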