3

I'm trying to implement authorization in my cloudfront distribution. It has worked so far until I ran into size limitation. I'm now running into the cloudfront error message Max allowed: 1048576, which is roughly ~1MB. But after installing the authlib package the total size is around 6MB. My method for validating tokens look roughly like this:

from authlib.jose import JsonWebToken

jwk = get_jwk()
claims_options = {
    "iss": {"essential": True, "value": ISSUER},
    "aud": {"essential": True, "value": AUDIENCE}
}
jwt = JsonWebToken()
claims = jwt.decode(token, jwk, claims_options=claims_options)
claims.validate()

The whole thing works beautifully until the size limitation.

My ideas to get around this are:

  1. Find another package than authlib that is smaller/more efficient.
  2. Write my own code which validates hash signature of JWT (get around the need for authlib package).
  3. Write the Lambda in javascript to leverage the NodeJSfunction, which according to docs are efficient in packaging the lambda. In the hopes of that its enough.

Perhaps there are more alternatives, but these are the ones I could come up with which are desirable in descending order. Requesting assistance on either of these options or perhaps totally different solution.

Frankster
  • 653
  • 7
  • 26
  • I think your question is too broad. Questions that ask for general guidance regarding a problem approach are typically are not a good fit for this site. Split your task into smaller ones and start working on them. And ask particular questions related to particular issues you encounter. Here's how: [how-to-ask](https://stackoverflow.com/help/how-to-ask) – itprorh66 Jan 17 '23 at 00:36

2 Answers2

1

The problem with authlib package is that a significant part of its size is cryptography dependency, which has compiled dependencies on its own. Here are few thought on how it can be approached.

Solution with less dependencies

One option to consider is trying out a more lightweight package like pyjwt. According to the documentation, pyjwt requires cryptography dependency if you want to encode or decode tokens using certain digital signature algorithms like RSA or ECDSA. This means that with a lightweight version of pyjwt (without cryptography dependency) you can use the HS256 algorithm, but not RSA or ECDSA. Without cryptography, pyjwt library should be below size limit.

I’m not an cryptography expert, but as I understand HS256-based JWT could be subject to a brute force or a dictionary attack. Therefore, it is recommended to use RS256 or ES256 algorithms instead, which are possible only with cryptography.

Solution with delegating jwt decoding to a different API

An interesting solution on how to use recommended algorithm is shown in this repository, where Lambda@Edge simply makes a request to another API that does not have such harsh limit on its size and can use cryptography without compromising security.

Another way to delegate jwt decoding would be to invoke a separate Lambda function. Current size quotas for a standard Lambda's deployment package is 50 MB for zipped archive and 250 MB for unzipped package, so you can easily use cryptography with authlib or pyjwt there. Please mind that invoking Lambda this way would be synchronous. You probably would also have to add "lambda:InvokeFunction" permission.

import json
from boto3 import client as boto3_client

lambda_client = boto3_client('lambda')

def lambda_handler(event, context):
    # ...
    response = lambda_client.invoke(
        FunctionName="another_lambda_",
        InvocationType='Event', # or 'RequestResponse' for sync request/response
        Payload=json.dumps(your_payload)
    )
    # ...
Pawel Kam
  • 1,684
  • 3
  • 14
  • 30
  • Turns out the pyjwt only added up to 50KB of additional packages. PyJWT therefore seems much more of a lightweight library. – Frankster Jan 20 '23 at 10:09
  • However, with the cryptography library the size went back up to 6MB. Need to look elsewhere for a solution. – Frankster Jan 20 '23 at 19:01
  • 1
    As I said, if you need `cryptography` dependency just delegate heavy lifting to another API, like in the second solution. – Pawel Kam Jan 20 '23 at 19:43
  • @Frankster I expanded the second solution by adding an exaple how to delegate jwt encoding/decoding to a standard Lambda function. – Pawel Kam Jan 21 '23 at 15:55
0

The python-jose module is small enough to be packaged into < 1MB function for Lambda@Edge. It has its own python-native implementation of RSA etc therefore does not require the cryptography dependency

Andy
  • 1