DEV Community: Akhan Zhakiyanov The latest articles on DEV Community by Akhan Zhakiyanov (@ahanoff). https://dev.to/ahanoff https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1367300%2F2dd90e5d-5b84-487b-a44e-07913c85efb1.png DEV Community: Akhan Zhakiyanov https://dev.to/ahanoff en Serverless OAuth2/OIDC server with OpenIddict 6 and RDS Aurora v2 Akhan Zhakiyanov Tue, 24 Dec 2024 09:30:00 +0000 https://dev.to/aws-builders/serverless-oauth2oidc-server-with-openiddict-6-and-rds-aurora-v2-4113 https://dev.to/aws-builders/serverless-oauth2oidc-server-with-openiddict-6-and-rds-aurora-v2-4113 <p>With the recent announcement of <a href="https://kevinchalet.com/2024/12/17/openiddict-6-0-general-availability/" rel="noopener noreferrer">OpenIddict 6</a> and <a href="https://aws.amazon.com/blogs/database/introducing-scaling-to-0-capacity-with-amazon-aurora-serverless-v2/" rel="noopener noreferrer">AWS Aurora Serverless v2's new scaling to zero capability</a>, we have a perfect opportunity to build a cost-effective, serverless OAuth2/OpenID Connect server.</p> <p>This setup will leverage AWS Lambda for compute and Aurora v2 PostgreSQL for storage, providing enterprise-grade security and scalability while maintaining optimal cost efficiency and only incurring cost when actually in use.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffu49iae5zlqdbb2fjzre.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffu49iae5zlqdbb2fjzre.png" alt="openiddict-serverless-with-aurora-v2-architecture" width="800" height="315"></a></p> <p>Let's start by creating a new solution for our OAuth2/OIDC server.</p> <h2> Prerequisites </h2> <p>Make sure you have the following tools installed:</p> <ul> <li><a href="https://dotnet.microsoft.com/en-us/download/dotnet/9" rel="noopener noreferrer">.NET 9 SDK</a></li> <li> <a href="https://aws.amazon.com/cli/" rel="noopener noreferrer">AWS CLI</a> and AWS programmatic credentials</li> <li> <a href="https://www.pulumi.com/docs/get-started/install/" rel="noopener noreferrer">Pulumi</a> to provision AWS infrastructure</li> </ul> <h3> ECR repository </h3> <p>Since AWS Lambda container image does not support other registries than ECR, we need to create an ECR repository and push a container image to it prior to lambda function creation.</p> <p>You can create an ECR repository manually with AWS CLI or using Pulumi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// index.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">awsx</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/awsx</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prefix</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">openiddict6-serverless</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">repository</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ecr</span><span class="p">.</span><span class="nc">Repository</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-ecr-repository`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`openiddict6-serverless`</span><span class="p">,</span> <span class="na">imageTagMutability</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IMMUTABLE</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr create-repository <span class="nt">--repository-name</span> openiddict6-serverless </code></pre> </div> <h2> OpenIddict 6 with ASP.NET Lambda hosting </h2> <blockquote> <p>Target framework is still .NET 8, because we are going to utilize <code>public.ecr.aws/lambda/dotnet:8</code> for our Lambda container image.</p> </blockquote> <p>Let's create a new solution called <code>OpenIddict.Serverless</code> and add a new ASP.NET API project to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet new sln <span class="nt">-n</span> OpenIddict.Serverless dotnet new webapi <span class="nt">-n</span> OpenIddict.Serverless.AuroraV2 <span class="nt">-f</span> net8.0 dotnet sln add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj </code></pre> </div> <p>Next, we need to add the necessary packages to our project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj package OpenIddict.AspNetCore <span class="c"># OpenIddict ASP.NET Core integration</span> dotnet add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj package OpenIddict.EntityFrameworkCore <span class="c"># OpenIddict EntityFrameworkCore integration</span> dotnet add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj package Npgsql.EntityFrameworkCore.PostgreSQL <span class="c"># PostgreSQL provider</span> dotnet add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj package Microsoft.EntityFrameworkCore.Design <span class="c"># to generate migrations</span> dotnet add OpenIddict.Serverless.AuroraV2/OpenIddict.Serverless.AuroraV2.csproj package Amazon.Lambda.AspNetCoreServer.Hosting <span class="c"># to host the API in AWS Lambda environment</span> </code></pre> </div> <p>OpenIddict 6 uses EF Core for its database migrations, so we need to add a DbContext to our project. This DbContext will be associated with OpenIddict's EF configuration.</p> <blockquote> <p>Altough not required, we are using <code>Guid</code> as a primary key type for OpenIddict entities.<br> <a href="https://documentation.openiddict.com/integrations/entity-framework-core#use-a-custom-primary-key-type" rel="noopener noreferrer">https://documentation.openiddict.com/integrations/entity-framework-core#use-a-custom-primary-key-type</a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// OpenIddictDbContext.cs</span> <span class="k">using</span> <span class="nn">Microsoft.EntityFrameworkCore</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">OpenIddict.Serverless.AuroraV2</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">OpenIddictDbContext</span> <span class="p">:</span> <span class="n">DbContext</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">OpenIddictDbContext</span><span class="p">()</span> <span class="p">{</span> <span class="p">}</span> <span class="k">public</span> <span class="nf">OpenIddictDbContext</span><span class="p">(</span><span class="n">DbContextOptions</span><span class="p">&lt;</span><span class="n">OpenIddictDbContext</span><span class="p">&gt;</span> <span class="n">options</span><span class="p">)</span> <span class="p">:</span> <span class="k">base</span><span class="p">(</span><span class="n">options</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">OnConfiguring</span><span class="p">(</span><span class="n">DbContextOptionsBuilder</span> <span class="n">optionsBuilder</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">optionsBuilder</span><span class="p">.</span><span class="n">IsConfigured</span><span class="p">)</span> <span class="p">{</span> <span class="n">optionsBuilder</span><span class="p">.</span><span class="nf">UseNpgsql</span><span class="p">();</span> <span class="n">optionsBuilder</span><span class="p">.</span><span class="n">UseOpenIddict</span><span class="p">&lt;</span><span class="n">Guid</span><span class="p">&gt;();</span> <span class="c1">// https://documentation.openiddict.com/integrations/entity-framework-core#use-a-custom-primary-key-type</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">...</span> <span class="c1">// appsettings.json </span> <span class="p">{</span> <span class="s">"ConnectionStrings"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"OpenIddictDbContext"</span><span class="p">:</span> <span class="s">"Host=localhost;Username=openiddict;Password=password;Database=openiddict"</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> <span class="p">...</span> <span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddDbContext</span><span class="p">&lt;</span><span class="n">OpenIddictDbContext</span><span class="p">&gt;(</span><span class="n">o</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">o</span><span class="p">.</span><span class="nf">UseNpgsql</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetConnectionString</span><span class="p">(</span><span class="s">"OpenIddictDbContext"</span><span class="p">));</span> <span class="n">o</span><span class="p">.</span><span class="n">UseOpenIddict</span><span class="p">&lt;</span><span class="n">Guid</span><span class="p">&gt;();</span> <span class="c1">// https://documentation.openiddict.com/integrations/entity-framework-core#use-a-custom-primary-key-type</span> <span class="p">});</span> </code></pre> </div> <p>Once we have the DbContext, we can generate OpenIddict database migrations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet ef migrations add AddOpenIddict6 <span class="nt">--context</span> OpenIddictDbContext </code></pre> </div> <p>After that the only thing left is to add OpenIddict server configuration to our project. </p> <p>For demo purposes we will use ephemeral singning and encryption keys, use client credentials flow and disable HTTPS requirement.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddOpenIddict</span><span class="p">()</span> <span class="p">.</span><span class="nf">AddCore</span><span class="p">(</span><span class="n">o</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">o</span><span class="p">.</span><span class="nf">UseEntityFrameworkCore</span><span class="p">()</span> <span class="p">.</span><span class="n">UseDbContext</span><span class="p">&lt;</span><span class="n">OpenIddictDbContext</span><span class="p">&gt;()</span> <span class="p">.</span><span class="n">ReplaceDefaultEntities</span><span class="p">&lt;</span><span class="n">Guid</span><span class="p">&gt;();</span> <span class="c1">// https://documentation.openiddict.com/integrations/entity-framework-core#use-a-custom-primary-key-type</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddServer</span><span class="p">(</span><span class="n">o</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">o</span><span class="p">.</span><span class="nf">SetTokenEndpointUris</span><span class="p">(</span><span class="s">"connect/token"</span><span class="p">);</span> <span class="n">o</span><span class="p">.</span><span class="nf">AllowClientCredentialsFlow</span><span class="p">();</span> <span class="n">o</span><span class="p">.</span><span class="nf">AddEphemeralEncryptionKey</span><span class="p">()</span> <span class="p">.</span><span class="nf">AddEphemeralSigningKey</span><span class="p">();</span> <span class="n">o</span><span class="p">.</span><span class="nf">UseAspNetCore</span><span class="p">()</span> <span class="p">.</span><span class="nf">DisableTransportSecurityRequirement</span><span class="p">()</span> <span class="c1">// disable HTTPs because we plan to use lambda with HTTP API Gateway</span> <span class="p">.</span><span class="nf">EnableTokenEndpointPassthrough</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Authorization controller </h3> <blockquote> <p><a href="https://documentation.openiddict.com/guides/getting-started/creating-your-own-server-instance" rel="noopener noreferrer">https://documentation.openiddict.com/guides/getting-started/creating-your-own-server-instance</a></p> </blockquote> <p>Authorization controller implementation has been copied from the <a href="https://documentation.openiddict.com/guides/getting-started/creating-your-own-server-instance" rel="noopener noreferrer">OpenIddict documentation</a> to simplify the setup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Security.Claims</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.IdentityModel.Tokens</span><span class="p">;</span> <span class="k">using</span> <span class="nn">OpenIddict.Abstractions</span><span class="p">;</span> <span class="k">using</span> <span class="nn">OpenIddict.Server.AspNetCore</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">OpenIddict.Serverless.AuroraV2.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">AuthorizationController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictApplicationManager</span> <span class="n">_applicationManager</span><span class="p">;</span> <span class="k">public</span> <span class="nf">AuthorizationController</span><span class="p">(</span><span class="n">IOpenIddictApplicationManager</span> <span class="n">applicationManager</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">_applicationManager</span> <span class="p">=</span> <span class="n">applicationManager</span><span class="p">;</span> <span class="p">[</span><span class="nf">HttpPost</span><span class="p">(</span><span class="s">"~/connect/token"</span><span class="p">),</span> <span class="nf">Produces</span><span class="p">(</span><span class="s">"application/json"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Exchange</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="n">HttpContext</span><span class="p">.</span><span class="nf">GetOpenIddictServerRequest</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="nf">IsClientCredentialsGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="c1">// Note: the client credentials are automatically validated by OpenIddict:</span> <span class="c1">// if client_id or client_secret are invalid, this action won't be invoked.</span> <span class="kt">var</span> <span class="n">application</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">FindByClientIdAsync</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">ClientId</span><span class="p">)</span> <span class="p">??</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">InvalidOperationException</span><span class="p">(</span><span class="s">"The application cannot be found."</span><span class="p">);</span> <span class="c1">// Create a new ClaimsIdentity containing the claims that</span> <span class="c1">// will be used to create an id_token, a token or a code.</span> <span class="kt">var</span> <span class="n">identity</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ClaimsIdentity</span><span class="p">(</span><span class="n">TokenValidationParameters</span><span class="p">.</span><span class="n">DefaultAuthenticationType</span><span class="p">,</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">Role</span><span class="p">);</span> <span class="c1">// Use the client_id as the subject identifier.</span> <span class="n">identity</span><span class="p">.</span><span class="nf">SetClaim</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span><span class="p">,</span> <span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">GetClientIdAsync</span><span class="p">(</span><span class="n">application</span><span class="p">));</span> <span class="n">identity</span><span class="p">.</span><span class="nf">SetClaim</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">GetDisplayNameAsync</span><span class="p">(</span><span class="n">application</span><span class="p">));</span> <span class="n">identity</span><span class="p">.</span><span class="nf">SetDestinations</span><span class="p">(</span><span class="k">static</span> <span class="n">claim</span> <span class="p">=&gt;</span> <span class="n">claim</span><span class="p">.</span><span class="n">Type</span> <span class="k">switch</span> <span class="p">{</span> <span class="c1">// Allow the "name" claim to be stored in both the access and identity tokens</span> <span class="c1">// when the "profile" scope was granted (by calling principal.SetScopes(...)).</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">Name</span> <span class="k">when</span> <span class="n">claim</span><span class="p">.</span><span class="n">Subject</span><span class="p">.</span><span class="nf">HasScope</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Permissions</span><span class="p">.</span><span class="n">Scopes</span><span class="p">.</span><span class="n">Profile</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">[</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Destinations</span><span class="p">.</span><span class="n">AccessToken</span><span class="p">,</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Destinations</span><span class="p">.</span><span class="n">IdentityToken</span><span class="p">],</span> <span class="c1">// Otherwise, only store the claim in the access tokens.</span> <span class="n">_</span> <span class="p">=&gt;</span> <span class="p">[</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Destinations</span><span class="p">.</span><span class="n">AccessToken</span><span class="p">]</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">SignIn</span><span class="p">(</span><span class="k">new</span> <span class="nf">ClaimsPrincipal</span><span class="p">(</span><span class="n">identity</span><span class="p">),</span> <span class="n">OpenIddictServerAspNetCoreDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">);</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">NotImplementedException</span><span class="p">(</span><span class="s">"The specified grant is not implemented."</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Publish OpenIddict 6 Lambda container image to ECR </h3> <blockquote> <p><a href="https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-reqs" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-reqs</a><br> Lambda provides multi-architecture base images. However, the image you build for your function must target only one of the architectures. Lambda does not support functions that use multi-architecture container images.</p> </blockquote> <p>Below is a Dockerfile that allows us to build image either for <code>arm64</code> or <code>x86_64</code> architecture.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile</span> <span class="k">FROM</span><span class="w"> </span><span class="s">--platform=$BUILDPLATFORM public.ecr.aws/lambda/dotnet:8</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">base</span> <span class="k">FROM</span><span class="w"> </span><span class="s">--platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">build</span> <span class="k">ARG</span><span class="s"> TARGETARCH</span> <span class="k">WORKDIR</span><span class="s"> /src</span> <span class="k">COPY</span><span class="s"> ["OpenIddict.Serverless.AuroraV2.csproj", "./"]</span> <span class="k">RUN </span>dotnet restore <span class="nt">--arch</span> <span class="nv">$TARGETARCH</span> <span class="s2">"OpenIddict.Serverless.AuroraV2.csproj"</span> <span class="k">WORKDIR</span><span class="s"> "/src/OpenIddict.Serverless.AuroraV2"</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>dotnet build <span class="nt">--arch</span> <span class="nv">$TARGETARCH</span> <span class="s2">"OpenIddict.Serverless.AuroraV2.csproj"</span> <span class="nt">--configuration</span> Release <span class="nt">--output</span> /app/build <span class="k">FROM</span><span class="w"> </span><span class="s">build</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">publish</span> <span class="k">RUN </span>dotnet publish <span class="s2">"OpenIddict.Serverless.AuroraV2.csproj"</span> <span class="se">\ </span> <span class="nt">--configuration</span> Release <span class="se">\ </span> <span class="nt">--arch</span> <span class="nv">$TARGETARCH</span> <span class="se">\ </span> <span class="nt">--output</span> /app/publish <span class="se">\ </span> <span class="nt">-p</span>:PublishReadyToRun<span class="o">=</span><span class="nb">true</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">final</span> <span class="k">WORKDIR</span><span class="s"> /var/task</span> <span class="k">COPY</span><span class="s"> --from=publish /app/publish .</span> <span class="k">CMD</span><span class="s"> ["OpenIddict.Serverless.AuroraV2"]</span> </code></pre> </div> <p>Login to ECR before building and pushing the image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># login to ECR</span> aws ecr get-login-password <span class="nt">--region</span> ap-southeast-1 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="nv">$ECR_REPOSITORY_URL</span> </code></pre> </div> <p>Make sure to replace <code>$ECR_REPOSITORY_URL</code> with the actual URL of your ECR repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># build and push amd64 image</span> docker build <span class="nt">--platform</span> linux/amd64 <span class="nt">-t</span> <span class="nv">$ECR_REPOSITORY_URL</span>:1.0.0-amd64 <span class="nb">.</span> docker push <span class="nv">$ECR_REPOSITORY_URL</span>:1.0.0-amd64 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># build and push arm64 image</span> docker build <span class="nt">--platform</span> linux/arm64 <span class="nt">-t</span> <span class="nv">$ECR_REPOSITORY_URL</span>:1.0.0-arm64 <span class="nb">.</span> docker push <span class="nv">$ECR_REPOSITORY_URL</span>:1.0.0-arm64 </code></pre> </div> <h2> Infrastructure setup with Pulumi </h2> <blockquote> <pre class="highlight shell"><code>Error: fork/exec /lambda-entrypoint.sh: <span class="nb">exec </span>format error Runtime.InvalidEntrypoint </code></pre> <p>In this example we are using <code>arm64</code> architecture for the Lambda function.<br> Make sure lambda architecture matches the architecture of the container image you are using. Otherwise you will get <code>Runtime.InvalidEntrypoint</code> error.</p> </blockquote> <p>Let's create the remaining AWS infrastructure using Pulumi.</p> <p>This setup will create a VPC with public, private and isolated subnets, security groups for both the database and Lambda function, and an Aurora Serverless v2 cluster with scaling to zero configuration. </p> <p>The Lambda function will be configured to use the VPC and security groups, and an HTTP API Gateway will be created to expose the OAuth2/OIDC server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// index.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">pulumi</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/pulumi</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">aws</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/aws</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">awsx</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/awsx</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ManagedPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/aws/iam</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nc">Config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">dbClusterMasterPassword</span> <span class="o">=</span> <span class="nx">config</span><span class="p">.</span><span class="nf">requireSecret</span><span class="p">(</span><span class="dl">"</span><span class="s2">db-cluster-master-password</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">prefix</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">openiddict6-serverless</span><span class="dl">"</span> <span class="c1">// created previously</span> <span class="kd">const</span> <span class="nx">repository</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ecr</span><span class="p">.</span><span class="nc">Repository</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-ecr-repository`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">imageTagMutability</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IMMUTABLE</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-vpc`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cidrBlock</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10.0.0.0/16</span><span class="dl">"</span><span class="p">,</span> <span class="na">numberOfAvailabilityZones</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="p">{</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Single</span><span class="dl">'</span> <span class="p">},</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnetStrategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Auto</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetSpecs</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">Private</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">private</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">Public</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">Isolated</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">isolated</span><span class="dl">"</span><span class="p">,</span> <span class="p">}</span> <span class="p">],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-vpc`</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">dbSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-sg`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-sg`</span><span class="p">,</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Security group for Aurora database</span><span class="dl">"</span><span class="p">,</span> <span class="na">ingress</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">protocol</span><span class="p">:</span> <span class="dl">"</span><span class="s2">tcp</span><span class="dl">"</span><span class="p">,</span> <span class="na">fromPort</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">toPort</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">cidrBlocks</span><span class="p">:</span> <span class="p">[</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">cidrBlock</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-sg`</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">dbSubnetGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nc">SubnetGroup</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-subnet-group`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-subnet-group`</span><span class="p">,</span> <span class="na">subnetIds</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">isolatedSubnetIds</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-db-subnet-group`</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">dbCluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nc">Cluster</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-aurora-v2`</span><span class="p">,</span> <span class="p">{</span> <span class="na">engine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">aurora-postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">engineVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">databaseName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openiddict</span><span class="dl">"</span><span class="p">,</span> <span class="na">masterUsername</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openiddict</span><span class="dl">"</span><span class="p">,</span> <span class="na">masterPassword</span><span class="p">:</span> <span class="nx">dbClusterMasterPassword</span><span class="p">,</span> <span class="na">serverlessv2ScalingConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">minCapacity</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="c1">// Can scale to zero</span> <span class="na">maxCapacity</span><span class="p">:</span> <span class="mi">1</span> <span class="c1">// Max 0.5 ACU</span> <span class="p">},</span> <span class="na">skipFinalSnapshot</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">vpcSecurityGroupIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">dbSecurityGroup</span><span class="p">.</span><span class="nx">id</span><span class="p">],</span> <span class="na">dbSubnetGroupName</span><span class="p">:</span> <span class="nx">dbSubnetGroup</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">replicationSourceIdentifier</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">copyTagsToSnapshot</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">storageEncrypted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">allowMajorVersionUpgrade</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">writerInstance</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nc">ClusterInstance</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-aurora-v2-writer`</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterIdentifier</span><span class="p">:</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">instanceClass</span><span class="p">:</span> <span class="dl">'</span><span class="s1">db.serverless</span><span class="dl">'</span><span class="p">,</span> <span class="na">engine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">aurora-postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">engineVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-aurora-v2-writer`</span><span class="p">,</span> <span class="na">Role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">writer</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">readerInstance</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nc">ClusterInstance</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-aurora-v2-reader`</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterIdentifier</span><span class="p">:</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">instanceClass</span><span class="p">:</span> <span class="dl">'</span><span class="s1">db.serverless</span><span class="dl">'</span><span class="p">,</span> <span class="na">engine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">aurora-postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">engineVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-aurora-v2-reader`</span><span class="p">,</span> <span class="na">Role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">reader</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-sg`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-sg`</span><span class="p">,</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Security group for Lambda function</span><span class="dl">"</span><span class="p">,</span> <span class="na">egress</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">protocol</span><span class="p">:</span> <span class="dl">"</span><span class="s2">-1</span><span class="dl">"</span><span class="p">,</span> <span class="na">fromPort</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">toPort</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">cidrBlocks</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">0.0.0.0/0</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda`</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-role`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-role`</span><span class="p">,</span> <span class="na">managedPolicyArns</span><span class="p">:</span> <span class="p">[</span> <span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nx">AWSLambdaBasicExecutionRole</span> <span class="p">],</span> <span class="na">assumeRolePolicy</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span><span class="p">,</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">Service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lambda.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}],</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaVpcPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nc">RolePolicy</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-role-policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda-role-policy`</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">lambdaRole</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">ec2:CreateNetworkInterface</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ec2:DescribeNetworkInterfaces</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ec2:DeleteNetworkInterface</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ec2:DescribeInstances</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ec2:AttachNetworkInterface</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="p">}],</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-lambda`</span><span class="p">,</span> <span class="p">{</span> <span class="na">packageType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Image</span><span class="dl">"</span><span class="p">,</span> <span class="na">imageUri</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">interpolate</span><span class="s2">`</span><span class="p">${</span><span class="nx">repository</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2">:1.0.0-arm64`</span><span class="p">,</span> <span class="na">architectures</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">arm64</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// imageUri: pulumi.interpolate`${repository.url}:1.0.0-amd64`,</span> <span class="na">architectures</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">x86_64</span><span class="dl">'</span><span class="p">],</span> <span class="na">role</span><span class="p">:</span> <span class="nx">lambdaRole</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">memorySize</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="na">ConnectionStrings__OpenIddictDbContext</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">interpolate</span><span class="s2">`Host=</span><span class="p">${</span><span class="nx">dbCluster</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">}</span><span class="s2">;Username=openiddict;Password=</span><span class="p">${</span><span class="nx">dbClusterMasterPassword</span><span class="p">}</span><span class="s2">;Database=openiddict`</span> <span class="p">},</span> <span class="p">},</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetIds</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnetIds</span><span class="p">,</span> <span class="na">securityGroupIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">lambdaSecurityGroup</span><span class="p">.</span><span class="nx">id</span><span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">apigatewayv2</span><span class="p">.</span><span class="nc">Api</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-http-api`</span><span class="p">,</span> <span class="p">{</span> <span class="na">protocolType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HTTP</span><span class="dl">"</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaPermission</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">lambda</span><span class="p">.</span><span class="nc">Permission</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-api-lambda-permission`</span><span class="p">,</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lambda:InvokeFunction</span><span class="dl">"</span><span class="p">,</span> <span class="na">function</span><span class="p">:</span> <span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">principal</span><span class="p">:</span> <span class="dl">"</span><span class="s2">apigateway.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">sourceArn</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">interpolate</span><span class="s2">`</span><span class="p">${</span><span class="nx">api</span><span class="p">.</span><span class="nx">executionArn</span><span class="p">}</span><span class="s2">/*/*`</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">integration</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">apigatewayv2</span><span class="p">.</span><span class="nc">Integration</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-api-lambda-integration`</span><span class="p">,</span> <span class="p">{</span> <span class="na">apiId</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">integrationType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS_PROXY</span><span class="dl">"</span><span class="p">,</span> <span class="na">integrationUri</span><span class="p">:</span> <span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="na">integrationMethod</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ANY</span><span class="dl">"</span><span class="p">,</span> <span class="na">payloadFormatVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dbEndpoint</span> <span class="o">=</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">apiEndpoint</span> <span class="o">=</span> <span class="nx">api</span><span class="p">.</span><span class="nx">apiEndpoint</span><span class="p">;</span> </code></pre> </div> <p>After running <code>pulumi up</code> you will get <code>apiEndpoint</code> to test the OAuth2/OIDC server.</p> <h2> Testing </h2> <h3> Database migrations </h3> <blockquote> <p>Since Aurora Serverless v2 cluster is in isolated subnets, as a workaround we will create a new API method that will be used to apply database migrations and seed demo client.<br> This is done for demo purposes only.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// DbController.cs</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">OpenIddict.Abstractions</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">OpenIddict.Serverless.AuroraV2.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">DbController</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictApplicationManager</span> <span class="n">_applicationManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">OpenIddictDbContext</span> <span class="n">_dbContext</span><span class="p">;</span> <span class="k">public</span> <span class="nf">DbController</span><span class="p">(</span><span class="n">IOpenIddictApplicationManager</span> <span class="n">applicationManager</span><span class="p">,</span> <span class="n">OpenIddictDbContext</span> <span class="n">dbContext</span><span class="p">)</span> <span class="p">{</span> <span class="n">_applicationManager</span> <span class="p">=</span> <span class="n">applicationManager</span><span class="p">;</span> <span class="n">_dbContext</span> <span class="p">=</span> <span class="n">dbContext</span><span class="p">;</span> <span class="p">}</span> <span class="c1">/// &lt;summary&gt;</span> <span class="c1">/// For demo purpose only</span> <span class="c1">/// This API needs to be called before trying to obtain access token with OAuth2 flows</span> <span class="c1">/// It ensures that database is created, db migrations are applied, and seeds demo client</span> <span class="c1">/// &lt;/summary&gt;</span> <span class="c1">/// &lt;param name="ct"&gt;&lt;/param&gt;</span> <span class="c1">/// &lt;returns&gt;&lt;/returns&gt;</span> <span class="p">[</span><span class="nf">HttpPost</span><span class="p">(</span><span class="s">"/seed-database"</span><span class="p">),</span> <span class="nf">Produces</span><span class="p">(</span><span class="s">"application/json"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">SeedDatabaseAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">ct</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_dbContext</span><span class="p">.</span><span class="n">Database</span><span class="p">.</span><span class="nf">EnsureCreatedAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">FindByClientIdAsync</span><span class="p">(</span><span class="s">"serverless-demo"</span><span class="p">,</span> <span class="n">ct</span><span class="p">)</span> <span class="k">is</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">CreateAsync</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictApplicationDescriptor</span> <span class="p">{</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="s">"serverless-demo"</span><span class="p">,</span> <span class="n">ClientSecret</span> <span class="p">=</span> <span class="s">"serverless-demo-secret"</span><span class="p">,</span> <span class="n">Permissions</span> <span class="p">=</span> <span class="p">{</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Permissions</span><span class="p">.</span><span class="n">Endpoints</span><span class="p">.</span><span class="n">Token</span><span class="p">,</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Permissions</span><span class="p">.</span><span class="n">GrantTypes</span><span class="p">.</span><span class="n">ClientCredentials</span> <span class="p">}</span> <span class="p">},</span> <span class="n">ct</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">CreatedResult</span><span class="p">(</span><span class="s">"/seed-database"</span><span class="p">,</span> <span class="k">new</span> <span class="p">{</span> <span class="n">clientId</span> <span class="p">=</span> <span class="s">"serverless-demo"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Testing Lambda function locally </h3> <p>Codebase provides a <code>docker-compose.yml</code> file to test the Lambda function locally.<br> Since Lambda function is configured to use HTTP API Gateway as a trigger, we need to create a request payload that matches the API Gateway request format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">--build</span> <span class="nt">-d</span> <span class="nt">--wait</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">----------------------------------------"</span> curl <span class="nt">-X</span> POST <span class="s2">"http://0.0.0.0:5085/2015-03-31/functions/function/invocations"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"version":"2.0","routeKey":"$default","rawPath":"/seed-database","headers":{},"requestContext":{"accountId":"123456789012","apiId":"api-id","domainName":"id.execute-api.us-east-1.amazonaws.com","domainPrefix":"id","http":{"method":"POST","path":"/seed-database","protocol":"HTTP/1.1","sourceIp":"192.168.0.1/32","userAgent":"agent"},"requestId":"id","routeKey":"$default","stage":"$default","time":"12/Mar/2020:19:03:58 +0000","timeEpoch":1583348638390},"body":"","isBase64Encoded":false}'</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">----------------------------------------"</span> curl <span class="nt">-X</span> POST <span class="s2">"http://0.0.0.0:5085/2015-03-31/functions/function/invocations"</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="nt">-d</span> <span class="s1">'{"version":"2.0","routeKey":"$default","rawPath":"/connect/token","headers":{"Content-Type":"application/x-www-form-urlencoded","Accept":"application/json","Host":"localhost:5085"},"requestContext":{"http":{"method":"POST","path":"/connect/token"}},"body":"grant_type=client_credentials&amp;client_id=serverless-demo&amp;client_secret=serverless-demo","isBase64Encoded":false}'</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">----------------------------------------"</span> docker-compose down </code></pre> </div> <h3> Testing with HTTP API Gateway </h3> <p>Make sure to replace <code>&lt;api-id&gt;</code> and <code>&lt;region&gt;</code> with your actual API Gateway ID and region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"https://&lt;api-id&gt;.execute-api.&lt;region&gt;.amazonaws.com/seed-database"</span> <span class="c"># response example</span> <span class="o">{</span> <span class="s2">"clientId"</span>: <span class="s2">"serverless-demo"</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">----------------------------------------"</span> curl <span class="nt">-X</span> POST <span class="s2">"https://&lt;api-id&gt;.execute-api.&lt;region&gt;.amazonaws.com/connect/token"</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/x-www-form-urlencoded"</span> <span class="nt">-d</span> <span class="s2">"grant_type=client_credentials&amp;client_id=serverless-demo&amp;client_secret=serverless-demo-secret"</span> <span class="c"># response example</span> <span class="o">{</span> <span class="s2">"access_token"</span>: <span class="s2">"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiJJOE9QU09XSFNHVlZTNlRUVjhOS1FLU1ZIVUctVy1XTVhfVTUxR0QtIiwidHlwIjoiYXQrand0IiwiY3R5IjoiSldUIn0.P0aL3MBvyJGaVqy7XXOd1EFbzM8GzT3s695GKUsYZJKkSGALWtyByAB4AO1diIMlC8ZNo2n78PXJkOYToVDgY55wm9f7OekmDiEw6WINvtWldCc8XmNYcBFGSZP-4NLaViKRz1Dl5VI8MpgJmUpapSOIiiLdrLkHFX3pTp-lGSHVmYWl7KJou-DlCUJtPkF12WgU74_BLhNbhNbFDrne4-8zn014VSL53uUY9uM-YDqGDxKIG-_ujVbWePyPmjhV97S45hBHyEqj1eAe8tqkmQYrriIRIp-jeKNogDaW21V-QEaU6GAqsBFzWwMRRN9LEFbGBwKJdFngC1sVmgXKog.Sm7zoG6VP0kgRlgeQJo3kw.IW2m0tvDhVfp_55ba8EicfiT2PYMOobArJWqgSDabuqFC9jBkMJzExZgLnqbWWQd4KX6iCbFNB1COcCm64jdYSMmSY-B9dvDE8p-8m-_CBtuuwS7EmAyfkN42WDeoCtcg9N1Fl6Uvt4RemZ-PaeqNSIkAnLiL0PsynEXZjfTtdHGRAsfDRe-qAwJ_HhbnTFY5s3iZv15Lg25QBAINHL_lWUkDcIPQM_G2oQ14vanB_efGMIqOyt9HmUZ990WbQe4fGTEjr6Wt6rOIzpJewoYNONqRjI2h5YgD1csxYbu9La7GkVR_0xvgRum2PDRNaF0j41t-Gp1CHqFsfqboThAC298jRmB3Gd-Gt-RM9bz4xcpfEpdHA5q4pE4xAOhkQsRSuupVr95z0nddAevcSV3JQsRoymmEr59-OmWOoy5JwFBp72CCXUkTt3ok8rZ7iu0Xz9bgNI3OJc83W878vMO5B48UHE2Cp3ZgJiL7FLPALQUPVf0uRDz0yYbBxs0H8AkmoCZULGIw1fH4eiTV_CMTBO8x6pgpLX2hsnDvxj8WFHn_DxncnqhTm6aLFQycjyel4OuUhruCUZO8z7YIyqR1Mn1T7QzyOQgu5QVXTNWi3rCOwELRZFQvNq6xOiOuv-wa5IdPv93Te96fi-SIjQ4tnZacd4VlqcXH_cDXgaHY3XNtUc4GPziE6WnuwxF0xAaAfwybiMLMa3Irg20vnwKMs80fVfb7KggHqcWYv-feeNI8OQRf0ooNgqtX0mKcVPPFYk51ZupGcqeTMuF7Or5u4OJ5kUGUS9bvVAuqCXLxwXUJE1ORkjy7hvpQVxPht24eDWafDnpaAP2KORmoDo8TLBg8h-VUYO1gijDqDGTwZ92u73nWYV9movingHQTSNEUhUeDGDCAhmJYDm6dbfStSQ0vM1TCUIojCR6t6D-MDlVKVtL4siMbAUsWTu92Ap99aZW_4XCvV7PyrFpW4qFnvkVu5HBTD2-agvka12cZrNxNA9VJo-B5LR_IqmRazmZQJjRbmdYp5MGcrn7HQCrO4bspaTsBhMxAiiLtqS5nz3kuOhNJLIQOt-AV7dU-aoxeIOFAhqSSsr_OvYkomUazw.73ztJsNH15MKq2NiYusuSCdJwO0M1YKkNabHD7UlKEk"</span>, <span class="s2">"token_type"</span>: <span class="s2">"Bearer"</span>, <span class="s2">"expires_in"</span>: 3600 <span class="o">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>By leveraging AWS Aurora Serverless v2's scaling to zero feature and OpenIddict 6's robust OAuth2/OIDC implementation, we've created a serverless OAuth2 server that only incurs costs when actually in use.</p> <p>This setup provides us full control over the infrastructure and can be easily converted back to a traditional setup with ECS or EKS and RDS for Postgres or even other cloud / on-premises solutions.</p> <blockquote> <p>Full source code is available on <a href="https://github.com/ahanoff/how-to/tree/main/openiddict-6-serverless-with-aws-aurora-v2" rel="noopener noreferrer">GitHub</a>.</p> </blockquote> serverless oauth aspnet openiddict