# A Serverless API that Validates JWTs

- Repository: https://github.com/curityio/serverless-zero-trust-api (GitHub, TypeScript, Apache-2.0 license)
- Description: Zero trust in OAuth 2.0 lambdas, using self-contained JWTs containing full certificate details
- Homepage: https://curity.io/resources/learn/self-contained-jwts/
- Topics: api, claims, code-example, jwt-validation, lambda, oauth2, scopes, self-contained-jwt, serverless, zero-trust
- Created 2021-08-27; last pushed 2024-07-08

[![Quality](https://img.shields.io/badge/quality-experiment-red)](https://curity.io/resources/code-examples/status/)
[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)

Some Serverless / Cloud Native APIs are recreated on every API request and cannot cache token signing keys.\
This code example shows how to do token validation using public key details embedded in the JWT header. Because anyone can place a key in a JWT header, the API must first verify that the embedded certificate chains to a root it already trusts, and only then use that key to check the token signature.

## Example API

The sample uses a trivial lambda function that returns a hard coded response.\
Every call to the lambda validates a JWT, as part of a [Zero Trust Architecture](https://curity.io/solutions/zero-trust).

```yaml
functions:
  getDataFunction:
    handler: dist/getDataFunction.handler
    events:
      - http:
          path: /data
          method: get
```

## Prerequisites

- Run the `createCerts.sh` script, which uses OpenSSL to create a local certificate trust chain for testing.

## Run the Lambda

Run the lambda via the following commands, to execute the certificate chain handling code:

- `npm install`
- `npm run build`
- `npm start`

This will result in an error response, because the certificate chain in the header of the access token stored in `data/request.json` does not chain to the locally created trust root, so the `x5c` check fails before any signature or claims validation is attempted:

```
SERVER-ERROR-LOG: x5c certificate chain verification failed : forge.pki.UnknownCertificateAuthority : Certificate is not trusted.
{
    "status": 401,
    "body": "{\"code\":\"unauthorized\",\"message\":\"Missing, invalid or expired access token\"}"
}
```

## Get a Valid Access Token

Follow the [Code Example Walkthrough](https://curity.io/resources/learn/serverless-zero-trust-api) to configure the Curity Identity Server.\
Run the `setup.sh` script to renew the access token in `data/request.json`.\
Then run the lambda again. It will output the token claims to the console and return a success lambda response:

```
{
  jti: 'b075a8ec-9555-480f-b0bf-aa5fc3dc4f88',
  delegationId: '7b4f1bce-59da-47d1-98e2-660c9e5008a6',
  exp: 1630088873,
  nbf: 1630088573,
  scope: 'read',
  iss: 'https://login.curity.local/oauth/v2/oauth-anonymous',
  sub: '607ad1f66f06563478c433dd15825eabb5ddfd8ad67cbbf60d5ec0c97164f173',
  aud: 'api.example.com',
  iat: 1630088573,
  purpose: 'access_token'
}
{
    "status": 200,
    "body": "{\"message\":\"API successfully validated the JWT and verified x509 certificate trust\"}"
}
```

## Security Behavior

The code example provides the following main classes:

- `TrustChainValidator` shows how to verify that the token signing X509 details contained in the JWT header chain to a trusted root certificate
- `TokenValidator` shows how to continue with standard JWT validation (signature and claims) once that trust has been established

Three scenarios are covered:

- Validating the full trust chain received in the `x5c` array field of the JWT header
- Validating the full trust chain received in the `jwk` object field of the JWT header
- Identifying a certificate from the `x5t` thumbprint in the JWT header

## Libraries

- The [Node Forge](https://github.com/digitalbazaar/forge) PKI library is used to verify X509 certificate details
- The [Jose](https://github.com/panva/jose) library is then used to validate the JWT

## Further Information

Please visit [curity.io](https://curity.io/) for more information about the Curity Identity Server.
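The Security Behavior section above describes the `x5c` flow in prose only. The following is an added example written for this page, not code from the curityio project (which is TypeScript and uses node-forge and jose); it uses Go's standard library `crypto/x509` to show the same two steps on a constructed test PKI: the API side first verifies the `x5c` chain from the JWT header against a root it holds, and only then uses the leaf certificate's key for the RS256 signature check and claim checks. The function names (`makeCert`, `issueToken`, `validateToken`, `buildDemo`), the certificate subjects and the sample claims are assumptions for the demonstration; the issuer and audience values mirror the README's sample claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert issues a 24h certificate for cn, signed by parent or self-signed when parent is nil
// (constructed test PKI for this example only, so errors are ignored).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueToken builds an RS256 JWT whose header carries the signing chain in x5c (leaf first, each
// entry the standard base64 of the DER, as RFC 7515 specifies).
func issueToken(claims map[string]any, chain []*x509.Certificate, leafKey *rsa.PrivateKey) string {
	x5c := make([]string, len(chain))
	for i, c := range chain {
		x5c[i] = base64.StdEncoding.EncodeToString(c.Raw)
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256", "typ": "JWT", "x5c": x5c})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// validateToken is the API side: first establish trust in the x5c chain against roots the API
// holds, and only then use the leaf key for the signature and claims checks. Trusting the
// embedded key without the chain check would let anyone mint acceptable tokens with their own key.
func validateToken(token string, roots *x509.CertPool, aud string) (map[string]any, error) {
	h, rest, _ := strings.Cut(token, ".") // a fourth segment leaves a "." in s, which fails base64url below
	p, s, _ := strings.Cut(rest, ".")
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(h)
	body, e2 := base64.RawURLEncoding.DecodeString(p)
	sig, e3 := base64.RawURLEncoding.DecodeString(s)
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, fmt.Errorf("token must be a well-formed RS256 JWT with an x5c chain in the header")
	}
	chain, inter := []*x509.Certificate{}, x509.NewCertPool()
	for i, v := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(v)
		cert, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("x5c entry %d is not a DER certificate", i)
		}
		chain = append(chain, cert)
		inter.AddCert(cert) // untrusted until Verify links it to a root the API holds
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("x5c certificate chain verification failed: %w", err)
	}
	pub, ok := chain[0].PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256([]byte(h + "." + p))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under the leaf certificate key")
	}
	var claims map[string]any
	if json.Unmarshal(body, &claims) != nil || claims["aud"] != aud {
		return nil, fmt.Errorf("malformed claims or audience mismatch")
	}
	if exp, _ := claims["exp"].(float64); exp <= float64(time.Now().Unix()) {
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// buildDemo constructs a root -> intermediate -> leaf chain (constructed test data) and returns the
// API's trust pool plus a token signed by the leaf with [leaf, intermediate] in its x5c header.
func buildDemo() (*x509.CertPool, string) {
	root, rootKey := makeCert("Test Root CA", true, nil, nil)
	inter, interKey := makeCert("Test Intermediate CA", true, root, rootKey)
	leaf, leafKey := makeCert("token-signer", false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	claims := map[string]any{"iss": "https://login.curity.local/oauth/v2/oauth-anonymous", "aud": "api.example.com", "scope": "read", "exp": time.Now().Add(5 * time.Minute).Unix()}
	return roots, issueToken(claims, []*x509.Certificate{leaf, inter}, leafKey)
}
```

A token from a self-signed signer that does not sit below the API's root fails at chain verification, with the same shape of error as the README's first run (node-forge reports `UnknownCertificateAuthority`; Go's `Verify` reports `x509: certificate signed by unknown authority`), before the signature is ever examined. A tampered payload passes the chain check and then fails the signature check. The `x5t` thumbprint scenario from the README is not shown here; in that case the API must already hold the certificate the thumbprint identifies, since a thumbprint alone carries no key.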