@@ -7,18 +7,16 @@ import {
77 UserPoolResourceServer ,
88 CfnUserPoolUser ,
99} from "aws-cdk-lib/aws-cognito" ;
10- import { LogGroup , RetentionDays } from "aws-cdk-lib/aws-logs" ;
1110import { Secret } from "aws-cdk-lib/aws-secretsmanager" ;
1211import {
1312 RestApi ,
1413 Cors ,
15- LambdaIntegration ,
14+ MockIntegration ,
1615 AuthorizationType ,
1716 DomainName ,
1817 BasePathMapping ,
18+ PassthroughBehavior ,
1919} from "aws-cdk-lib/aws-apigateway" ;
20- import { Runtime } from "aws-cdk-lib/aws-lambda" ;
21- import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs" ;
2220import { HostedZone } from "aws-cdk-lib/aws-route53" ;
2321import { ARecord , RecordTarget } from "aws-cdk-lib/aws-route53" ;
2422import { ApiGatewayDomain } from "aws-cdk-lib/aws-route53-targets" ;
@@ -292,30 +290,7 @@ export class McpAuthStack extends cdk.Stack {
292290 target : RecordTarget . fromAlias ( new ApiGatewayDomain ( customDomain ) ) ,
293291 } ) ;
294292
295- // Create Lambda function to proxy and enrich Cognito's OpenID configuration
296- const oauthMetadataLambdaLogGroup = new LogGroup ( this , "LogGroup" , {
297- retention : RetentionDays . ONE_DAY ,
298- removalPolicy : cdk . RemovalPolicy . DESTROY ,
299- } ) ;
300-
301- const oauthMetadataLambda = new NodejsFunction (
302- this ,
303- "oauth-auth-server-metadata-function" ,
304- {
305- runtime : Runtime . NODEJS_22_X ,
306- handler : "handler" ,
307- memorySize : 256 ,
308- timeout : cdk . Duration . seconds ( 30 ) ,
309- logGroup : oauthMetadataLambdaLogGroup ,
310- description :
311- "Lambda function to proxy and enrich Cognito's OpenID configuration for MCP compatibility" ,
312- environment : {
313- COGNITO_OPENID_CONFIG_URL : `${ userPool . userPoolProviderUrl } /.well-known/openid-configuration` ,
314- } ,
315- }
316- ) ;
317-
318- // Create API Gateway
293+ // Create API Gateway with MOCK integration for redirect
319294 const api = new RestApi ( this , "OAuthApiGateway" , {
320295 restApiName : `OAuth endpoint for MCP Auth` ,
321296 description : "OAuth APIs for MCP Auth, behind a custom domain" ,
@@ -326,16 +301,9 @@ export class McpAuthStack extends cdk.Stack {
326301 stageName : "prod" ,
327302 throttlingRateLimit : 1 ,
328303 throttlingBurstLimit : 5 ,
329- // TODO re-enable if bot-driven Lambda requests get more expensive than the
330- // cheapest API Gateway cache ($14.60 / month).
331- //
332- // All responses from this API GW are static (.well-known endpoints)
333- // and contents can be cached for a long time
334- //cachingEnabled: true,
335- //cacheTtl: cdk.Duration.hours(1),
336304 } ,
337305 deploy : true ,
338- cloudWatchRole : false , // no logging for this example
306+ cloudWatchRole : false ,
339307 } ) ;
340308
341309 // Map the custom domain to the API Gateway
@@ -345,79 +313,38 @@ export class McpAuthStack extends cdk.Stack {
345313 stage : api . deploymentStage ,
346314 } ) ;
347315
348- // Add the required path for OAuth metadata discovery to the API Gateway
316+ // Redirect OAuth discovery endpoint to Cognito's OpenID configuration
349317 const wellKnownResource = api . root . addResource ( ".well-known" ) ;
350318 const oauthServerResource = wellKnownResource . addResource (
351319 "oauth-authorization-server"
352320 ) ;
353- const openidConfigResource = wellKnownResource . addResource (
354- "openid-configuration"
355- ) ;
356-
357- const lambdaIntegration = new LambdaIntegration ( oauthMetadataLambda ) ;
358-
359- const oauthMetadataMethod = oauthServerResource . addMethod (
360- "GET" ,
361- lambdaIntegration ,
362- {
363- authorizationType : AuthorizationType . NONE ,
364- }
365- ) ;
366-
367- const openidConfigMethod = openidConfigResource . addMethod (
368- "GET" ,
369- lambdaIntegration ,
370- {
371- authorizationType : AuthorizationType . NONE ,
372- }
373- ) ;
374-
375- // Add NAG suppressions
376- NagSuppressions . addResourceSuppressions ( api , [
377- {
378- id : "AwsSolutions-APIG2" ,
379- reason : "Request validation is handled by Lambda function" ,
380- } ,
381- ] ) ;
382-
383- NagSuppressions . addResourceSuppressions ( api . deploymentStage , [
384- {
385- id : "AwsSolutions-APIG1" ,
386- reason : "Access logging is not enabled for this example" ,
387- } ,
388- {
389- id : "AwsSolutions-APIG3" ,
390- reason : "WAF is not enabled for this example" ,
391- } ,
392- {
393- id : "AwsSolutions-APIG6" ,
394- reason : "CloudWatch logging is not enabled for this example" ,
395- } ,
396- ] ) ;
397-
398- NagSuppressions . addResourceSuppressions ( oauthMetadataMethod , [
399- {
400- id : "AwsSolutions-APIG4" ,
401- reason : "OAuth discovery endpoint must be unauthenticated per RFC 8414" ,
402- } ,
403- {
404- id : "AwsSolutions-COG4" ,
405- reason : "OAuth discovery endpoint must be unauthenticated per RFC 8414" ,
406- } ,
407- ] ) ;
408321
409- NagSuppressions . addResourceSuppressions ( openidConfigMethod , [
410- {
411- id : "AwsSolutions-APIG4" ,
412- reason :
413- "OpenID Connect discovery endpoint must be unauthenticated per RFC 8414" ,
322+ oauthServerResource . addMethod ( "GET" , new MockIntegration ( {
323+ passthroughBehavior : PassthroughBehavior . NEVER ,
324+ requestTemplates : {
325+ "application/json" : '{"statusCode": 302}' ,
414326 } ,
415- {
416- id : "AwsSolutions-COG4" ,
417- reason :
418- "OpenID Connect discovery endpoint must be unauthenticated per RFC 8414" ,
419- } ,
420- ] ) ;
327+ integrationResponses : [
328+ {
329+ statusCode : "302" ,
330+ responseParameters : {
331+ "method.response.header.Location" : `'${ userPool . userPoolProviderUrl } /.well-known/openid-configuration'` ,
332+ "method.response.header.Access-Control-Allow-Origin" : "'*'" ,
333+ } ,
334+ } ,
335+ ] ,
336+ } ) , {
337+ authorizationType : AuthorizationType . NONE ,
338+ methodResponses : [
339+ {
340+ statusCode : "302" ,
341+ responseParameters : {
342+ "method.response.header.Location" : true ,
343+ "method.response.header.Access-Control-Allow-Origin" : true ,
344+ } ,
345+ } ,
346+ ] ,
347+ } ) ;
421348
422349 // Stack outputs
423350 new cdk . CfnOutput ( this , "AuthorizationServerUrl" , {
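Review bot: The new MOCK method at new lines 322-347 is unauthenticated (`AuthorizationType.NONE`), yet the `NagSuppressions` entries for AwsSolutions-APIG4/COG4 on the method and APIG1/APIG3/APIG6 on the stage are dropped without replacement, so if cdk-nag is still attached to this stack (its import and aspect are outside the hunk) synth will now fail on exactly the findings the old code suppressed; capture the return of `addMethod` and re-add them, e.g. `const method = oauthServerResource.addMethod("GET", ...)` followed by `NagSuppressions.addResourceSuppressions(method, [{ id: "AwsSolutions-APIG4", reason: "OAuth discovery endpoint must be unauthenticated per RFC 8414" }, { id: "AwsSolutions-COG4", reason: "OAuth discovery endpoint must be unauthenticated per RFC 8414" }]);`. Separately, `PassthroughBehavior.NEVER` with only an `application/json` request template means a client that sends the GET with a non-JSON Content-Type would receive a 415 from API Gateway instead of the redirect; if that is intended, state it in the comment. The comment on new line 316 should also record that clients now receive Cognito's OpenID configuration unmodified (the enrichment the removed Lambda performed no longer happens) and that RFC 8414 §3.2 specifies a 200 response for the metadata document, so clients that do not follow redirects will fail discovery. The enclosing McpAuthStack constructor continues outside the hunk.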