Passing Headers/Cookies between a MultiOrigin Cloudfront dist (S3 & API Gateway origins)

I have a multi-origin CloudFront distribution that has a S3 Origin (to a private S3 bucket) and a API Gateway origin. I have created behaviors to reference each origin, so when is called, the API Gateway is triggered.

I am using API gateway to handle authentication for my application. There are two methods, a GET which creates a SAML request and responds with a 302 (Location being the configured SSO url). After authentication, the SSO redirects to the POST method which verifies the responds and redirects back to the S3 origin of the Cloudfront path. I have a ViewerRequest lambda that checks for a JWT that is configured from the POST method.

My issue is that I can’t pass the JWT in the 302 redirect of the POST method. I have tried both using Set-Cookie and adding the token as the Authorization header in the 302 response. I have tried many configurations on the CloudFront settings and API Gateway settings. Does anyone have any insight. I can provide more clarity if needed. Currently I have gotten it working using query strings, but that is a security risk.

For anyone in a similar situation, this post has helped me find different approaches to try. Not completely working on my end, but it’s a start! How to send a cookie as a response?

I was able to figure it out. This was more of an issue with my lack of experience with Cookies rather than a serverless issue. In the POST method I respond with the following:
‘statusCode’: 303,
‘headers’: {
‘Location’: cloudFrontURL
‘Set-Cookie’: “authToken=” + token+ “; SameSite=None; Domain=”+cloudfront_redirect_url+"; Path=/; Secure;",
‘content-type’: “application/json”

1 Like