Salesforce can configured as an IDP:

Salesforce can act as a single sign-on (SSO) identity provider to service providers, allowing end users to easily and securely access many web and mobile applications with one login. When using SAML for federated authentication, enable Salesforce as an identity provider and then set up connected apps. However, the OpenID Connect protocol for SSO authentication doesn’t require enabling Salesforce as an identity provider.

However on their main help page, they only explain SAML flows and all the examples are SAML based.

UPDATE: Found the OAuth2/OpenID Connect docs!

Ah... looks like we're dependent on #41

Let's keep this issue open as a next step once the referenced issue is resolved.

I've been working on this since yesterday morning. I'd be happy to share what I've got so far if either of you have some time to take a look, I'm getting an error from Cloudfront saying that Lambda either doesn't have permissions or the function is invalid. I'm like 95% sure that the function is invalid, but I'm new to AWS (this is my first project in AWS) and can't figure out how to see any logs. My scenario is also unique in that I really only care for the first response from salesforce saying that they are valid users, and I'm not trying to hit their API anymore after that. I know its a long shot, but this is all I'm going to be doing for the next hour, so @payton or @uriahcarpenter let me know if you've got some time and would like to team up and see what we can get done.

@dougglez If you didn't already find it, there is a method for testing Lambdas described in the wiki -- https://github.com/Widen/cloudfront-auth/wiki/Debug-&-Test

@dougglez Let us know if you have any issues after running the tests

@dougglez Just following up on this issue. Any updates on your end?