Reputation: 91
I cannot get ALB to check the /userinfo endpoint after receiving access_token, refresh_token and id_token to it
I'm trying to authenticate users with Amazon ALB and django_oidc_provider. I have set the load balancer authentication on the ALB side and tested all OIDC endpoints (all are accessible and returning valid results). When I try to authenticate I'm presented with django's login view, I successfully authenticate, but on return from django's oidc/token endpoint I get 401 Unauthorized on the oauth2/idpresponse page of the load balancer.
If I try to use Cognito and federated django_oidc_provider I also successfully log in and on return from authorize to oauth2/idpresponse I'm getting 500 server error with message: Exception processing authorization code. It seems to me that ALB is not able to read my response but when I check it everything is formatted as in documentation and jwt is ok.
By looking at logs it seems that the load balancer never checks the token and userinfo endpoints once it receives access_token, refresh_token and id_token from the authorization endpoint.
I would like to understand how load balancer interprets this response in order to try to figure out what is wrong with it.
This is the token endpoint response:
{
'access_token': 'd90623245e474ee0b23a0a9ca062ba74',
'refresh_token': '4d439d3249e64cbe9975310f84431c25',
'token_type': 'Bearer',
'expires_in': 3600,
'id_token': 'eyJ... clipped ...uS9FSA'
}
And this is the JWT (id_token) decoded:
{
"iss": "http://******/openid",
"sub": "4",
"aud": "170710",
"exp": 1564065189,
"iat": 1564064589,
"auth_time": 1564063978,
"at_hash": "KR6H0NlP_UQMXB1jDnpj-g",
"email": "*****@*********.com"
}
I have clipped out sensitive data of course.
Can you please suggest what is the next thing I should check in order to try to resolve this?
Upvotes: 0
Views: 2734
Reputation: 91
Resolved. The URL was extracted from the request itself and it was for some reason converting https to http, making .well-known/openid-configuration invalid.
Upvotes: 0
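A small diagnostic for the failure described in the answer above, added here as an example and not code from either poster: it applies the checks a relying party such as ALB makes on an id_token (https issuer, issuer equal to the discovery document's `issuer`, `aud` equal to the client_id, `exp`, and `at_hash` against the access_token) and reports which one fails. The claims, discovery document, access token and client_id below are constructed values modelled on the question, not the poster's real data.

```python
import base64
import hashlib
import time
from urllib.parse import urlparse

# Constructed client_id modelled on the "aud" claim in the question.
CLIENT_ID = "170710"


def at_hash(access_token: str) -> str:
    """OIDC at_hash for a SHA-256 based alg (RS256/HS256):
    base64url, without padding, of the left 128 bits of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode()).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()


def check_alb_claims(claims, discovery, access_token, client_id=CLIENT_ID, now=None):
    """Return the reasons a relying party would reject this id_token (empty = OK).

    `discovery` is the parsed <issuer>/.well-known/openid-configuration document;
    here it is passed in so the check runs offline. `aud` is compared as a single
    string, which is what the question's token carries."""
    now = time.time() if now is None else now
    problems = []
    iss = claims.get("iss", "")
    if urlparse(iss).scheme != "https":
        # The root cause in the answer above: the OP built its issuer URL from
        # the incoming request and the scheme was downgraded to http.
        problems.append(f"issuer {iss!r} is not https")
    if iss != discovery.get("issuer"):
        problems.append("id_token iss does not match discovery 'issuer'")
    if claims.get("aud") != client_id:
        problems.append("aud does not match client_id")
    if claims.get("exp", 0) <= now:
        problems.append("id_token expired")
    if "at_hash" in claims and claims["at_hash"] != at_hash(access_token):
        problems.append("at_hash does not match access_token")
    return problems


def demo():
    """Reproduce the reported failure with constructed values, then the fix."""
    token = "d90623245e474ee0b23a0a9ca062ba74"  # constructed access_token
    discovery = {"issuer": "https://op.example/openid"}
    good = {"iss": "https://op.example/openid", "aud": CLIENT_ID,
            "exp": 2_000_000_000, "at_hash": at_hash(token)}
    broken = dict(good, iss="http://op.example/openid")  # scheme downgraded
    return (check_alb_claims(broken, discovery, token, now=1_000_000_000),
            check_alb_claims(good, discovery, token, now=1_000_000_000))
```

Running `demo()` yields two problems for the http issuer (wrong scheme and a mismatch against the discovery document) and none once the issuer is https again.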