juanp_1982

Reputation: 1007

ALB complains about cognito

I'm trying to connect an Application Load Balancer to AWS Cognito, and everything seems right except that when I try to save the changes I get this error: "The user pool client must have a client secret". I googled it but didn't find anything useful.

I was able to test the Cognito Authentication UI successfully (I think...) so I don't understand why AWS would complain about the user pool client.

So the question is: has anyone run into this problem before, and if so, how did you solve it?

EDIT:

Basically, what I have done is: on one side I configured Cognito to work only with Google OAuth (I removed the Amazon default one), and on the other side I have created an Application Load Balancer with multiple rules; each rule points to a different target group, and each target group is a Docker application running on Kubernetes (aka EKS). All those applications have a different kind of authentication, or none at all. So the idea is to add a rule in the ALB to authenticate users using Cognito. The problem is that after adding all the required parameters, just when I'm about to save all those new changes, I get the error "The user pool client must have a client secret". I googled that exact sentence and I don't get anything except the posts that I posted in other places.

thanks for your time!

Upvotes: 3

Views: 3137

Answers (2)

callo

Reputation: 1622

An app client secret is required for the app client you create in Cognito. You cannot add an app client secret to an existing app client, but you can simply create a new one and leave the "generate secret" box ticked (which it is by default).

This is required as it's an additional level of security of the OAuth standard that the Cognito and ALB integration implements. The 'authorization code' that is returned to the ALB after authenticating with Cognito will then be exchanged by the ALB with Cognito for tokens. This exchange will require the secret, and as the ALB is the only application that knows the secret, it makes this more secure.

Upvotes: 2
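The exchange callo describes, as an added example that is not part of either answer: a confidential OAuth 2.0 client (the ALB) redeems the authorization code at the Cognito token endpoint, presenting the client secret in an HTTP Basic header rather than in the browser-visible redirect, plus a small check that tells you whether an existing app client has a secret at all (the condition behind the "must have a client secret" error). Standard library only; the domain, client ID, secret and authorization code are constructed placeholders, the `/oauth2/idpresponse` callback path is the one the ALB uses per the AWS documentation, and `exchange_code` is the only function that touches the network.

```python
# Added example (not from the question or answers): how a confidential client such
# as the ALB exchanges an authorization code for tokens at Cognito's /oauth2/token
# endpoint, and how to check whether an app client has a secret. Sample values are
# constructed placeholders, not real Cognito identifiers.
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def has_client_secret(describe_response):
    """Return True if a describe-user-pool-client response carries a ClientSecret.

    `describe_response` is the JSON returned by
    `aws cognito-idp describe-user-pool-client` (or boto3's describe_user_pool_client).
    An app client created without "Generate client secret" has no ClientSecret key,
    which is exactly the configuration the ALB authenticate action rejects.
    """
    client = describe_response.get("UserPoolClient", {})
    return bool(client.get("ClientSecret"))


def build_token_request(cognito_domain, client_id, client_secret, code, redirect_uri):
    """Assemble the authorization-code grant request the ALB sends to Cognito.

    The secret travels in an HTTP Basic Authorization header (client_secret_basic),
    never in the query string the browser sees, so an authorization code captured
    from the redirect cannot be redeemed without the secret the ALB holds.
    Returns (url, headers, body) without sending anything.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return f"https://{cognito_domain}/oauth2/token", headers, body


def exchange_code(cognito_domain, client_id, client_secret, code, redirect_uri):
    """Perform the exchange for real (requires network access and real Cognito values)."""
    url, headers, body = build_token_request(
        cognito_domain, client_id, client_secret, code, redirect_uri)
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)  # id_token, access_token, refresh_token, expires_in


# Constructed samples of describe-user-pool-client output for an app client created
# with and without "Generate client secret" (placeholder values).
SAMPLE_WITH_SECRET = {
    "UserPoolClient": {"ClientId": "a1b2c3d4e5f6g7h8i9j0k1l2m3",
                       "ClientSecret": "placeholder-client-secret"},
}
SAMPLE_WITHOUT_SECRET = {
    "UserPoolClient": {"ClientId": "a1b2c3d4e5f6g7h8i9j0k1l2m3"},
}

if __name__ == "__main__":
    for label, sample in (("with secret", SAMPLE_WITH_SECRET),
                          ("without secret", SAMPLE_WITHOUT_SECRET)):
        print(f"app client {label}: usable by ALB = {has_client_secret(sample)}")
    # The ALB's callback URL is always https://<ALB DNS name>/oauth2/idpresponse.
    url, headers, body = build_token_request(
        "auth.example.com", "a1b2c3d4e5f6g7h8i9j0k1l2m3", "placeholder-client-secret",
        "constructed-auth-code", "https://my-alb.example.com/oauth2/idpresponse")
    print(url)
    print(headers["Authorization"])
    print(body)
```

Run it as-is to see the request shape; feed `has_client_secret` the real output of `aws cognito-idp describe-user-pool-client` to confirm which of your app clients the ALB can use. Keep this app client separate from any browser-side client: a secret only protects anything when it stays on a server the user never reaches, which is why a public web client (such as one configured through Amplify) is created without one.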

Robin Varghese

Reputation: 1179

In order to make AWS Cognito work properly, you need a few basic configurations. Please see the code extract from Amplify (the AWS dev library for Cognito).

import Amplify, { Auth } from 'aws-amplify';

Amplify.configure({
    Auth: {

        // REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
        identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',

        // REQUIRED - Amazon Cognito Region
        region: 'XX-XXXX-X',

        // OPTIONAL - Amazon Cognito Federated Identity Pool Region
        // Required only if it's different from Amazon Cognito Region
        identityPoolRegion: 'XX-XXXX-X',

        // OPTIONAL - Amazon Cognito User Pool ID
        userPoolId: 'XX-XXXX-X_abcd1234',

        // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
        userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',

        // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
        mandatorySignIn: false,

        // OPTIONAL - Configuration for cookie storage
        // Note: if the secure flag is set to true, then the cookie transmission requires a secure protocol
        cookieStorage: {
            // REQUIRED - Cookie domain (only required if cookieStorage is provided)
            domain: '.yourdomain.com',
            // OPTIONAL - Cookie path
            path: '/',
            // OPTIONAL - Cookie expiration in days
            expires: 365,
            // OPTIONAL - Cookie secure flag
            // Either true or false, indicating if the cookie transmission requires a secure protocol (https).
            secure: true
        },

        // OPTIONAL - customized storage object
        // MyStorage is a placeholder for your own storage implementation; omit this key to keep Amplify's default
        storage: new MyStorage(),

        // OPTIONAL - Manually set the authentication flow type. Default is 'USER_SRP_AUTH'
        authenticationFlowType: 'USER_PASSWORD_AUTH'
    }
});

// You can get the current config object
const currentConfig = Auth.configure();

Upvotes: 0
