Reputation: 1160
We are trying to integrate AWS ALB with Cognito user pool. We have set up rules in ALB to authenticate the user with a Cognito client. After webapp authentication, a session cookie is set. This is all good.
Now, we have a desktop application which internally connects with Cognito, gets an access token JWT and manages it (refresh etc.). Now, we are trying to fire HTTP requests to ALB with this access token as the Authorization header. ALB redirects these requests to the Cognito login page again, instead of validating (and allowing) the JWT present in the Auth header.
What we expect is that if a request contains a valid Auth header (JWT), ALB should first validate it and then allow it, if successfully authenticated. It seems ALB does not check the Auth header. How can we achieve this with ALB?
Additionally, is it possible for desktop app to work directly with ALB (instead of Cognito) and use Session ID instead of JWT/Access Token?
Upvotes: 2
Views: 3001
Reputation: 4516
I'm going to assume that you've followed the instructions here and have set up a single listener rule with actions `authenticate-cognito` and `forward`.
If yes, then I believe that the best solution is to add a higher priority rule that has a host header condition.
If you do this, the authorization code on your back-end will have to look for both the `Authorization` and `x-amzn-oidc-accesstoken` headers.
Upvotes: 0
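An added example (not code from the question or the answer above) of what the back-end side of that split looks like: browser requests that went through the `authenticate-cognito` action arrive with `x-amzn-oidc-accesstoken`, while the desktop client matched by the higher-priority host-header rule arrives with `Authorization: Bearer <token>`. The issuer URL, app client id and the sample token are constructed placeholders; the claim pre-checks are deliberately separate from, and no replacement for, RS256 signature verification against the user pool JWKS.

```python
import base64
import json

# Placeholders constructed for this example; replace with the real user pool issuer and app client id.
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"


def extract_access_token(headers):
    """Return (source, token). Browser requests that passed the ALB's authenticate-cognito
    action carry the token in x-amzn-oidc-accesstoken; the desktop client, matched by the
    higher-priority host-header rule, sends Authorization: Bearer <token>."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = lower.get("authorization", "")
    scheme, _, bearer = auth.partition(" ")
    bearer = bearer.strip()
    if auth and (scheme.lower() != "bearer" or not bearer):
        raise ValueError("Authorization header is not a Bearer token")
    alb_token = lower.get("x-amzn-oidc-accesstoken")
    if bearer and alb_token and bearer != alb_token:
        raise ValueError("conflicting tokens in the two headers")  # refuse rather than guess
    if bearer:
        return "authorization", bearer
    if alb_token:
        return "x-amzn-oidc-accesstoken", alb_token
    raise ValueError("no access token present")


def precheck_claims(token, now):
    """Cheap claim checks on a Cognito access token at epoch time `now`. Not a substitute
    for verifying the RS256 signature against the user pool JWKS, which must succeed
    before any claim returned here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if claims.get("token_use") != "access":
        raise ValueError("not an access token (token_use)")
    if claims.get("iss") != USER_POOL_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("client_id") != APP_CLIENT_ID:
        raise ValueError("unexpected client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired or missing exp")
    return claims


def constructed_sample_token(payload):
    """UNSIGNED sample token for offline demonstration only (constructed, not from Cognito)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "kid": "example"})}.{enc(payload)}.no-signature'
```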