Retrieve access token after logging in to ALB with Cognito

We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request sent through the ALB gets an access token added in the X-Amzn-Oidc-Data header, which is good. However, for our websocket connection to the backend, we need to specify any relevant data in the connectionParams client-side. I see two possible solutions but I am not sure about the implementation:

  1. After logging in with the hosted UI, the AWSELBAuthSessionCookie is set in the browser. If I could exchange that client-side for an access_token, I could just add the token to the connectionParams. However, for the token endpoint, I would need the client_id and the client_secret, but I just have the cookie at that point.
  2. Another approach might be to intercept the onConnect request via websockets in a reverse proxy behind the ALB and take the automatically added header X-Amzn-Oidc-Data and write it to the connectionParams. But I am somewhat out of my depth on websocket to know how to do that.

Could anyone help me with option 1 or 2?

No answers
