We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request sent through the ALB gets an access token added in the `X-Amzn-Oidc-Data` header, which is good. However, for our WebSocket connection to the backend, we need to specify any relevant data in the `connectionParams` client-side. I see two possible solutions but I am not sure about the implementation:
- After logging in with the hosted UI, the `AWSELBAuthSessionCookie` is set in the browser. If I could exchange that client-side for an `access_token`, I could just add the token to the `connectionParams`. However, for the token endpoint I would need the `client_id` and the `client_secret`, but I just have the cookie at that point.
- Another approach might be to intercept the `onConnect` request via WebSockets in a reverse proxy behind the ALB, take the automatically added `X-Amzn-Oidc-Data` header and write it to the `connectionParams`. But I am somewhat out of my depth on WebSockets to know how to do that.
Could anyone help me with option 1 or 2?