AWS ALB Cognito OIDC authentication with Authorization Header vs API Gateway

We are using API Gateway for almost all our services; however, due to its limitations (timeout, payload, etc.) we are unable to use it for all of them. We have integrated Cognito with ALB; however, the same requests that work for API Gateway (just with the Authorization header) don't work with ALB. I expected that ALB would be able to validate the header, similarly to API Gateway; however, it seems like it works on sessions instead and is not able to validate the token.

The one other solution that I see is to just move the whole authorization flow to the application, and allow all the traffic to the application from ALB (maybe add some custom header for additional protection and block some traffic on the ALB side and not on the application side), but I do not see any way to do it on the ALB side (maybe some token hacking?).

Are there any other ways to tackle this problem? We cannot have people log in with sessions through one ALB, with the hundreds of microservices and hundreds of API Gateways running on multiple accounts.
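
As an added example (not part of the original post): one way the application behind the ALB could validate the Cognito bearer token itself, which is the option the question raises. The issuer, client ID, key and `sign` helper are constructed for the demo; RSA verification uses integer math only to stay dependency-free, where a service would normally use a JWT library and the pool's published JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed test values (assumptions): issuer, client id, and a throwaway RSA
# key from two Mersenne primes. Real keys: <issuer>/.well-known/jwks.json.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
JWKS = {"test-kid": (N, E)}  # kid -> (modulus, exponent)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding for a k-byte modulus
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(claims, alg="RS256"):  # test helper only: mints a token
    head = b64e(json.dumps({"alg": alg, "kid": "test-kid"}).encode())
    body = b64e(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big")
    return f"{head}.{body}." + b64e(pow(m, D, N).to_bytes(k, "big"))

def verify_bearer(header_value, now=None):
    """Return the claims of a valid Cognito access token, else raise ValueError."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head, body, sig = token.split(".")
    hdr = json.loads(b64d(head))
    if hdr.get("alg") != "RS256" or hdr.get("kid") not in JWKS:
        raise ValueError("unexpected alg or unknown kid")  # blocks alg=none
    n, e = JWKS[hdr["kid"]]
    raw, signed = b64d(sig), f"{head}.{body}".encode()
    s, k = int.from_bytes(raw, "big"), (n.bit_length() + 7) // 8
    em = pow(s, e, n).to_bytes(k, "big")
    if len(raw) != k or s >= n or not hmac.compare_digest(em, emsa(signed, k)):
        raise ValueError("bad signature")
    c = json.loads(b64d(body))
    # Access tokens carry client_id (not aud) and token_use == "access".
    fixed = (c.get("iss"), c.get("token_use"), c.get("client_id"))
    if fixed != (ISSUER, "access", CLIENT_ID) or c.get("exp", 0) <= (now or time.time()):
        raise ValueError("claims rejected")
    return c
```
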

No answers
