When configuring ALB OIDC authentication with an external IdP, the HTTP 500 error you're experiencing when the ALB tries to connect to the IdP's token endpoint could indeed be related to IP whitelisting issues.
Unfortunately, AWS doesn't provide specific IP ranges for ALB authentication traffic to IdP endpoints. This is because Application Load Balancers operate from a dynamic set of IP addresses that can change over time. Unlike some other AWS services, there isn't a published list of IP ranges specifically for ALB authentication outbound traffic.
Here's what you should check instead:
- Ensure your IdP's DNS entries for the token endpoint are publicly resolvable, even if they resolve to private IP addresses.
- Verify that the IdP endpoints' certificates are issued by a trusted public certificate authority.
- Make sure you've correctly configured all required OIDC parameters in your ALB setup:
  - Authorization endpoint URL
  - Token endpoint URL
  - User info endpoint URL
  - Client ID and client secret
  - Issuer URL (must be a full URL including HTTPS protocol, domain, and path)
- Check that you've configured the correct redirect URL in your IdP app: https://[your-ALB-DNS]/oauth2/idpresponse or https://[your-CNAME]/oauth2/idpresponse
- Instead of IP whitelisting, consider working with your IdP to allow access based on other authentication methods that don't rely on source IP addresses.
- Review your IdP's logs to understand the specific reason for the 500 error, which might provide more insight into the actual issue.
The ALB authentication flow requires the load balancer to communicate with the IdP's token endpoint after receiving the authorization grant code, so ensuring this communication path is open is essential for the authentication process to work correctly.
Sources
- Authenticate users using an Application Load Balancer - Elastic Load Balancing
- AuthenticateOidcActionConfig - Elastic Load Balancing
- Security best practices when using ALB authentication | Networking & Content Delivery
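The checklist above can be turned into a preflight script run before the listener rule is deployed. The following is an added example, not code from the answer above or from AWS: it takes the values you would place in the listener rule's AuthenticateOidcActionConfig (the field names Issuer, AuthorizationEndpoint, TokenEndpoint, UserInfoEndpoint, ClientId and ClientSecret are the real API field names), compares them against the IdP's OIDC discovery document, derives the redirect URIs that must be registered at the IdP, and offers a live DNS-plus-TLS check that fails under the same conditions the ALB would fail (unresolvable host, certificate not chained to a public CA). The discovery document, IdP hostname, and ALB DNS name below are constructed for illustration.

```python
"""Preflight checks for an ALB authenticate-oidc listener action.

Added example, not part of the original answer. The IdP discovery document
and hostnames are constructed sample data, not a real deployment.
"""
import socket
import ssl
from urllib.parse import urlparse

# Field names of the ELBv2 AuthenticateOidcActionConfig API type.
REQUIRED_FIELDS = (
    "Issuer", "AuthorizationEndpoint", "TokenEndpoint",
    "UserInfoEndpoint", "ClientId", "ClientSecret",
)

# ALB config field -> key in the IdP's /.well-known/openid-configuration document.
DISCOVERY_KEYS = {
    "Issuer": "issuer",
    "AuthorizationEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserInfoEndpoint": "userinfo_endpoint",
}

# Constructed sample discovery document (what GET <issuer>/.well-known/openid-configuration
# would return for a hypothetical IdP at idp.example.com).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/realms/app",
    "authorization_endpoint": "https://idp.example.com/realms/app/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/app/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/realms/app/protocol/openid-connect/userinfo",
}

# Constructed sample ALB configuration that is consistent with the document above.
# ClientSecret is a placeholder; in practice it comes from a secrets store, never source code.
SAMPLE_CONFIG = {
    "Issuer": "https://idp.example.com/realms/app",
    "AuthorizationEndpoint": "https://idp.example.com/realms/app/protocol/openid-connect/auth",
    "TokenEndpoint": "https://idp.example.com/realms/app/protocol/openid-connect/token",
    "UserInfoEndpoint": "https://idp.example.com/realms/app/protocol/openid-connect/userinfo",
    "ClientId": "alb-client",
    "ClientSecret": "PLACEHOLDER_CLIENT_SECRET",
}


def expected_redirect_uris(*hostnames):
    """Redirect URIs to register at the IdP: one per hostname users reach the ALB by
    (the ALB DNS name and every CNAME pointing at it)."""
    return [f"https://{host}/oauth2/idpresponse" for host in hostnames]


def validate_oidc_config(cfg, discovery):
    """Return a list of human-readable problems; an empty list means the
    configuration is complete and agrees with the IdP's discovery document."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not cfg.get(field):
            problems.append(f"{field} is missing or empty")
    for field, discovery_key in DISCOVERY_KEYS.items():
        value = cfg.get(field)
        if not value:
            continue  # already reported as missing above
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{field} must be a full https:// URL, got {value!r}")
        published = discovery.get(discovery_key)
        if published and published != value:
            problems.append(
                f"{field} {value!r} differs from the IdP discovery value {published!r}")
    return problems


def check_endpoint_reachable(url, timeout=5.0):
    """Live check (needs network; not exercised offline): resolve the endpoint's
    host through public DNS and complete a TLS handshake validated against the
    system trust store. Both must succeed for the ALB's back-channel call to the
    token endpoint to succeed. Returns the negotiated TLS version."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    addr = socket.gethostbyname(host)  # raises socket.gaierror if not resolvable
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for uri in expected_redirect_uris("my-alb-123.us-east-1.elb.amazonaws.com", "app.example.com"):
        print("register at IdP:", uri)
    issues = validate_oidc_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY)
    print("config problems:", issues or "none")
```

Run `validate_oidc_config` first; only when it returns an empty list is it worth calling `check_endpoint_reachable` on the token endpoint, since a scheme or hostname mismatch in the configuration would otherwise mask the DNS or certificate failure the original question is about.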
