Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!
How do I set up an Application Load Balancer to authenticate users through an Amazon Cognito user pool?
I want to integrate an Application Load Balancer with an Amazon Cognito user pool for user authentication.
Short description
To set up user authentication with an Application Load Balancer and an Amazon Cognito user pool, complete the following steps:
- Create an Application Load Balancer.
- Get the DNS name of your Application Load Balancer.
- Create and configure an Amazon Cognito user pool.
- Configure the Application Load Balancer.
- Test the setup.
Resolution
Create an Application Load Balancer
Note: If you already configured an Application Load Balancer, then proceed to the Get the DNS name of your Application Load Balancer section.
Complete the following steps:
Note: Only HTTPS listeners support the authenticate-cognito and authenticate-oidc rule action types.
Get the DNS name of your Application Load Balancer
Complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- In the navigation pane, under Load Balancing, choose Load Balancers.
- Select your Application Load Balancer.
- On the Details tab, note your load balancer's DNS name to use in a later step.
Create and configure an Amazon Cognito user pool
Complete the following steps:
- Open the Amazon Cognito console.
- In the navigation pane, choose Create a user pool.
Note: When you create the user pool, configure the settings that you want for production. After you create the user pool, you can't change some user pool settings. For more information, see How do I change the attributes of an Amazon Cognito user pool after creation? - Configure an app client for your user pool.
When you configure the app client, select the Generate a client secret radio button. For more information, see Prepare to use Amazon Cognito. - In the navigation pane, choose User pools, and then select your user pool. Note the User pool ID to use in a later step.
- Choose the App integration tab for your user pool, and then add a domain for your user pool.
- On the App integration tab for your user pool, select your app client in the App clients and analytics section.
- On the App client page, under App client information, note the Client ID to use in a later step.
- In the Hosted UI section, choose Edit.
- Choose Add callback URL, and then enter https://load-balancer-dns-name/oauth2/idpresponse with your DNS name. If you used a CNAME record to map a custom domain to your Application Load Balancer, then enter https://CNAME/oauth2/idpresponse with your custom domain name.
Note: The DNS name can't contain uppercase letters. - Choose Add sign-out URL, and then enter a URL that you want to redirect your users to after they sign out. To test the redirect, you can enter any valid URL, such as https://example.com/.
- For Identity providers, select Cognito user pool.
- Under OAuth 2.0 grant types, select Authorization code grant. Select additional OAuth grant types for your use case.
- Under OpenID Connect scopes, select OpenID. The OpenID scope returns an ID token. Select additional OpenID Connect (OIDC) scopes for your use case.
- Choose Save changes.
For more information, see Updating user pool and app client configuration and User pool sign-in with third party identity providers.
Configure your Application Load Balancer
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, under Load Balancing, choose Load Balancers.
- Select your Application Load Balancer.
- On the Listeners and rules tab, select the HTTPS protocol.
- Choose Manage rules, and then choose Edit rules.
- In the Listeners rules section, select the default rule that you want to update.
- Choose Action, and then choose Edit rules.
- Configure the following settings for the HTTPS listener default rule:
For Authentication, select Use OpenID or Amazon Cognito.
For Identity provider, choose Amazon Cognito.
For the User pool, select your User pool ID.
For the App client, select your Client ID.
Expand Advanced authentication settings.
Name the Session cookie.
Set the Session timeout. The default value is 7 days.
For Scope, enter the scopes that you configured for your user pool app client, separated by spaces. You can find the scopes in your user pool's OIDC configuration. For example, if the scopes_supported value is ["openid","email","phone","profile"], then enter openid email phone profile.
For Action on unauthenticated request, keep the default value.
(Optional) Expand Extra request parameters - optional to add parameters to an identity provider, such as Cognito, during authentication. For example, if the Cognito user pool has Google as its own identity provider, then you can add an extra parameter {Key: identity_provider, Value: Google}. For more information about the request parameters, see Request parameters.
For Routing actions, choose Forward to target group, and then choose target groups.
(Optional) For Target group stickiness, choose Turn on target group stickiness when your use case requires it. - Configure the following secure listener settings:
For Security policy, choose the security policy that's appropriate for your use case.
For Default SSL/TLS server certificate, choose your certificate source. - Choose Save changes.
Test the setup
In your web browser, enter one of the following URLs:
- https://load-balancer-dns-name/
- https://CNAME/
Note: Replace load-balancer-dns-name with your DNS name and CNAME with your custom domain.
When you enter the URL, you're redirected to the Amazon Cognito hosted web UI for your user pool. After users sign in and the user pool authenticates them, the users are redirected to the target.
Related information
Getting started with Application Load Balancers
Simplify login with Application Load Balancer built-in authentication
- Tags
- Amazon Cognito
- Language
- English
hi, I follow your step , and 401 happens https://repost.aws/questions/QUOe7yyg4uQYmKFzSqXR8FYw/401-authorization-required-when-forwarding-to-the-callback-url-assign-in-the-cognito what's the matter? thanks
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
How do I do it without Amazon Cognito hosted web UI? I would like to use the tokens that my users get via AWS Amplify for authentication purpose without triggering the hosted web UI. My users should be already logged in via Aws Amplify before triggering this ALB + target group (lambda) endpoint.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I posted a question here regarding my comment above. It would be great if you can answer it there. Thank you! https://repost.aws/questions/QUeZZFwnAeSeSP1IcexNhgEA/how-do-i-set-up-an-application-load-balancer-to-authenticate-users-through-an-amazon-cognito-user-pool-without-using-cognito-hosted-web-ui
This is working in us-east-1 region but when we deployed it in ap-southest-1 (sydney) region it gives error "Cannot GET /oauth2/idpresponse" for "https://CNAME/oauth2/idpresponse?code=XXXX064b-XXXX-4045-a4ac-1XXXXeXXXX00".
Is because of region or we have missed something in configurations?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Any chance you could point out why I am getting this error when attempting to sign in?
Client is not enabled for OAuth2.0 flows
CognitoUserPoolClientNew:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId: !Ref CognitoUserPool
AllowedOAuthFlowsUserPoolClient: True
AllowedOAuthFlows:
- code
- implicit
AllowedOAuthScopes:
- email
- openid
- profile
SupportedIdentityProviders:
- COGNITO
ExplicitAuthFlows:
- ALLOW_USER_PASSWORD_AUTH
- ALLOW_REFRESH_TOKEN_AUTH
- ALLOW_USER_SRP_AUTH
- ALLOW_CUSTOM_AUTH
CallbackURLs:
- !Sub "https://${LoadBalancer.DNSName}"
- !Sub "https://${LoadBalancer.DNSName}/oauth2/idpresponse"
- !Sub "https://${DomainName}"
- !Sub "https://${DomainName}/oauth2/idpresponse"
LogoutURLs:
- !Sub "https://${LoadBalancer.DNSName}"
- !Sub "https://${LoadBalancer.DNSName}/oauth2/idpresponse"
- !Sub "https://${DomainName}"
- !Sub "https://${DomainName}/oauth2/idpresponse"
GenerateSecret: True
ClientName: !Sub "${AppName}-UserPoolClient"
