How do I troubleshoot issues configuring authentication in my Application Load Balancer?

2 minute read

I receive an error when I configure authentication in my Application Load Balancer.


Misconfigurations with the identity provider (IdP) or Application Load Balancer can cause errors when configuring authentication for the Application Load Balancer. Follow these steps to troubleshoot authentication errors.


If you're using Amazon Cognito, then set the callback URL to https://<domain>/oauth2/idpresponse. If you're using a different IdP, then set the redirect URI to https://<domain>/oauth2/idpresponse.

Note: Replace <domain> with the domain used to access the Application Load Balancer.

HTTP 401: Unauthorized

Configure the following identically on your Application Load Balancer and IdP:

  • Issuer
  • Authorization endpoint
  • Token endpoint
  • Client ID/Client Secret

Also, set Action on unauthenticated request to either Allow or Authenticate (client reattempt), based on your use case.

HTTP 500: Internal Server Error

Complete the following steps if you receive an "HTTP 500: Internal Server Error" error:

  • Add an outbound rule to allow traffic to the IdP endpoints over HTTPS (port 443).
  • Configure the network access control list rules on each Application Load Balancer subnet to allow traffic to and from the IdP endpoints.
    For egress rules, specify: Destination IP - Identity provider, Destination port -443 Allow.
    For ingress rules, specify: Source IP - Identity provider, Destination port 1024-65535 Allow.
  • Configure the route table to include a route for the Application Load Balancer to access the IdP endpoints.
    For public Application Load Balancers and public endpoints, configure an internet gateway route for the route table.
    For private Application Load Balancers and private endpoints, configure a network address translation (NAT) gateway for the route table. Or, configure a NAT instance route for the IdP.
    For other scenarios, configure the route tables of the Application Load Balancer subnets with appropriate route entry to route connectivity to the IdP endpoints.
  • Select a valid OAuth2 Grant type. Application Load Balancers support the Authorization code grant to obtain an access token. If an incorrect grant is configured at the IdP, then the Application Load Balancer generates an error.

Additional HTTP error codes

For troubleshooting additional HTTP error codes generated by Application Load Balancers, see The load balancer generates an HTTP error.

Related information

Simplify login with Application Load Balancer built-in authentication

Authenticate users using an Application Load Balancer

Configuring a user pool app client

AWS OFFICIALUpdated a year ago

In some cases, the user may encounter an error at the IdP, and be redirected to the ALB with the "error" and "error_description" parameters rather than the "code" parameter, per RFC 6749.

Is there any way to configure the ALB to do one of the following:

  • Render the error to the user
  • Forward the request to a Lambda
  • Redirect the request to another (unauthenticated) endpoint

Any of these would be much more valuable than displaying the generic "401 Unauthenticated" response to unsuspecting users.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 9 months ago