I receive an error when I configure authentication in my Application Load Balancer.
Resolution
Misconfigurations with the identity provider (IdP) or Application Load Balancer can cause errors when you configure authentication for the Application Load Balancer. To troubleshoot authentication errors, complete the following tasks.
redirect_mismatch
The IdP returns redirect_mismatch when the redirect URI it has on file for the app client is not exactly the one the load balancer sends. The load balancer always uses the fixed callback path /oauth2/idpresponse on the listener's domain, over HTTPS. If you use Amazon Cognito, then set the app client's callback URL to https://<domain>/oauth2/idpresponse. If you use a different IdP, then register https://<domain>/oauth2/idpresponse as the redirect URI. Most IdPs compare redirect URIs as exact strings, so a trailing slash, a different letter case, or http instead of https also causes this error.
Note: Replace <domain> with the domain that users use to access the Application Load Balancer (the name that the HTTPS listener's certificate covers), not the load balancer's default DNS name unless that is what users type.
HTTP 401: Unauthorized
To resolve HTTP 401: Unauthorized errors, update the following configurations to all match on your Application Load Balancer and IdP:
- Issuer
- Authorization endpoint
- Token endpoint
- Client ID/Client Secret
Also, check the Action on unauthenticated request setting. Deny returns HTTP 401 to every request that doesn't carry a valid session cookie, so a 401 is the expected behavior with that setting. If you want the load balancer to redirect users to the IdP instead, set it to Authenticate (client reattempt); if unauthenticated requests should pass through to the targets, set it to Allow.
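The checklist above (redirect URI, and matching issuer and endpoints for HTTP 401) can be scripted as a pre-flight comparison of the listener rule against the IdP's published OIDC metadata. The following is an added example and not AWS or IdP code; both inputs are constructed samples with hypothetical values, in the shape of the AuthenticateOidcConfig block that aws elbv2 describe-rules prints and of an OIDC discovery document (/.well-known/openid-configuration). The client secret is deliberately not part of the comparison.

```python
"""Pre-flight comparison of an ALB authenticate-oidc action with the IdP's
OIDC discovery document and registered redirect URI. Added example with
constructed, hypothetical inputs."""

ALB_CALLBACK_PATH = "/oauth2/idpresponse"  # fixed path the ALB listens on

# Constructed sample: AuthenticateOidcConfig as printed by `aws elbv2 describe-rules`.
# Note the trailing slash on Issuer.
ALB_OIDC_CONFIG = {
    "Issuer": "https://login.example.com/",
    "AuthorizationEndpoint": "https://login.example.com/oauth2/authorize",
    "TokenEndpoint": "https://login.example.com/oauth2/token",
    "UserInfoEndpoint": "https://login.example.com/oauth2/userInfo",
    "ClientId": "1example23456789",
    "OnUnauthenticatedRequest": "deny",
}

# Constructed sample: what the IdP's /.well-known/openid-configuration returned.
IDP_DISCOVERY = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "userinfo_endpoint": "https://login.example.com/oauth2/userInfo",
}

# Constructed sample: redirect URI registered on the IdP app client, and the
# hostname users actually type to reach the load balancer.
REGISTERED_REDIRECT_URI = "https://App.example.com/oauth2/idpresponse/"
ALB_DOMAIN = "app.example.com"

# ALB rule field -> key in the discovery document
FIELD_MAP = {
    "Issuer": "issuer",
    "AuthorizationEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserInfoEndpoint": "userinfo_endpoint",
}


def compare_endpoints(alb, disco):
    """One finding per field that does not match the IdP's metadata byte for byte."""
    findings = []
    for alb_key, disco_key in FIELD_MAP.items():
        ours, theirs = alb.get(alb_key), disco.get(disco_key)
        if ours == theirs:
            continue
        if ours and theirs and ours.rstrip("/") == theirs.rstrip("/"):
            findings.append(f"{alb_key}: differs only by trailing slash ({ours!r} vs {theirs!r})")
        else:
            findings.append(f"{alb_key}: ALB has {ours!r}, IdP publishes {theirs!r}")
    for key in FIELD_MAP:
        if not alb.get(key, "").startswith("https://"):
            findings.append(f"{key}: must be an https:// URL")
    return findings


def expected_redirect_uri(alb_domain):
    """The only redirect URI the load balancer will ever send for this domain."""
    return f"https://{alb_domain}{ALB_CALLBACK_PATH}"


def check_redirect_uri(registered, alb_domain):
    """IdPs typically compare redirect URIs as exact strings, so require an exact match."""
    want = expected_redirect_uri(alb_domain)
    if registered == want:
        return []
    hint = ""
    if registered.lower().rstrip("/") == want.lower():
        hint = " (differs only by case or trailing slash)"
    return [f"redirect_uri: registered {registered!r}, expected {want!r}{hint}"]


def run_checks(alb, disco, registered, alb_domain):
    """Full checklist; an empty list means nothing obviously wrong on the ALB side."""
    findings = compare_endpoints(alb, disco) + check_redirect_uri(registered, alb_domain)
    if alb.get("OnUnauthenticatedRequest", "authenticate") == "deny":
        findings.append("OnUnauthenticatedRequest=deny: requests without a valid session get "
                        "HTTP 401 by design; use authenticate or allow if that is not intended")
    return findings


if __name__ == "__main__":
    for finding in run_checks(ALB_OIDC_CONFIG, IDP_DISCOVERY,
                              REGISTERED_REDIRECT_URI, ALB_DOMAIN):
        print(finding)
```

In practice you would load the first input from the describe-rules output and fetch the second from the issuer's discovery URL; the sample data above reproduces the three most common findings: an issuer that differs only by a trailing slash, a redirect URI that differs by case and a trailing slash, and a deny action that makes every unauthenticated request a 401.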
HTTP 500: Internal Server Error
The load balancer must be able to communicate with the IdP token endpoint (TokenEndpoint) and the IdP user info endpoint (UserInfoEndpoint). Application Load Balancers support only IPv4 when the load balancers communicate with these endpoints.
To resolve HTTP 500: Internal Server Error errors, complete the following tasks:
- Verify that the IdP endpoint DNS name is publicly resolvable. The authentication feature can't resolve private domain names.
- Add an outbound rule to the load balancer security group that allows traffic to the IdP endpoints over HTTPS port 443.
- Make sure that the network ACL of each load balancer subnet allows traffic to and from the IdP endpoints. Network ACLs are stateless, so the return traffic needs its own rule:
For egress rules, allow traffic to the IdP endpoint IP addresses (destination) on TCP port 443.
For ingress rules, allow traffic from the IdP endpoint IP addresses (source) on TCP ports 1024-65535, the ephemeral port range that the load balancer uses for the responses.
- Configure the load balancer subnet route tables to reach the IdP endpoints:
For internet facing load balancers, configure an Internet Gateway default route to reach the public IdP endpoints.
For internal load balancers or balancers with a dualstack-without-public-ipv4 IP address, configure a NAT gateway or instance default route to reach public IdP endpoints.
For all other network topology, you must have sufficient routing in place end to end to reach the IdP endpoints.
- Select a valid OAuth2 Grant type. Application Load Balancers support the Authorization code grant to obtain an access token. If an incorrect grant is configured at the IdP, then the Application Load Balancer generates an error.
- Make sure that the IdP token and user info endpoints respond within 5 seconds.
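The network items in the list above (public IPv4 IdP addresses, security group egress on 443, network ACL rules in both directions) can be checked offline against the describe-* output before you touch the console. The following is an added example, not AWS code; the addresses, security group and network ACL are constructed samples with hypothetical values in the shape returned by aws ec2 describe-security-groups and aws ec2 describe-network-acls, and the "private" check covers only the RFC 1918, loopback and link-local ranges.

```python
"""Offline check of the network path from an ALB to its IdP endpoints, for the
HTTP 500 checklist. Added example with constructed, hypothetical inputs."""
import ipaddress

# Constructed: addresses the IdP token/userinfo hostname resolved to.
IDP_ADDRESSES = ["203.0.113.10", "203.0.113.11"]

# Constructed: the ALB's security group as returned by `aws ec2 describe-security-groups`.
# Egress was tightened to the VPC CIDR, which silently cuts off the public IdP.
ALB_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

# Constructed: the ALB subnet's network ACL as returned by `aws ec2 describe-network-acls`.
# Outbound 443 is fine, but the inbound rule allows 443 instead of the ephemeral
# range, so the IdP's responses are dropped. Rule 32767 is the trailing default deny.
SUBNET_NACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

EPHEMERAL = (1024, 65535)  # both ends of the return-traffic range the NACL must allow in
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]


def check_idp_addresses(addresses):
    """The ALB reaches the IdP over IPv4 only and cannot use private names or addresses."""
    findings = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.version != 4:
            findings.append(f"{a}: IPv6 address; ALB authentication talks to the IdP over IPv4 only")
        elif any(ip in net for net in PRIVATE_RANGES):
            findings.append(f"{a}: private address; the IdP endpoint must be publicly reachable")
    return findings


def _port_matches(entry_from, entry_to, port):
    return entry_from is None or entry_from <= port <= entry_to


def sg_allows_egress(sg, address, port):
    """True if any outbound rule covers TCP <port> to <address> (security groups are stateful)."""
    ip = ipaddress.ip_address(address)
    for perm in sg["IpPermissionsEgress"]:
        if perm["IpProtocol"] not in ("-1", "tcp"):
            continue
        if not _port_matches(perm.get("FromPort"), perm.get("ToPort"), port):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_decision(nacl, address, port, egress):
    """Network ACLs are stateless and ordered: the lowest-numbered matching rule wins."""
    ip = ipaddress.ip_address(address)
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        cidr = e.get("CidrBlock")  # IPv6-only entries carry Ipv6CidrBlock instead; skip them
        if e["Protocol"] not in ("-1", "6") or not cidr:
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        pr = e.get("PortRange")
        if pr and not _port_matches(pr["From"], pr["To"], port):
            continue
        return e["RuleAction"]
    return "deny"  # nothing matched: same effect as the trailing * rule


def check_path(addresses, sg, nacl):
    """Run the whole network checklist; an empty list means the path looks open."""
    findings = check_idp_addresses(addresses)
    for a in addresses:
        if not sg_allows_egress(sg, a, 443):
            findings.append(f"{a}: security group {sg['GroupId']} has no egress rule for TCP 443")
        if nacl_decision(nacl, a, 443, egress=True) != "allow":
            findings.append(f"{a}: NACL {nacl['NetworkAclId']} denies outbound TCP 443")
        for port in EPHEMERAL:
            if nacl_decision(nacl, a, port, egress=False) != "allow":
                findings.append(f"{a}: NACL {nacl['NetworkAclId']} denies inbound TCP {port} (return traffic)")
                break
    return findings


if __name__ == "__main__":
    for finding in check_path(IDP_ADDRESSES, ALB_SECURITY_GROUP, SUBNET_NACL):
        print(finding)
```

Resolve the IdP hostnames from outside the VPC (the load balancer's resolver will not see a private zone) and feed every returned address in, because the IdP may answer from several; the security group check only needs one matching outbound rule, but the network ACL has to allow 443 out and the whole 1024-65535 range back in.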
Additional HTTP error codes
To troubleshoot additional HTTP error codes that Application Load Balancers generate, see The load balancer generates an HTTP error.
Related information
Simplify login with Application Load Balancer built-in authentication
Authenticate users using an Application Load Balancer
Application-specific settings with app clients