AWS ALB Cognito JWT/OIDC authentication


We are trying to integrate AWS ALB with a Cognito user pool. We have set up rules in ALB to authenticate users with the Cognito client. After web app authentication, a session cookie is set. This is all good.

Now, we have a desktop application which internally connects with Cognito, gets an access token JWT and manages it (refresh etc.). Now, we are trying to fire HTTP requests to ALB with this access token in the Authorization header. ALB redirects these requests to the Cognito login page again, instead of validating (and allowing) the JWT present in the Auth header.

What we expect is that if a request contains a valid Auth header (JWT), ALB should validate it and allow it. It seems ALB does not check the Auth header. How can we achieve this with ALB? Additionally, is it possible for the desktop app to work directly with ALB (instead of Cognito) and use a Session ID instead of the JWT/Access Token?

1 Answer

The docs here https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow (see step #9) show that an authentication session cookie, issued by the ALB, is required to proceed to forwarding of traffic to the Target Group. The ALB here will actually sign the JWT being sent back to the target group itself, not Cognito in this case.

Depending upon your use case, you may want to use API Gateway to achieve this design rather than ALB. You could use this NodeJS JWT authorizer code within a custom lambda authorizer instead. Not sure that's possible with your application but should meet your design expectations of using the Cognito issued JWT.

Chris_S (AWS), answered 2 years ago
  • Thanks @Chris_S. We are using EKS for our services deployment. I don't think AWS API Gateway will fit here.

  • Hi @Chris_S, sadly the use case of using API Gateway is not possible for multiple use cases due to its limitations (maximum payload & response time). Are there any other ways of solving this problem? API Gateway is not possible to use, and ALB with Cognito doesn't allow using the JWT tokens that are generated with it, which is quite necessary in the current concept of microservices.
