AWS ALB returning AuthInvalidTokenResponse with OIDC


I am trying to configure AWS ALB with OIDC configuration for Kubernetes, but I am unsuccessful, with the AWS ALB access log showing AuthInvalidTokenResponse.

Where I am at:

AWS ALB is able to call the AuthorizationEndpoint with the configured client ID and is redirected to https://<domain>/oauth2/idpresponse with an authorization code. The load balancer is also able to call the TokenEndpoint with status code 200. When I intercept the request to the token endpoint, it responds with the following JWT:

id_token Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": 1,
  "sub": 2
}

Payload

{
  "iss": "<Issuer>",
  "sub": "2",
  "aud": "<Client ID>",
  "exp": 1686674194.646189,
  "iat": 1686587794.646195,
  "jti": "123",
  "email": "<user email>",
  "token_use": "id",
  "auth_time": 1686587776,
  "nonce": null
}

access_token Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": 1
}

Payload

{
  "aud": "<Client ID>",
  "jti": "bd50ae286e303b24277fc256024b1d7e67e0383fb4fc3a23abd58ca420d69fea015251e1062ea98f",
  "iat": 1686587794.647674,
  "nbf": 1686587794.647676,
  "exp": 1686591394.45712,
  "sub": "2",
  "iss": "<Issuer>",
  "scope": "openid email profile",
  "token_use": "access",
  "username": "<user>",
  "client_id": "<Client ID>"
}

token_type

Bearer

and refresh_token

When I check the id_token & access_token on https://jwt.io, the signature is verifiable via https://<domain>/.well-known/openid-configuration & https://<domain>/.well-known/jwks.json

I have also tried adding a trailing slash to the issuer URL after coming across this question.

I am clueless about what might be the issue. Does anyone know why I am getting the error? Or is there a way to get verbose logs from the AWS ALB that can help me understand the reason behind AuthInvalidTokenResponse?

Thanks in advance!

1 Answer

When ALB receives an ID token, it checks the aud claim to ensure that the token is intended for it. If the aud claim does not match the client ID that ALB expects, ALB will reject the token and return an AuthInvalidTokenResponse error. You can check the client ID of the ALB by using the describe-listener command.

AWS
answered a year ago
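An added claim checker (not code from the question, the answer, or AWS) that decodes the posted id_token shape and applies the checks a relying party such as ALB makes on it: the iss string must match the configured issuer exactly (so a trailing slash matters), aud must contain the client ID, and exp must be in the future. It also flags RFC-shape cautions such as the numeric kid seen in the posted header. The issuer, client ID and email values are constructed placeholders, the signature segment is a dummy, and no signature verification is done here.

```python
import base64
import json
import time

# Constructed sample: the question's id_token header/payload with placeholders replaced.
# The signature segment is a dummy; this checker inspects claims only and does not verify it.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": 1, "sub": 2}
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test", "sub": "2", "aud": "example-client-id",
    "exp": 1686674194.646189, "iat": 1686587794.646195, "jti": "123",
    "email": "user@example.test", "token_use": "id", "auth_time": 1686587776, "nonce": None,
}

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(segment):
    # Compact JWS segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

SAMPLE_TOKEN = f"{_b64url(SAMPLE_HEADER)}.{_b64url(SAMPLE_CLAIMS)}.dummysig"

def decode_unverified(token):
    """Parse header and payload of a compact JWS WITHOUT checking the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_unb64url(header_b64)), json.loads(_unb64url(payload_b64))

def check_id_token(token, expected_iss, expected_aud, now=None):
    """Return findings a strict relying party would raise; an empty list means claims look sound."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    findings = []
    if header.get("alg") != "RS256":
        findings.append(f"alg {header.get('alg')!r}, expected RS256")
    if "kid" in header and not isinstance(header["kid"], str):
        findings.append(f"header kid {header['kid']!r} is not a string (RFC 7515 section 4.1.4)")
    if claims.get("iss") != expected_iss:  # exact string compare: a trailing slash breaks it
        findings.append(f"iss {claims.get('iss')!r} != configured issuer {expected_iss!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud {aud!r} does not contain client id {expected_aud!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        findings.append("exp missing or already in the past")
    nulls = [k for k, v in claims.items() if v is None]
    if nulls:  # caution only: a typed validator may reject a null where a string is expected
        findings.append(f"null-valued claims: {nulls}")
    return findings

if __name__ == "__main__":
    for f in check_id_token(SAMPLE_TOKEN, "https://idp.example.test", "example-client-id", now=1686600000):
        print("finding:", f)
```

Paste the real id_token in place of SAMPLE_TOKEN and the issuer and client ID from describe-listener to see which check fails before digging further.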
