Cognito Custom Domain error "This URL doesn't exist on the authorization server."

0

Hi, I have a load balancer authenticating with a Cognito user pool. There is a single listener with a simple rule: "1. Authenticate with Cognito and MFA, and 2. Forward request to a target group that contains one server running a web application". There is no configuration done on the web server; I simply put https://alb.mydomain.com/TESTSERVER/login.aspx in the browser and this all works fine with a Cognito domain. I get the nice email/password dialog and then enter my MFA code. All good. But of course I want the URL to not say amazon in the redirect/responses, so I thought a Custom Domain would resolve that.

But if I simply create a custom domain in Cognito and link it to my own certificate (imported into ACM as detailed), then change the User Pool Domain in the ALB to point to the custom domain, and then change my own DNS to point ALB.MYDOMAIN.COM to the CloudFront alias rather than directly to the load balancer DNS, it stops working. Everything saves OK and I can ping the CloudFront DNS entry correctly (I have left this 24 hours to ensure DNS updates, and it does). The error is that in the browser, when trying to access the site, rather than the email/password dialog I get a white page and the message {"error":"This URL doesn't exist on the authorization server."}

To confirm: the web server itself doesn't have anything to do with the authentication; that is, or should be, all done by Cognito. I double checked the certificate is fine, ping resolves to the IP address, and I have made no other changes. Any assistance appreciated.

1 Answer
0

It is possible to configure your Application Load Balancer to handle both authenticated and unauthenticated requests as you described.

You can create path-based rules on the HTTPS listener to check the request path and route it accordingly.

For example:

  • Create a rule that matches requests to /user and does not require authentication. It will forward the request to the target group.
  • Create another rule that matches requests to /admin and sets Cognito authentication using the user pool. After successful authentication, it will forward the request to the target group.
  • The target group can contain your application servers that handle routing based on the request path or authorization headers after authentication.

This allows you to secure specific paths using Cognito while keeping other paths open without authentication. The ALB acts as a gatekeeper and offloads the authentication to Cognito while forwarding requests to the same target group.

EXPERT
answered 2 months ago
  • Thanks for the reply, Giovanni, but I don't think it addresses my question. I am trying to find out why changing from a Cognito domain to a Custom Domain, with no other changes to either Cognito or the ALB, causes the error "This URL doesn't exist on the authorization server."
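As an added example (not code from the question, the answer, or AWS), the following builds the two path-based listener rules the answer describes in the shape the ELBv2 API expects, with the `authenticate-cognito` action's `UserPoolDomain` set to a Cognito custom domain, and then runs a configuration check on the hostnames involved: the ALB action sends the browser to the user pool domain, which must be a separate hostname aliased to the CloudFront distribution Cognito created, while the application hostname keeps pointing at the load balancer. All ARNs, IDs and hostnames are constructed placeholders, and the `dns` mapping stands in for Route 53 so the check runs offline.

```python
# Added example: ALB listener rules with Cognito auth plus a hostname sanity check.
# Every ARN, client id and hostname here is a constructed placeholder.
from dataclasses import dataclass

@dataclass
class CognitoAuth:
    user_pool_arn: str
    user_pool_client_id: str
    user_pool_domain: str          # Cognito prefix domain or custom domain (e.g. auth.mydomain.com)
    scope: str = "openid"          # ALB default scope
    session_timeout: int = 604800  # seconds; ALB default is 7 days

def authenticate_cognito_action(auth, order=1):
    """The 'authenticate-cognito' action as passed to create-rule / modify-listener."""
    return {
        "Type": "authenticate-cognito",
        "Order": order,
        "AuthenticateCognitoConfig": {
            "UserPoolArn": auth.user_pool_arn,
            "UserPoolClientId": auth.user_pool_client_id,
            "UserPoolDomain": auth.user_pool_domain,
            "Scope": auth.scope,
            "SessionTimeout": auth.session_timeout,
            "OnUnauthenticatedRequest": "authenticate",  # redirect to the hosted UI
        },
    }

def forward_action(target_group_arn, order=2):
    return {"Type": "forward", "Order": order, "TargetGroupArn": target_group_arn}

def build_rules(auth, target_group_arn):
    """Path rules from the answer: /user* open, /admin* behind Cognito.
    MFA itself is enforced by the user pool, not by the ALB rule."""
    return [
        {"Priority": 10, "Conditions": [{"Field": "path-pattern", "Values": ["/user*"]}],
         "Actions": [forward_action(target_group_arn, order=1)]},
        {"Priority": 20, "Conditions": [{"Field": "path-pattern", "Values": ["/admin*"]}],
         "Actions": [authenticate_cognito_action(auth), forward_action(target_group_arn)]},
    ]

def check_domains(app_host, auth, dns):
    """Return a list of problems with how the app host and the Cognito domain resolve.
    `dns` maps hostname -> alias target (constructed stand-in for Route 53 records)."""
    problems = []
    if app_host.lower() == auth.user_pool_domain.lower():
        problems.append("application hostname and Cognito domain must be different hostnames")
    if "cloudfront.net" in dns.get(app_host.lower(), ""):
        problems.append("application hostname points at CloudFront instead of the ALB")
    if "cloudfront.net" not in dns.get(auth.user_pool_domain.lower(), ""):
        problems.append("Cognito custom domain must alias the CloudFront distribution Cognito created")
    return problems
```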
