Cognito OAuth /oauth2/authorize flow broken when using CloudFront in front of ALB

0

Hi everyone,

I have the following setup:

User → CloudFront → ALB → Application (Cognito authentication enabled)

Issue

When initiating the Cognito login flow via:

/oauth2/authorize

the request goes through CloudFront and is forwarded to the ALB origin. This breaks the authentication flow (redirects/cookies not behaving correctly).

The issue only occurs when CloudFront is in front of the ALB.

Expected behavior

I need the OAuth flow (/oauth2/authorize, /oauth2/token, /oauth2/idpresponse) to function correctly with Cognito authentication, without CloudFront interfering with the redirect/cookie flow.

What I tried

  • Verified ALB works correctly when accessed directly (bypassing CloudFront)
  • Configured CloudFront origin pointing to ALB
  • Tested path-based behavior (/oauth2/*) but CloudFront still affects the flow
  • Confirmed issue is specific to CloudFront layer

Question

What is the recommended AWS architecture or configuration to support Cognito authentication behind CloudFront + ALB?

Is it possible or supported to bypass CloudFront for /oauth2/* paths, or is a separate domain/subdomain required for authentication endpoints?

1 Answer
0

Hello.

Have you already reviewed the information in the following document?
You will need to configure CloudFront to forward all request headers to the origin server.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#cloudfront-requirements

Prepare to use Amazon CloudFront
Enable the following settings if you are using a CloudFront distribution in front of your Application Load Balancer:

  • Forward request headers (all) — Ensures that CloudFront does not cache responses for authenticated requests. This prevents them from being served from the cache after the authentication session expires. Alternatively, to reduce this risk while caching is enabled, owners of a CloudFront distribution can set the time-to-live (TTL) value to expire before the authentication cookie expires.
  • Query string forwarding and caching (all) — Ensures that the load balancer has access to the query string parameters required to authenticate the user with the IdP.
  • Cookie forwarding (all) — Ensures that CloudFront forwards all authentication cookies to the load balancer.
  • When configuring OpenID Connect (OIDC) authentication in conjunction with Amazon CloudFront, ensure that HTTPS port 443 is consistently used throughout the entire connection path. Otherwise, authentication failures can occur because the client OIDC redirect URLs do not match the port number of the originally generated URI.

If the above method does not resolve the issue, you can also configure Lambda@Edge on CloudFront and perform authentication using Cognito, so please check that out as well.
https://github.com/awslabs/cognito-at-edge

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
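The four requirements quoted in the answer (forward all headers, all query strings, all cookies, and keep HTTPS on 443 end to end) can be checked offline against the output of `aws cloudfront get-distribution-config`. The script below is an added example, not code from the answerer, AWS, or the question asker: it picks the cache behavior CloudFront would use for each of the three OAuth paths and reports which requirement that behavior misses, then contrasts a constructed "weak" distribution (CloudFront defaults in front of the ALB) with a corrected copy that adds a dedicated `/oauth2/*` behavior. The function names, the sample configs, the `example-alb…` origin name and the two AWS-managed policy IDs (`CachingDisabled`, `AllViewer`) are this example's assumptions; confirm the IDs in your own account before relying on them.

```python
"""Offline audit of a CloudFront DistributionConfig for ALB/Cognito auth paths."""
import copy
import fnmatch

# AWS-managed policy IDs as assumed by this example; verify them in your account.
CACHING_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"   # Managed-CachingDisabled
ALL_VIEWER = "216adef6-5c7f-47e4-b989-5492eafa07d3"         # Managed-AllViewer

OAUTH_PATHS = ("/oauth2/authorize", "/oauth2/token", "/oauth2/idpresponse")


def select_behavior(config, path):
    """First cache behavior whose PathPattern matches `path`, else the default.
    CloudFront evaluates behaviors in order and its `*` matches `/`, as fnmatch does."""
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        if fnmatch.fnmatchcase(path, behavior["PathPattern"]):
            return behavior
    return config["DefaultCacheBehavior"]


def audit_behavior(behavior, origins):
    """Return a list of findings; an empty list means the behavior meets the ALB requirements."""
    findings = []
    fv = behavior.get("ForwardedValues")
    if fv is not None:  # legacy per-behavior forwarding settings
        if "*" not in fv.get("Headers", {}).get("Items", []):
            findings.append("headers: not forwarding all (Headers.Items lacks '*')")
        if not fv.get("QueryString", False):
            findings.append("query strings: not forwarded (QueryString is false)")
        if fv.get("Cookies", {}).get("Forward") != "all":
            findings.append("cookies: not forwarding all (Cookies.Forward != 'all')")
    else:  # policy-based behavior: caching off, everything from the viewer forwarded
        if behavior.get("CachePolicyId") != CACHING_DISABLED:
            findings.append("cache policy: not CachingDisabled, auth responses may be cached")
        if behavior.get("OriginRequestPolicyId") != ALL_VIEWER:
            findings.append("origin request policy: not AllViewer, headers/cookies/query may be dropped")
    if behavior.get("ViewerProtocolPolicy") not in ("https-only", "redirect-to-https"):
        findings.append("viewer protocol: plain HTTP allowed, redirect URI port may not match")
    origin = next((o for o in origins if o["Id"] == behavior["TargetOriginId"]), None)
    coc = (origin or {}).get("CustomOriginConfig", {})
    if coc.get("OriginProtocolPolicy") != "https-only" or coc.get("HTTPSPort") != 443:
        findings.append("origin protocol: not https-only on 443 towards the ALB")
    return findings


def audit_distribution(config, paths=OAUTH_PATHS):
    """Map each OAuth path to the findings for the behavior that would serve it."""
    origins = config["Origins"]["Items"]
    return {p: audit_behavior(select_behavior(config, p), origins) for p in paths}


# Constructed sample shaped like the question's setup (CloudFront -> ALB), trimmed to the
# fields the audit reads. The default behavior keeps CloudFront's legacy defaults:
# no headers, no cookies, no query string forwarded, and HTTP allowed.
LEGACY_DEFAULTS = {"QueryString": False, "Cookies": {"Forward": "none"},
                   "Headers": {"Quantity": 0, "Items": []}}
WEAK_CONFIG = {
    "Origins": {"Items": [{
        "Id": "alb-origin",
        "DomainName": "example-alb.us-east-1.elb.amazonaws.com",  # placeholder
        "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                               "HTTPPort": 80, "HTTPSPort": 443},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "alb-origin",
                             "ViewerProtocolPolicy": "allow-all",
                             "ForwardedValues": copy.deepcopy(LEGACY_DEFAULTS)},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/static/*", "TargetOriginId": "alb-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
        "ForwardedValues": copy.deepcopy(LEGACY_DEFAULTS),
    }]},
}

# Corrected copy: an HTTPS-only origin plus a dedicated /oauth2/* behavior that disables
# caching and forwards all viewer headers, cookies and query strings; /static/* stays cacheable.
FIXED_CONFIG = copy.deepcopy(WEAK_CONFIG)
FIXED_CONFIG["Origins"]["Items"][0]["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
FIXED_CONFIG["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "redirect-to-https"
FIXED_CONFIG["CacheBehaviors"]["Items"].insert(0, {
    "PathPattern": "/oauth2/*", "TargetOriginId": "alb-origin",
    "ViewerProtocolPolicy": "https-only",
    "CachePolicyId": CACHING_DISABLED, "OriginRequestPolicyId": ALL_VIEWER,
})
FIXED_CONFIG["CacheBehaviors"]["Quantity"] = 2

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for path, findings in audit_distribution(cfg).items():
            print(f"[{name}] {path}: {findings or 'OK'}")
```

Run it against a real distribution by loading the `DistributionConfig` object from `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` and passing it to `audit_distribution`. Keeping the `/oauth2/*` behavior separate from the rest of the site is what lets the remaining paths stay cacheable while the authentication round-trips are never served from cache.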
