Can you create an Application Load Balancer (ALB) listener rule based on user claims received from an IdP's user-info endpoint when authenticating users with an ALB using Cognito?

1

I'm planning a multi-domain application and would like to use a single Application Load Balancer to route traffic to each domain. Each application/domain is a distinct target for the ALB, with custom listener rules to route traffic based on host headers. I'd also like to offload authentication to the ALB using AWS Cognito, as documented here.

I'm aware that user claims after authentication will be forwarded to each of my applications in x-amzn-oidc-data HTTP header and that I can parse that data within my applications to perform authorization based upon those claims. My question is if I can create a listener rule for the ALB based upon those claims. For instance, if a user is not in the admin user group of my Cognito user pool, I'd like to create an ALB listener rule that denies access to one or more of my domains/applications. Is this possible? The documentation on ALB listener rules mentions a rule for HTTP headers, but it's unclear to me if user claims will be in those headers for evaluation.

asked a year ago, 489 views
1 Answer
0

Hello @whileTrue

To configure an Application Load Balancer and an Amazon Cognito user pool to authenticate your application users, complete the following steps.

Create an Application Load Balancer

Note: If you already configured an Application Load Balancer, then proceed to the next section.

  1. Create an internet-facing Application Load Balancer.

  2. Create an HTTPS listener for your Application Load Balancer.

Note: Only HTTPS listeners support the authenticate-cognito and authenticate-oidc rule action types.

Get the DNS name of your Application Load Balancer

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  2. In the navigation pane, under Load Balancing, choose Load Balancers.

  3. Select your Application Load Balancer.

  4. On the Description tab, copy and save your load balancer's DNS name. Use this DNS name to access your Application Load Balancer's endpoint URL for testing.

Create and configure an Amazon Cognito user pool

  1. Create an Amazon Cognito user pool with an app client. When you configure the app client, select the Generate a client secret radio button.

For more information, see Prepare to use Amazon Cognito.

Note: When you create the user pool, configure the settings that you want for production. After you create the user pool, you can't change some user pool settings. For example, you can't change the required standard attributes for user registration.

  2. Open the Amazon Cognito console.

  3. In the navigation pane, choose User pools, and then select your user pool. Copy and save the User pool ID. Use this ID to configure your Application Load Balancer for user authentication.

  4. Choose the App integration tab for your user pool, and then add a domain for your user pool.

  5. From the App integration tab for your user pool, navigate to the App clients and analytics section. Then, select your app client.

  6. On the app client page, under App client information, copy and save the Client ID. Use this ID to configure your Application Load Balancer for user authentication.

  7. In the Hosted UI section, choose Edit.

  8. Choose Add callback URL, and then enter https://loadBalancerDNSName/oauth2/idpresponse.

-or-

If you used a CNAME record to map a custom domain to your Application Load Balancer, then enter https://CNAME/oauth2/idpresponse.

Note: Replace loadBalancerDNSName with the DNS name that you copied from the Amazon EC2 console. If you're using a CNAME record, then replace CNAME with your custom domain.

  9. Choose Add sign-out URL, and then enter a URL that you want to redirect your users to after they sign out. For testing, you can enter any valid URL, such as https://example.com/.

  10. For Identity providers, select the Cognito user pool check box.

  11. Under OAuth 2.0 grant types, select the Authorization code grant check box. Select any additional OAuth grant types according to your requirements.

  12. Under OpenID Connect scopes, select the OpenID check box. The OpenID scope returns an ID token. Select any additional OpenID Connect (OIDC) scopes according to your requirements.

  13. Choose Save changes.

For more information, see Configuring a user pool app client and Adding user pool sign-in through a third party.

Configure your Application Load Balancer

  1. Open the Amazon EC2 console.

  2. In the navigation pane, under Load Balancing, choose Load Balancers.

  3. Select your Application Load Balancer.

  4. On the Listeners tab, select the HTTPS listener default rule that you want to update, and then choose Actions, Manage rules.

  5. Edit the HTTPS listener default rule with the following settings:

For THEN, choose Add action. Choose Authenticate. For Authenticate, choose Amazon Cognito. For the user pool, enter the User pool ID that you copied from the Amazon Cognito console. For the app client, enter the Client ID that you copied from the Amazon Cognito console. Expand Advanced settings. For Scope, enter the scopes that you configured for your user pool app client, separated by spaces. You can find the scopes in your user pool's OIDC configuration. For example, if the scopes_supported value in the configuration is ["openid","email","phone","profile"], then enter openid email phone profile. Choose the check mark icon.

  6. Continue editing the HTTPS listener default rule with the following settings:

For THEN, choose Add action. Note: If you can't choose Add action, then use the trash can icon to delete the existing routing action, such as Redirect to. Then, try again. Choose Forward to. For Forward to, choose one or more target groups. (Optional) Configure Group-level stickiness. Choose the check mark icon.

  7. Choose Update to update the HTTPS listener default rule.

Test the setup

In your web browser, enter one of the following URLs:

https://loadBalancerDNSName/

https://CNAME/

Note: Replace loadBalancerDNSName with the DNS name that you copied from the Amazon EC2 console. Or, replace CNAME with your custom domain.

You're redirected to the Amazon Cognito hosted web UI for your user pool. After users sign in and the user pool authenticates them, the users are redirected to the target.

Refer: https://repost.aws/knowledge-center/cognito-user-pool-alb-authentication


If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.

answered a year ago
  • Although I appreciate the detail in your answer, you've neglected the crux of my question: how can you make an ALB listener rule based on the Cognito user group?
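The question notes that the claims reach each application in the x-amzn-oidc-data header and that the group check can be done there. The Go program below is an added example, not code from the question, the answer or AWS, showing that application-side check done safely: the ALB signs the token with ES256 and publishes its public keys at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>, so the application verifies the signature against the key named by the token's kid, pins the algorithm, checks expiry, and only then reads the cognito:groups claim to decide 401/403/200. The names Claims, KeyLookup, VerifyOIDCData, Authorize and SignForTest are this example's own; KeyLookup stands in for the key fetch, and SignForTest mints tokens with a locally generated key purely so the code runs offline (real tokens are minted by the ALB, never by the application).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims from the JWT the ALB forwards in x-amzn-oidc-data; Cognito user pool group membership is "cognito:groups".
type Claims struct {
	Sub    string   `json:"sub"`
	Groups []string `json:"cognito:groups"`
	Exp    int64    `json:"exp"`
}

// KeyLookup maps the token's "kid" to the ALB's ES256 public key. In production it fetches and caches
// https://public-keys.auth.elb.<region>.amazonaws.com/<kid>; the offline demo below wires in a local key.
type KeyLookup func(kid string) (*ecdsa.PublicKey, error)

// decodeSegment accepts base64url with or without '=' padding (ALB tokens are known to carry padding).
func decodeSegment(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// VerifyOIDCData checks structure, pinned algorithm, ES256 signature and expiry before returning claims;
// decoding without verifying would let anything that reaches the target directly forge its own groups.
func VerifyOIDCData(token string, lookup KeyLookup, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := decodeSegment(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "ES256" { // pin the algorithm; never let the token choose it
		return nil, errors.New("unexpected alg")
	}
	pub, err := lookup(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := decodeSegment(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signature is raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := decodeSegment(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

// Authorize is the per-application decision: 401 for an unverifiable token, 403 for a verified user
// outside the required Cognito group, 200 otherwise. HTTP middleware would wrap exactly this call.
func Authorize(token string, lookup KeyLookup, now time.Time, group string) int {
	c, err := VerifyOIDCData(token, lookup, now)
	if err != nil {
		return 401
	}
	for _, g := range c.Groups {
		if g == group {
			return 200
		}
	}
	return 403
}

// SignForTest mints a token in the ALB's format with a local key so the checks can run offline (constructed
// test helper; real tokens are signed by the ALB, never by the application).
func SignForTest(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "ES256", "kid": kid})
	payload, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // left-pad each scalar to 32 bytes
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // local key standing in for the ALB's
	tok, _ := SignForTest(priv, "demo-kid", Claims{Sub: "u-1", Groups: []string{"admin"}, Exp: time.Now().Add(time.Minute).Unix()})
	fmt.Println(Authorize(tok, func(string) (*ecdsa.PublicKey, error) { return &priv.PublicKey, nil }, time.Now(), "admin"))
}
```

Because the header is just a signed, base64-encoded JWT, a target that can be reached without passing through the ALB could be handed a hand-made header; restrict each target's ingress to the load balancer's security group and verify the signature on every request rather than only decoding the payload. The decision runs inside each application, which matches the fallback the question already describes of parsing the claims in the apps themselves.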
