ALB with Authenticate action Cognito Flow - seems correct?

  1. Frontend Vue.js app makes request to ALB - HTTPS listener with authenticate action set on protected route /admin/* redirects user to Cognito Hosted UI.

  2. User is prompted to enter username and password. Under the hood the Hosted UI calls the InitiateAuth API endpoint - and this returns a Session Cookie / and sets some headers on the request.

  3. The callback URL in the Cognito ClientApp for the user pool is set as the www.alb-domain.com/oauth2/idpresponse - this time the ALB can see the request has the auth credentials and forwards the request to the target group.

  4. The backend app inside the target group has middleware set up that protects the /admin/* route - here the middleware carries out validation of the token in request headers.

  5. Once validation successful the backend app returns a Status 200 OK - and the Vue.js frontend app then loads the admin dashboard.

  6. Subsequent requests made by the admin from the admin dashboard will be authenticated and won't need to go through the above process for the duration of the session cookie.

Or should I be logging in the user on the frontend to the admin dashboard as soon as the Cognito Authenticate action at the ALB successfully authenticates?

1 Answer
Accepted Answer

Your overall approach seems correct, and you've described a common authentication flow using AWS Cognito and an Application Load Balancer (ALB). Let's break down the flow:

  1. ALB with Authenticate Action:

Your ALB is configured with an authentication action, and it redirects requests to the Cognito Hosted UI when accessing the protected route /admin/*. This is a common pattern to enforce authentication before allowing access to specific routes.

  2. Cognito Hosted UI:

The user is prompted to enter their username and password through the Cognito Hosted UI, which internally calls the InitiateAuth API and returns a session cookie and sets headers on the request.

  3. Callback URL:

The callback URL configured in the Cognito Client App for the user pool is set to www.alb-domain.com/oauth2/idpresponse. This is where the ALB receives the authenticated request from Cognito.

  4. Backend App in Target Group:

Your backend app inside the target group has middleware that protects the /admin/* route. The middleware validates the token in the request headers after successful authentication.

  5. Frontend App:

The Vue.js frontend app, upon successful authentication through Cognito, loads the admin dashboard. Subsequent requests made by the admin are authenticated using the session cookie, avoiding the need to go through the entire authentication process again for the duration of the session.

Your approach of deferring the login to the frontend until after the successful Cognito authentication and token validation on the backend is common. This allows you to centralize authentication logic and token management on the backend, providing a more secure and manageable solution.

One thing to consider is handling token refreshes if your session cookies have expiration times. This ensures that users are not suddenly logged out after the session expires.

In summary, your described architecture is in line with common best practices for securing applications with AWS Cognito and an ALB. Make sure to thoroughly test your implementation and consider additional security measures like HTTPS, secure cookie attributes, and handling token refreshes based on your application's requirements.

Renato (AWS)
answered 5 months ago
EXPERT reviewed a month ago
  • Thank you so much for confirming the general approach is correct Renato! It's my first time setting up Cognito for work so I wanted to make sure I'm doing the right thing, and you have re-assured me so I'm at peace now!
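The backend middleware check from step 4 of the question, as an added example that is not part of the question or of Renato's answer. When the ALB's authenticate action has a valid session it forwards the request with an `x-amzn-oidc-data` header: a JWT the ALB signs with ES256, whose JOSE header carries a `kid` and the issuing ALB's ARN in `signer`, and whose public key is published at `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`. The Go below (standard library only) verifies that token the way the middleware should: it pins the algorithm, checks the ECDSA signature, pins the `signer` to our own ALB's ARN, and checks `exp`. The key lookup is injected so the example runs offline; the key pair, the `kid`, the ARN and the claims are generated or assumed here, and `MintALBStyleToken`/`DemoKey` exist only to produce a realistic input (a real backend never mints these tokens).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ALBClaims is the subset of the Cognito claims in x-amzn-oidc-data that this middleware uses.
type ALBClaims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

// albHeader is the JOSE header the ALB writes; "signer" is the issuing ALB's ARN.
type albHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"`
}

// decodeSegment accepts unpadded base64url and the '='-padded form the ALB emits (strict JWT libraries reject it).
func decodeSegment(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// VerifyALBToken returns the claims only if algorithm, signature, signer and expiry all check out. resolve maps the
// token's "kid" to the ALB public key; production code fetches and caches the PEM from https://public-keys.auth.elb.<region>.amazonaws.com/<kid>.
func VerifyALBToken(token, expectedSigner string, resolve func(kid string) (*ecdsa.PublicKey, error), now time.Time) (*ALBClaims, error) {
	hdrSeg, rest, _ := strings.Cut(token, ".")
	claimsSeg, sigSeg, _ := strings.Cut(rest, ".") // a missing segment decodes as empty and fails below
	rawHdr, e1 := decodeSegment(hdrSeg)
	rawClaims, e2 := decodeSegment(claimsSeg)
	sig, e3 := decodeSegment(sigSeg)
	hdr, claims := albHeader{}, ALBClaims{}
	if err := errors.Join(e1, e2, e3, json.Unmarshal(rawHdr, &hdr), json.Unmarshal(rawClaims, &claims)); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" || len(sig) != 64 { // pin the algorithm; ES256 JWS signatures are raw r||s, 32 bytes each
		return nil, fmt.Errorf("unexpected alg %q or signature length %d", hdr.Alg, len(sig))
	}
	pub, err := resolve(hdr.Kid)
	if err != nil {
		return nil, fmt.Errorf("kid %q: %w", hdr.Kid, err)
	}
	digest := sha256.Sum256([]byte(hdrSeg + "." + claimsSeg))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	// Only now are header and claims trustworthy. Pinning the signer rejects a validly signed token that
	// another ALB in the same region issued for some other app and an attacker replays against this one.
	if hdr.Signer != expectedSigner {
		return nil, fmt.Errorf("signed by %q, not our ALB", hdr.Signer)
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

// MintALBStyleToken builds a token in the ALB's format (ES256, raw r||s, padded base64url) so the
// example runs without an ALB. Test scaffolding only: a backend never mints these.
func MintALBStyleToken(priv *ecdsa.PrivateKey, kid, signer string, claims ALBClaims) string {
	hdr, _ := json.Marshal(albHeader{Alg: "ES256", Kid: kid, Signer: signer})
	body, _ := json.Marshal(claims)
	enc := base64.URLEncoding // padded, as the ALB does
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig)
}

// DemoKey generates a P-256 key pair standing in for the ALB's signing key (scaffolding, like the minter).
func DemoKey() *ecdsa.PrivateKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system CSPRNG does
	return priv
}

func main() {
	const albARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/admin/0123456789abcdef" // assumed
	priv := DemoKey()
	tok := MintALBStyleToken(priv, "demo-kid", albARN, ALBClaims{Username: "admin", Exp: time.Now().Add(time.Minute).Unix()})
	claims, err := VerifyALBToken(tok, albARN, func(string) (*ecdsa.PublicKey, error) { return &priv.PublicKey, nil }, time.Now()) // closure stands in for the public-keys endpoint
	fmt.Println(claims, err)
}
```

Two points this check does not cover on its own. `x-amzn-oidc-data` is an ordinary request header, so the target group's security group must only accept traffic from the ALB; otherwise a client that can reach the instances directly can send any header it likes, and the signature check is all that stands between it and `/admin/*`. And the ALB's session cookie (`AWSELBAuthSessionCookie`) is what keeps the user signed in for subsequent requests; the backend should treat each request's token independently and not mint its own longer-lived session from a single validated one.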
