401 Authorization Required when forwarding to the callback URL assigned in Cognito

0

Hi: I followed the blogs and documents to create a user pool in Cognito, built an Elastic Load Balancer, created an HTTPS:443 listener, and enabled Cognito to authenticate to my application when visited over HTTPS. I modified my callback URL like this: https://dnsname/oauth2/idpresponse, but when I fill in my username and password, log in, and get redirected to the callback URL, a 401 error happens.

  1. The ELB only has 1 EC2 instance.
  2. https://dns does not have SSL; it shows as unsafe.

Doubts:

  1. Should I add any logic code in the route oauth2/idpresponse? Like parsing the code and getting the accessKey?

  2. "To enable a user to configure a load balancer to use Amazon Cognito to authenticate users, you must grant the user permission to call the cognito-idp:DescribeUserPoolClient action." I see this in the document, but what is the user referring to? Where do I assign the permission?

  3. "4. The load balancer presents the authorization grant code to the IdP token endpoint. 5. Upon receiving a valid authorization grant code, the IdP provides the ID token and access token to the Application Load Balancer." It seems something is wrong here, but I don't know how to solve it.

I would appreciate it very much if anyone could give me some suggestions, as I have been stuck on this for several days. Thanks a lot.

Jack

1 Answer
0
Accepted Answer

Hello,

Thank you for reaching out on re:Post!

Firstly, I have reviewed your doubt and would like to respond to your query.

  1. Should I add any logic code in the route oauth2/idpresponse? Like parsing the code and getting the accessKey?

--> After the user is authenticated, the IdP sends the user back to the load balancer with an authorization grant code. The load balancer presents the authorization grant code to the IdP token endpoint. Upon receiving a valid authorization grant code, the IdP provides the ID token and access token to the Application Load Balancer. So you do not need to write separate logic or code in the route oauth2/idpresponse.

The Load Balancer "oauth2/idpresponse" endpoint exists to handle the Auth Code Exchange with the Cognito Token endpoint, and to forward the client back to the original URI once the communication between Cognito and the Load Balancer is complete.

Once the user is authenticated, a session cookie is set and the ALB will route the request to the target group with X-AMZN-OIDC-* headers set. The headers contain identity information in JSON Web Token (JWT) format that a backend can use to identify a user.

Please refer to the Cognito Application Load Balancer authentication flow in the reference document below.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow

  2. "To enable a user to configure a load balancer to use Amazon Cognito to authenticate users, you must grant the user permission to call the cognito-idp:DescribeUserPoolClient action." I see this in the document, but what is the user referring to? Where do I assign the permission?

--> Here, the user is the IAM user or developer who is trying to configure the Cognito Application Load Balancer integration. You can assign this permission through IAM.

Secondly, I would like to inform you that the "401 Authorization required" error could be because of a mismatch in the parameters below between the IdP and the ALB. Please make sure the parameters below are configured identically on your Application Load Balancer and IdP.

- Issuer
- Authorization endpoint
- Token endpoint
- Client ID/Client Secret

Additionally, the Cognito ALB authentication flow requires that authentication start from the load balancer domain name. So please try to access your application from the load balancer domain name in a browser and then complete the authentication.

Please refer to further troubleshooting steps for Cognito and ALB authentication in the reference document below.

https://repost.aws/knowledge-center/elb-configure-authentication-alb

I hope this information will be helpful to you.

References:

[1] Cognito ALB authentication flow - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow

[2] How do I troubleshoot issues configuring authentication in my Application Load Balancer? - https://repost.aws/knowledge-center/elb-configure-authentication-alb

AWS
SUPPORT ENGINEER
answered 7 months ago
