AuthTokenEpRequestFailed on ALB when integrating with corporate OIDC provider

0

Hi, we are trying to integrate an ALB with our own OIDC provider (which in turn is behind an NLB/ALB in a different VPC + AWS account, but with a public IP and DNS) as described here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#oidc-requirements

When requesting the protected URL, the ALB redirects us to the configured AuthorizationEndpoint. After entering credentials we are redirected back to the ALB but get a 500 HTTP status code. We enabled access logging on the ALB, but we only get an error_reason of "AuthTokenEpRequestFailed". According to the docs (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-log-entry-format) this means "There is an error response (non-2XX) from the token endpoint."

But we don't see any access logs on the token endpoint of the OIDC provider. We also don't see any log entries on the ALB of the OIDC provider.

Is there anything else we can do to get more information about what goes wrong? How can we get more information on the failed request that the ALB is executing (URL, response code, ...)?

tgunsch
asked 3 months ago, 305 views
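Added example, not code from the question or from AWS: a small Python triage script that pulls the Auth* failures out of ALB access-log lines and derives the trace id and the UTC time window to search for on the IdP side, since the ALB log itself does not record the outbound token-endpoint request. The two log lines, the account id, ARNs, host names and trace ids are constructed placeholders; the field order follows the access-log entry format documented at the link above.

```python
import shlex
from datetime import datetime, timedelta

# ALB access-log fields in the documented order (access-log-entry-format page linked
# above); quoted fields become single tokens after shlex.split, so order is enough.
FIELDS = (
    "type time elb client_port target_port request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent ssl_cipher "
    "ssl_protocol target_group_arn trace_id domain_name chosen_cert_arn "
    "matched_rule_priority request_creation_time actions_executed redirect_url "
    "error_reason"
).split()

# Meanings from the same docs page; the question quotes only the first one.
AUTH_REASONS = {
    "AuthTokenEpRequestFailed": "non-2XX response from the IdP token endpoint",
    "AuthTokenEpRequestTimeout": "no response from the IdP token endpoint in time",
    "AuthUserinfoEpRequestFailed": "non-2XX response from the IdP user info endpoint",
    "AuthUserinfoEpRequestTimeout": "no response from the IdP user info endpoint in time",
}

# Constructed sample lines (placeholder account id, ARNs, host and trace ids): one
# failed OIDC callback and one successful authenticated request for comparison.
SAMPLE_LOG = [
    'https 2024-01-15T10:01:02.123456Z app/my-alb/50dc6c495c0c9188 203.0.113.10:45210 - 0.001 -1 -1 500 - 512 340 "GET https://app.example.com:443/oauth2/idpresponse?code=abc&state=xyz HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-central-1:123456789012:targetgroup/my-tg/6d0ecf831eec9f09 "Root=1-65a50e5e-0123456789abcdef01234567" "app.example.com" "arn:aws:acm:eu-central-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" 1 2024-01-15T10:01:02.100000Z "authenticate" "-" "AuthTokenEpRequestFailed"',
    'https 2024-01-15T10:05:00.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.10:45220 10.0.1.5:8080 0.001 0.010 0.000 200 200 600 2048 "GET https://app.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-central-1:123456789012:targetgroup/my-tg/6d0ecf831eec9f09 "Root=1-65a50f4c-fedcba9876543210fedcba98" "app.example.com" "arn:aws:acm:eu-central-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" 1 2024-01-15T10:04:59.990000Z "authenticate,forward" "-" "-"',
]

def parse_line(line):
    """Map one log line onto FIELDS; any fields after error_reason are ignored here."""
    return dict(zip(FIELDS, shlex.split(line)))

def auth_failures(lines):
    """(time, trace_id, reason, meaning) for every line whose error_reason is an Auth* value."""
    found = []
    for line in lines:
        entry = parse_line(line)
        reason = entry.get("error_reason", "-")
        if reason in AUTH_REASONS:
            found.append((entry["time"], entry["trace_id"], reason, AUTH_REASONS[reason]))
    return found

def idp_search_window(alb_time, seconds=30):
    """UTC window around one failed callback to search the IdP and IdP-side ALB logs."""
    t = datetime.strptime(alb_time, "%Y-%m-%dT%H:%M:%S.%fZ")
    delta = timedelta(seconds=seconds)
    return (t - delta).isoformat() + "Z", (t + delta).isoformat() + "Z"
```

Feed the real access-log lines from S3 into auth_failures() and use the returned time window and X-Amzn-Trace-Id to look for the corresponding hit, or its absence, in the IdP's own logs and in the access log of the ALB in front of it.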
2 Answers
0

Hello,

An HTTP 500 error will occur in this setup if the load balancer is unable to communicate with the IdP token endpoint or the IdP user info endpoint.

The following would be my recommendation to troubleshoot this issue:

  1. Verify that the IdP's DNS is publicly resolvable.

  2. Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints.

  3. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

You can also check metrics like ELBAuthError and ELBAuthFailure under the "AWS/ApplicationELB" namespace for more information.

AWS
SUPPORT ENGINEER
answered 3 months ago
0

Hi,

thanks for your answer. Yes, we checked them all:

  1. The IdP DNS is resolvable from the internet (we have an ALB with public IPs in front) and the TLS certificate is also valid.
  2. We checked this by changing the OIDC configuration of the ALB from our own IdP to our corporate IdP (which is internet facing). With the corporate IdP the setup is working.
  3. Yes, the VPC has internet access.

What we also encounter: in the Monitoring view of the IdP ALB (i.e. the ALB in front of our own IdP), we see "Client TLS Negotiation Errors". Are there any requirements regarding the certificate of the IdP aside from it having to be a "public" certificate? Any restrictions on key length?

tgunsch
answered 3 months ago
