
ALB cookie expirations that do not bring the user to a proper login screen


Currently I have a system configuration that uses an ALB and Cognito, in which all backend services are behind the ALB, and Cognito is used to obtain authentication from a separate corporate AD. Basically all the token/session expiries are left at the default values.

Now we run into a problem. Oftentimes, users see a "401 Not Authorized" message on the screen when the application is put aside for a while. The URL being shown is the Token endpoint of Cognito (here we use <domain>/oauth2/idpresponse) plus the auth code info after that part of the URL. According to the user, he recovered the app by removing the whole part of the URL starting from "/oauth2/idpresponse/...".

We tried to reproduce the issue by manually expiring the AWSELB session cookies in the browser. If it is done long enough after the initial login, we are able to reproduce the exact same issue - the 401.

According to the auth flow indicated by the AWS docs (https://aws.amazon.com/blogs/networking-and-content-delivery/security-best-practices-when-using-alb-authentication/?t), I believe it is a case where the user is deemed unauthenticated and is redirected to the Token endpoint, and that endpoint returns a 401. That is, somewhere in steps 3-4 of the "ALB authentication flow" section of this doc. In this case, the question would be - why is the Token endpoint rejecting the request? When the session cookie is expired (either manually or automatically), it should go through the auth process from step 1. However, we don't see a login screen showing up again, but a direct jump to the Token endpoint URL and a 401.

More info to provide - sometimes, when the session cookies are manually expired, we do see that it does not necessarily go to a 401. We see the cookies being regenerated again, and the application can be used as normal. What I don't understand, though, is that, again, even when the cookies are expired, the user session does not seem to be an unauthenticated one - i.e. it doesn't seem to go through step 1 again, but instead runs through all the steps afterwards and gets the cookies and relevant accesses automatically.

FYI, the workstations accessing the web app are within a corporate environment.

This is such a mysterious case. Any help, or any insight, will be greatly appreciated!

1 Answer

The issue you're experiencing with the ALB (Application Load Balancer) and Cognito authentication setup is complex and involves several components of the authentication flow. Let's break down the problem and provide some insights:

  1. 401 Unauthorized Error: When users see a "401 Not Authorized" message with the Cognito token endpoint URL (/oauth2/idpresponse), it suggests that the authentication flow is failing at the token exchange step. This could happen if the authorization code has expired or is invalid when the ALB tries to exchange it for tokens.

  2. Session Cookie Expiration: The fact that manually expiring the AWSELB session cookies reproduces the issue indicates that the problem is related to session management. When these cookies expire, the ALB should initiate a new authentication flow, starting from step 1 of the process.

  3. Inconsistent Behavior: The inconsistent behavior you're observing (sometimes getting a 401, sometimes regenerating cookies automatically) could be due to timing issues or race conditions in the authentication flow. It's possible that in some cases, the refresh token is still valid and being used to obtain new access tokens silently.

  4. Corporate Environment Factors: Since the workstations are within a corporate environment, there might be network configurations, proxies, or security measures interfering with the authentication flow. These could potentially cause issues with redirects or cookie handling.

Possible explanations and solutions:

  1. Token Expiration Mismatch: Ensure that the expiration times for ALB authentication session, Cognito tokens, and your corporate AD tokens are aligned properly. Mismatched expiration times can lead to scenarios where one component thinks the session is valid while another doesn't.

  2. Refresh Token Usage: Implement a mechanism to use refresh tokens to silently renew the session before the access token expires. This can help prevent the need for a full re-authentication flow.

  3. Error Handling: Improve error handling in your application to catch authentication failures and redirect users to the login page instead of showing a 401 error.

  4. Session Extension: Consider implementing a session extension mechanism that warns users before their session expires and allows them to extend it without a full re-login.

  5. ALB Configuration: Review your ALB authentication rules and ensure they're configured to handle unauthenticated requests properly, redirecting to the login page when necessary.

  6. Cognito Settings: Check your Cognito user pool settings, particularly the token expiration times and refresh token usage.

  7. Network Analysis: Conduct a thorough network analysis to ensure there are no corporate network policies or configurations interfering with the authentication flow.

To resolve the issue:

  1. Implement proper session management and token refresh mechanisms in your application.
  2. Adjust token expiration times to better suit your use case.
  3. Improve error handling to gracefully redirect users to the login page when authentication fails.
  4. Consider implementing a session extension feature to prevent unexpected logouts.
  5. Review and potentially adjust your ALB and Cognito configurations to ensure they align with your authentication requirements.

By addressing these points, you should be able to improve the user experience and resolve the mysterious behavior you're encountering.
Sources
Security best practices when using ALB authentication | Networking & Content Delivery
The hosted UI sign-in endpoint: /login - Amazon Cognito
Authenticate users using an Application Load Balancer - Elastic Load Balancing
Need to warn user prior to cognito session expiration | AWS re:Post
The token revocation endpoint - Amazon Cognito

answered 17 days ago
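As an added illustration of the answer's "Error Handling" point (this is example code, not from the thread or from AWS): a browser-side fetch wrapper that, instead of leaving the user on a 401 from the ALB's `/oauth2/idpresponse` callback, sends the browser back to the application origin so the ALB restarts the authentication flow from step 1, which is what the user did by hand when trimming the URL. It assumes a single-page app served behind the ALB with the callback path from the question; `deps` exists only so the logic can be exercised outside a browser.

```javascript
// Added example, not the project's code. Assumes the ALB OIDC callback path
// is /oauth2/idpresponse (from the question) and that the app is a browser SPA.
const IDP_RESPONSE_PATH = "/oauth2/idpresponse";

// Where to send the browser so the ALB begins a fresh auth flow (step 1).
// If the user is stuck on the callback URL with a stale authorization code,
// go to the app root; otherwise keep the in-app path but drop OAuth params.
function recoveryUrl(currentHref) {
  const url = new URL(currentHref);
  if (url.pathname.startsWith(IDP_RESPONSE_PATH)) {
    return url.origin + "/";
  }
  url.searchParams.delete("code");
  url.searchParams.delete("state");
  return url.toString();
}

// A response means "session gone" when the ALB answered 401 (the failed code
// exchange seen in the question) or when an XHR was redirected to the callback.
function needsReauth(status, finalUrl) {
  if (status === 401) return true;
  try {
    return new URL(finalUrl).pathname.startsWith(IDP_RESPONSE_PATH);
  } catch {
    return false;
  }
}

// fetch wrapper: on a re-auth condition, do a full navigation (not an XHR) so
// the ALB can redirect to the IdP and set new session cookies. Returns null
// when it navigated, otherwise the response. `deps` injects fetch/navigate/href
// for use outside a browser (testing); in a page the globals are used.
async function authFetch(input, init = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((u) => globalThis.location.assign(u));
  const href = deps.href || globalThis.location?.href;
  const resp = await doFetch(input, { credentials: "same-origin", ...init });
  if (needsReauth(resp.status, resp.url)) {
    navigate(recoveryUrl(href));
    return null;
  }
  return resp;
}
```

Note that this only covers requests the application itself makes; a browser that lands directly on the callback URL after a long idle period still needs the user (or a tiny page served on 401) to navigate back to the app origin.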
