By using AWS re:Post, you agree to the Terms of Use
/Can ALB forward Authorization: Bearer tokens in HTTP(S) request to backend rather than x-amzn-oidc-accesstoken?/

Can ALB forward Authorization: Bearer tokens in HTTP(S) request to backend rather than x-amzn-oidc-accesstoken?


The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate.
The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works. FWIW: We are Azure AD as the IdP.
We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC. We are using ClusterRoleBinding to test with Cluster Admin users.
Authentication works.
However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the X-AMZN-OIDC-* header.
We had some success with:
   auth_request_set $token $upstream_http_authorization;
   proxy_set_header Authorization $token;
   proxy_pass_header Authorization;

Is this the best way to do this? Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an Authorization: Bearer <token>, rather than in a separate header?

1 Answers

Hello, thanks for reaching out!

Currently there is no configuration option change how the ALB utilizes the x-amzn-oidc-* header set for auth tokens. As a result, the solution you have utilized in proxying the Authorization tokens will be the best workaround available.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions