Can ALB forward Authorization: Bearer tokens in HTTP(S) request to backend rather than x-amzn-oidc-accesstoken?
The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate.
The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works. FWIW: We are Azure AD as the IdP.
We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC. We are using ClusterRoleBinding to test with Cluster Admin users.
However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the
We had some success with:
alb.ingress.kubernetes.io/configuration-snippet: auth_request_set $token $upstream_http_authorization; proxy_set_header Authorization $token; proxy_pass_header Authorization;
Is this the best way to do this?
Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an
Authorization: Bearer <token>, rather than in a separate header?
Hello, thanks for reaching out!
Currently there is no configuration option change how the ALB utilizes the x-amzn-oidc-* header set for auth tokens. As a result, the solution you have utilized in proxying the Authorization tokens will be the best workaround available.
Forward request to multiple destinationasked 2 months ago
Can ALB forward Authorization: Bearer tokens in HTTP(S) request to backend rather than x-amzn-oidc-accesstoken?asked 2 months ago
How to make ALB seamlessly re-forward to a healthy target?asked 16 days ago
External IDP Tokens in Cognito User Poolsasked 18 days ago
User Pools and Access Tokensasked 2 months ago
bad request in authorization code flowasked a year ago
How can I revoke tokens created through Cognito oauth/token url?asked 2 months ago
Can you edit the data in an Amazon QuickSight dashboard after it's published?Accepted Answerasked a year ago
Unauthenticated Access to Maps Not Working But Authenticated Access isAccepted Answerasked 9 months ago
In AWS Amplify UI React after Login how to redirect to dashboard path login button in home page in react in different pageasked a month ago