By using AWS re:Post, you agree to the Terms of Use

Retrieve access token after logging in to ALB with Cognito


We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request send through the ALB gets an access token added in the X-Amzn-Oidc-Data header which is good. However for our websocket connection to the backend, we need to specify any relevant data in the connectionParams client-side. I see two possible solutions but I am not sure about the implementation:

  1. After logging in with the hosted UI, the AWSELBAuthSessionCookie is set in the browser. If I could exchange that client-side for an access_token, I could just add the token to the connectionParams. However for the token endpoint, I would need the client_id and the client_secret, but I just have the cookie at that point.
  2. Another approach might be to intercept the onConnect request via websockets in a reverse proxy behind the ALB and take the automatically added header X-Amzn-Oidc-Data and write it to the connectionParams. But I am somewhat out of my depth on websocket to know how to do that.

Could anyone help me with option 1 or 2?