By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Retrieve access token after logging in to ALB with Cognito

0

We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request send through the ALB gets an access token added in the X-Amzn-Oidc-Data header which is good. However for our websocket connection to the backend, we need to specify any relevant data in the connectionParams client-side. I see two possible solutions but I am not sure about the implementation:

  1. After logging in with the hosted UI, the AWSELBAuthSessionCookie is set in the browser. If I could exchange that client-side for an access_token, I could just add the token to the connectionParams. However for the token endpoint, I would need the client_id and the client_secret, but I just have the cookie at that point.
  2. Another approach might be to intercept the onConnect request via websockets in a reverse proxy behind the ALB and take the automatically added header X-Amzn-Oidc-Data and write it to the connectionParams. But I am somewhat out of my depth on websocket to know how to do that.

Could anyone help me with option 1 or 2?

Topics
Security, Identity, & ComplianceNetworking & Content DeliveryAWS Well-Architected Framework
Tags
Amazon CognitoElastic Load BalancingSecurityApplication Load Balancer
Language
English
Simon
asked 2 years ago208 views
No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content