ALB Auth

This site has the 'Authenticate' action on every rule with the 'allow' setting for unauthenticated requests. This means every request that is authenticated will include the information of that user from the OIDC provider. It has a rule for the path '/auth' with 'Authenticate' on it and 'authenticate' as the action for unauthenticated users. The server code is a simple application which looks for the 'X-Amzn-Oidc-Data' HTTP header, which is included by the ALB. It extracts that info, verifies the signature, and includes it in response processing. This site doesn't do anything beyond check if you're logged in or not and then display the keys and their values contained in the data.

Previous Next

ALB Authentication Workflow for OIDC IdPs:

1. User sends HTTP request to a website hosted behind Auth enabled ALB
2. ALB checks for session cookie and redirects the user to IdP if session cookie is missing
3. After authenticating with IdP, user returns to ALB with Authentication CODE
4. ALB to authenticate the CODE
5. ALB receives JWT (ID token, Access Token)
6. ALB to send access token
7. ALB receives user info(claims)
8. ALB redirects to original URI with AWSELBAuthSessionCookie
9. User requests new URI with AWSELBAuthSessionCookie
10. ALB validates details, and forward user info to the backends in the HTTP“X-AMZN-OIDC-*” headers set
11. Backends send response back to the user
12. ALB sends final response to client

Resources:

• ALB Authentication Documentation
• ALB Authentication Blog Post
• API references, new data types:
  • AuthenticateCognitoActionConfig
  • AuthenticateOidcActionConfig
• Elastic Load Balancing
• ALB Pricing