I receive an error when I configure authentication in my Application Load Balancer.
Resolution
Misconfigurations of the identity provider (IdP) or of the Application Load Balancer can cause errors when you configure authentication for the Application Load Balancer. Use the following steps, grouped by the error you receive, to troubleshoot authentication errors.
redirect_mismatch
If you're using Amazon Cognito, then set the callback URL to https://<domain>/oauth2/idpresponse. If you're using a different IdP, then set the redirect URI to https://<domain>/oauth2/idpresponse.
Note: Replace <domain> with the domain used to access the Application Load Balancer.
HTTP 401: Unauthorized
Configure the following identically on your Application Load Balancer and IdP:
- Issuer
- Authorization endpoint
- Token endpoint
- Client ID/Client Secret
Also, set "Action on unauthenticated request" to either "Allow" or "Authenticate (client reattempt)", based on your use case.
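The following added example (not from this AWS page) checks the values listed above against what the IdP publishes in its OpenID discovery document, and also checks the callback URL from the redirect_mismatch section. The ALB field names are the real AuthenticateOidcConfig keys; the user info endpoint is compared as well because the load balancer requires it. Both input documents are constructed samples.

```python
"""Compare an ALB authenticate-oidc action with the IdP's discovery document."""

# Constructed sample of an ALB AuthenticateOidcConfig (the key names are the real
# API field names returned by describe-rules; the values are made up).
ALB_OIDC_CONFIG = {
    "Issuer": "https://idp.example.com",
    "AuthorizationEndpoint": "https://idp.example.com/oauth2/authorize",
    "TokenEndpoint": "https://idp.example.com/oauth2/token",
    "UserInfoEndpoint": "https://idp.example.com/oauth2/userinfo",
    "ClientId": "constructed-client-id",
}

# Constructed sample of the IdP's /.well-known/openid-configuration document.
# The token endpoint carries a trailing slash, a typical cause of HTTP 401.
IDP_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token/",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

# ALB field -> discovery document field; these must match exactly.
FIELD_MAP = {
    "Issuer": "issuer",
    "AuthorizationEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserInfoEndpoint": "userinfo_endpoint",
}


def find_mismatches(alb_config, discovery):
    """Return a list of problems; an empty list means the ALB and IdP agree."""
    problems = []
    for alb_key, idp_key in FIELD_MAP.items():
        alb_value, idp_value = alb_config.get(alb_key), discovery.get(idp_key)
        if alb_value != idp_value:
            problems.append(f"{alb_key}: ALB has {alb_value!r}, IdP publishes {idp_value!r}")
    # The load balancer only uses the authorization code grant, so the IdP must
    # support it (the OIDC default when the field is absent includes it).
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("IdP does not support the authorization_code grant")
    return problems


def expected_redirect_uri(alb_domain):
    """Callback URL to register at the IdP for a load balancer reached at alb_domain."""
    return f"https://{alb_domain}/oauth2/idpresponse"


def redirect_uri_ok(registered_uri, alb_domain):
    """True when the URI registered at the IdP is the load balancer's idpresponse URL."""
    return registered_uri == expected_redirect_uri(alb_domain)
```

Feed it the real documents by fetching <issuer>/.well-known/openid-configuration and the AuthenticateOidcConfig from the listener rule; any item in the returned list is something to fix on one side or the other.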
HTTP 500: Internal Server Error
Complete the following steps if you receive an HTTP 500 (Internal Server Error) response:
- Add an outbound rule to the Application Load Balancer's security group that allows traffic to the IdP endpoints over HTTPS (port 443).
- Configure the network access control list (network ACL) rules on each Application Load Balancer subnet to allow traffic to and from the IdP endpoints.
For egress rules, specify: Destination IP: identity provider, Destination port: 443, Allow.
For ingress rules, specify: Source IP: identity provider, Destination port: 1024-65535, Allow.
- Configure the route table to include a route for the Application Load Balancer to access the IdP endpoints.
For public Application Load Balancers and public endpoints, configure an internet gateway route for the route table.
For private Application Load Balancers and private endpoints, configure a network address translation (NAT) gateway for the route table. Or, configure a NAT instance route for the IdP.
For other scenarios, add the appropriate route entries to the route tables of the Application Load Balancer subnets so that the load balancer can reach the IdP endpoints.
- Select a valid OAuth 2.0 grant type. Application Load Balancers support only the authorization code grant to obtain an access token. If a different grant type is configured at the IdP, then the Application Load Balancer generates an error.
Additional HTTP error codes
For troubleshooting additional HTTP error codes generated by Application Load Balancers, see The load balancer generates an HTTP error.
Related information
Simplify login with Application Load Balancer built-in authentication
Authenticate users using an Application Load Balancer
Configuring a user pool app client