As per the following documentation[1], in the authentication flow when authenticating a website, the Application Load Balancer is expecting the user to hit the load balancer first. ALB Authentication works by defining an authentication action in a listener rule. The ALB's authentication action will check if a session cookie exists on incoming requests, then check that it's valid. If the session cookie is set and valid then the ALB will route the request to the target group with X-AMZN-OIDC-* headers set. The headers contain identity information in JSON Web Token (JWT) format that a backend can use to identify a user. If the session cookie is not set or invalid then the ALB will follow the OIDC protocol and issue an HTTP 302 redirect to the identity provider. At this point the Authentication flow will be followed and the Session cookie will be updated with the latest authentication information.
You can also review the following blog post[2] for a more detailed breakdown on how Application Load Balancer authentication works.
To answer your question "That is, what would be the behavior if I signed in from Cognito's hosted UI instead of accessing the ALB's domain?": as the client has not initially tried to access your website, the Load Balancer is not aware of where the client is trying to access behind the load balancer and the request will be unexpected. The Load Balancer "oauth2/idpresponse" endpoint exists to handle the Auth Code Exchange with the Cognito Token endpoint, and forward the client back to the original URI once the communication between Cognito and the Load Balancer is complete.
[1] Authenticate users using an Application Load Balancer - Authentication flow - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow
[2] Simplify Login with Application Load Balancer Built-in Authentication - https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/
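The X-AMZN-OIDC-* headers mentioned in the answer carry identity information as a JWT that the ALB itself signs, so a backend that identifies users from them has to confirm the token really came from its own load balancer before trusting the claims. The following is an added example, not code from the answer, from AWS, or from the documentation it cites: it simulates the ALB minting an x-amzn-oidc-data value with a constructed key pair, then validates it the way the documentation describes (signer ARN, expiry, and ES256 signature under the key selected by kid). The P-256 arithmetic is written inline so the block runs offline; the Cognito issuer, client id, kid, signer ARN, claims and the dictionary-backed key resolver are constructed placeholders.

```python
"""Validate the x-amzn-oidc-data JWT an ALB authenticate-oidc action sets (added example, not AWS code)."""
import base64
import hashlib
import json
import secrets

# NIST P-256 params; ALB signs with ES256 on this curve. Pure Python: runs offline, not constant-time.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)

def ec_mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def b64url_encode(raw, pad=False):
    s = base64.urlsafe_b64encode(raw).decode()
    return s if pad else s.rstrip("=")

def b64url_decode(s):
    # ALB emits padded base64 where standard JWS omits the padding; accept either form.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def es256_sign(priv, signing_input):
    """ECDSA P-256/SHA-256 in JWS form: raw r||s, 64 bytes."""
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    while True:
        k = secrets.randbelow(P256_N - 1) + 1
        r = ec_mul(k, P256_G)[0] % P256_N
        s = pow(k, -1, P256_N) * (z + r * priv) % P256_N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def es256_verify(pub, signing_input, sig):
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < P256_N and 0 < s < P256_N):
        return False
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    w = pow(s, -1, P256_N)
    X = ec_add(ec_mul(z * w % P256_N, P256_G), ec_mul(r * w % P256_N, pub))
    return X is not None and X[0] % P256_N == r

def simulate_alb_token(priv, kid, signer, claims, exp):
    """Stand-in for the ALB: mint an x-amzn-oidc-data value with padded segments, as ALB does."""
    header = {"typ": "JWT", "alg": "ES256", "kid": kid, "signer": signer, "exp": exp,
              "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",  # constructed
              "client": "example-client-id"}  # constructed
    h, p = (b64url_encode(json.dumps(x).encode(), pad=True) for x in (header, claims))
    sig = es256_sign(priv, f"{h}.{p}".encode())
    return f"{h}.{p}.{b64url_encode(sig, pad=True)}"

def validate_alb_oidc_data(token, expected_signer, resolve_key, now):
    """Return the identity claims if this ALB signed the token and it is unexpired; else raise.
    resolve_key(kid) -> (x, y) public point; production fetches/caches the key AWS serves per kid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Only this load balancer's ARN may sign; otherwise another ALB could mint identities for us.
    if header.get("signer") != expected_signer:
        raise ValueError("unexpected signer")
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg")
    # 2. ALB carries the expiry in the JWT header, not in the payload.
    if int(header.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # 3. Verify over the segments exactly as received; never re-encode them first.
    pub = resolve_key(header.get("kid"))
    if pub is None:
        raise ValueError("unknown kid")
    if not es256_verify(pub, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))
```

In a real backend the resolver fetches the PEM public key from https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and caches it by kid. The headers only mean something when the request actually passed through the ALB, so the targets must accept traffic solely from the load balancer (for instance via security groups); a caller that can reach a target directly could otherwise set X-AMZN-OIDC-* headers itself.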
This is a good explanation, but there is another issue related to this, when you log out using the redirect_uri method as described here: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
response_type=code&
client_id=ad398u21ijw3s9w3939&
redirect_uri=https://YOUR_APP/redirect_uri&
state=STATE&
scope=openid+profile+aws.cognito.signin.user.admin
This does redirect to the login page, but signing in from here redirects you to https://<DOMAIN>/oauth2/idpresponse?code=<XXXXXXXXXXXXX>&state=STATE and it shows 401.
While if you go to your domain, it will show the logged-in page secured with the ALB. If you log out and go to the domain with the ALB, it does take you to the login page and from there you can log in just fine.
Earlier when I set it up, the login was working from the logout page as well as the hosted UI page. But now it's not working from the hosted UI or the logout redirect_uri page. But it is working fine with the ALB.
We don't need to use the hosted UI, but users do want to re-login after logout.
Can you please tell me what could be the issue?
Hi, bro: I encountered the same problem. How can I solve it? Thanks.
Thank you for your response.
Your very detailed explanation helped me to understand. I understood that the Hosted UI is not supposed to be accessed directly, and therefore it is an error.
We will close this case with what you have explained. Thank you very much.