By using AWS re:Post, you agree to the AWS re:Post Terms of Use

(resolved) Why am I getting a 401 error when signing in from Cognito's hosted UI?

0

Thank you for all your help.

I would appreciate it if you could tell me if you know about the following events.

【Question】
Why do I get a 401 Authorization Required error when signing in from Cognito's hosted UI when integrating Cognito and ALB?

【Specific situation】
We have verified the integration between Cognito and ALB following the procedure in the following blog. [1]

[1] I added authentication with Cognito to an environment where content is delivered with EC2 and ALB | DevelopersIO
https://dev.classmethod.jp/articles/cognito-alb-secret/

The procedure itself was all successful, but I had a personal concern.
That is, what would be the behavior if I signed in from Cognito's hosted UI instead of accessing the ALB's domain?

I actually created a user in Cognito and clicked the "View Hosted UI" button from the Cognito console.

The sign-in page appeared, so I signed in as a Cognito user and changed my password.

However, the screen that appeared after the password change showed only 401 Authorization Required.

After that, I tried accessing the ALB domain, and this time the EC2 page behind ALB was displayed correctly.

This does not happen when signing in at the ALB domain, but only when accessing from the Cognito hosted UI.

[Regarding the attached file]
・401 Authorization Required screen
Enter image description here

・Button to display Cognito's hosted UI
Enter image description here

・Allowed callback URLs Enter image description here

We would be grateful if you could enlighten us on the above.

profile picture
asked 2 years ago5.1K views
3 Answers
2
Accepted Answer

As per the following documentation[1], the authentication flow for when authenticating a website, the Application Load Balancer is expecting the user to hit the load balancer first. ALB Authentication works by defining an authentication action in a listener rule. The ALB's authentication action will check if a session cookie exists on incoming requests, then check that it's valid. If the session cookie is set and valid then the ALB will route the request to the target group with X-AMZN-OIDC-* headers set. The headers contain identity information in JSON Web Token (JWT) format, that a backend can use to identify a user. If the session cookie is not set or invalid then ALB will follow the OIDC protocol and issue an HTTP 302 redirect to the identity provider. At this point the Authentication flow will be followed and the Session cookie will be updated with the lastest authentication information.

You can also review the following blog post[2] for a more detailed breakdown on how Application Load Balancer authentication works.

To answer your question "That is, what would be the behavior if I signed in from Cognito's hosted UI instead of accessing the ALB's domain?", as the client has not initially tried to access your website, the Load Balancer is not aware of where the client is trying to access behind the load balancer and the request will be unexpected. The Load Balancer "oauth2/idpresponse" endpoint exists to handle the Auth Code Exchange with the Cognito Token endpoint, and forward to client back to the original URI once the communication between Cognito and the Load Balancer is complete.


[1] Authenticate users using an Application Load Balancer - Authentication flow - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow

[2] Simplify Login with Application Load Balancer Built-in Authentication - https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

AWS
SUPPORT ENGINEER
answered 2 years ago
profile picture
EXPERT
reviewed 5 months ago
  • Thank you for your response.

    Your very detailed explanation helped me to understand. I understood that the Hosted UI is not supposed to be accessed directly, and therefore it is an error.

    We will close this case with what you have explained. Thank you very much.

0

This is a good explanation but there is another issue related to this, when you logout using redirect uri method as described here https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
   response_type=code&
   client_id=ad398u21ijw3s9w3939&
   redirect_uri=https://YOUR_APP/redirect_uri&
   state=STATE&
   scope=openid+profile+aws.cognito.signin.user.admin 

This does redirect to login page, but signin in from here redirects you to https://<DOMAIN>/oauth2/idpresponse?code=<XXXXXXXXXXXXX>&state=STATE And it shows 401.

While if you go to your domain, it will show the logged in page secured with ALB. If you logout and go to the domain with ALB, it does takes you to login page and from there you can login just fine.

Earlier when I set it up, the login was working from logout page as well as hosted UI page. But now it's not working from hosted UI or logout redirect uri page. But working fine with ALB.

We don't need to use the hosted UI, but users do wanna re login after logout.

Can you please tell me what could be the issue.

answered 2 years ago
0
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions