Authentication on


Application Load Balancer

ALB Auth

This site has the 'Authenticate' action on every rule with the 'allow' setting for unauthenticated requests. This means every request that is authenticated will include the information of that user from the OIDC provider. It has a rule for the path '/auth' with 'Authenticate' on it and 'authenticate' as the action for unauthenticated users. The server code is a simple application which looks for the 'X-Amzn-Oidc-Data' HTTP header, which is included by the ALB. It extracts that info, verifies the signature, and includes it in response processing. This site doesn't do anything beyond check if you're logged in or not and then display the keys and their values contained in the data.

ALB Authentication Workflow for OIDC IdPs:

  1. User sends HTTP request to a website hosted behind Auth enabled ALB
  2. ALB checks for session cookie and redirects the user to IdP if session cookie is missing
  3. After authenticating with IdP, user returns to ALB with Authentication CODE
  4. ALB to authenticate the CODE
  5. ALB receives JWT (ID token, Access Token)
  6. ALB to send access token
  7. ALB receives user info(claims)
  8. ALB redirects to original URI with AWSELBAuthSessionCookie
  9. User requests new URI with AWSELBAuthSessionCookie
  10. ALB validates details, and forward user info to the backends in the HTTP“X-AMZN-OIDC-*” headers set
  11. Backends send response back to the user
  12. ALB sends final response to client

Resources:

We also have cats

Cat

Blog Post

Read the Blog Post from the launch of Authentication on Application Load Balancer