Amazingly explained and worked like a charm for me. Thanks a lot, Kate!
Great to hear!
You are the BEST, what a professional presenter, love to see again and again.
Very nice tutorial, and I like the way you presented it in a simplistic way.
In the response headers, if you are using SAML to receive Azure AD info, do you still get the Amazon headers x-amzn-oidc* or do you have to use OpenID Connect to receive these HTTPS response headers? Currently, I get the Microsoft login and it authenticates, but I need to retrieve the user profile information for my application. The load balancer or Cognito never gives me the correct headers. Do you have any ideas or articles that I can read on how the container/application can get the user who is signed in?
This is great! How do you use it for a Streamlit application behind an ALB using Okta SAML? I keep getting an error.
Cognito is trying to redirect me to an unexpected page after signing in, it goes to /oauth2/idpresponse? Any idea what could be going wrong?
Thanks a lot
Most welcome. Thanks for checking it out.
Does this apply to the API calls ?
Great tutorial :) Is there a way to get the username of the logged in user?
"After your load balancer authenticates a user successfully, it sends the user claims received from the IdP to the target. The load balancer adds the following HTTP headers: x-amzn-oidc-accesstoken, x-amzn-oidc-identity, x-amzn-oidc-data". You will find the info you are looking for in one of those headers. Here is the article, scroll down to section "User claims encoding and signature verification": docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
Hope this helps.
@kateryabtseva2406 This is helpful.
Perfect! Saved me a lot of time!
So glad to hear that! Thanks for letting us know.
The Cognito service is not available in the region where the rest of my services are. Can I use the ALB to call the Cognito service from a different region and serve the purpose, supposing there are no data residency restrictions?
I am not sure, I suppose it's something you can experiment with.
I'm getting 'Client is not enabled for OAuth2.0 flows.' after the redirection to Cognito and entering the credentials.
Any idea?
My EC2 is Elastic Beanstalk, and I used it with ALB. Cognito is defined as described.
It is possible that the Allowed OAuth Flows are not set up properly in the App Client Settings of your user pool. Check out 18m46s in the video. Do you have 'Authorization code grant' and 'openid' checked under OAuth 2.0 settings?
Hi,
Actually, we are able to do all these processes successfully, but once the login is done from the hosted UI, it returns to our application login page (can we define our application page?). Also, we cannot do anything until we have the Cognito JWT token. Is it possible to get the Cognito JWT token from the load balancer?
Hi @Keshav Phine. The ALB sends X-Amzn-Oidc-* headers to the application. In those headers you will find the user identifier, the access token, and the JWT.
Great vid showing the full process. Thanks for that. I can get it working only with the ALB DNS record. As soon as I try to use a custom domain with a CNAME the /oauth2/idpresponse will return a 500. This despite updating cognito, listeners etc... Did you get it working successfully with a custom domain name? Thanks again
@dbleyou, thanks for the comment. We have this working with a custom domain. But we're using a Route53 A Record (Alias set to "yes"). And the Alias Target points to the ALB DNS (but prepended with "dualstack"). Not sure if this makes a difference. I don't see anything domain name related in the settings, other than a valid ACM SSL cert.
@robertchen2724 Thanks for the tip, but I just got the feedback from AWS support. If the rule has a priority higher than 32000, auth will fail... Talk about a hidden bug. As soon as I reduced the priority it was just fine. :)
@dbleyou Thanks for sharing the solution. The limit on the rule priority is good to know -- I never would have figured that one out.
@dbleyou Where do you adjust the priority in the console?
@Marlon McBride Through the CLI. It's not exposed in the GUI.
Do you think there's a way to authenticate Users from a UserPool in another AWS account (i.e., cross account authentication)?
Hi @Paul John Argarin, I haven't done this myself. I think you will need to configure your AWS Cognito as OIDC (medium.com/@robert.broeckelmann/openid-connect-authorization-code-flow-with-aws-cognito-246997abd11a). Then in the ALB rules under authorization, you will need to select OIDC instead of Cognito (www.onelogin.com/blog/aws-alb-openid-connect). You can try this out and see if it works. It'd be awesome if you let us know the outcome.
I've got code that deletes the cookies but the headers that contain Data and Access tokens still have the information so expiring the AWSELBAuthSession cookies does not force a re-login. How is this done? In other words, how do you get Cognito to truly expire the session?
Hi @Robert Tomlin, there are two steps for the logout:
1. Set the expiration time of the authentication session cookie to -1 (this is done server side);
2. Redirect the client to the IdP logout endpoint (35:26).
AWS recommends configuring the expiration time of the cookie to be as short as possible for your particular case.
Also, check out this doc about the logout and session timeout: docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout
Call Cognito's GlobalSignOut API from your application, which will invalidate or revoke the access token, and then use your script to clear the token, which will work.
If you have any doubts, you can reach out to me at v.lokeshkumar99@gmail.com
Hello. I keep getting either a 500 or 503 error when navigating to the ALB site. Any recommendations?
Hi Marlon, are you still experiencing this issue?
Ekaterina Ryabtseva No. Now I’m able to get the login page but only if HTTP is allowed in the ALB SG. When I try to force access through the ALB using HTTPS it doesn’t work.
Hi Kate. I was able to get it working tonight. I guess a vacation is all it takes sometimes. 😂 Thanks for taking the time to help me.
I do have another question... is it possible to force authentication on multiple pages with this current architecture? In other words, have more than one secret page.
@marlonmcbride6293 Yeah, you just need to specify the paths in your ALB rules (23:57).
For the sign-out, how can I set the expiration date to -1? Is it through JavaScript?
Hello @lmlvespa1234, you will have to clear the authentication session cookie and redirect to the IdP logout endpoint from your back-end application (we tried it with front-end JavaScript and it didn't work).
@ThornTechnologies Got it. The auth session ID is an HTTP cookie, so it can't be deleted from JavaScript. I did it from the backend and it worked. Thanks for your help.
@lmlvespa1234 Hello, could you please give me an idea of how you did it from the backend?
How do we request a REST endpoint? Any alternative for a REST API?
Hi Erdinç Özden, could you please provide a bit more information about what you are trying to do?
Hi @ekaterir, I have a Swagger API and I want to make requests with curl or Postman, but I don't know how to access the access_token.
@erdincozden Check out this documentation: docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
How would we log out from that page?
There are two steps for the logout:
1. Set the expiration time of the authentication session cookie to -1 (this is done server side);
2. Redirect the client to the IdP logout endpoint (35:26).
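The two logout steps listed here (and in the earlier reply to Robert Tomlin, which also notes the cookie must be cleared from the back end), as an added Go handler that is not code from the video: it assumes the ALB's default session cookie name prefix AWSELBAuthSessionCookie and Cognito's hosted-UI /logout endpoint with client_id and logout_uri; the domain, client ID and sign-out URL in the test are placeholders.

```go
package main
import (
	"net/http"
	"net/url"
	"strings"
)
// SessionCookiePrefix is the assumed default name of the ALB authentication session cookie;
// the ALB splits a large session into AWSELBAuthSessionCookie-0, -1, ..., so all are matched.
const SessionCookiePrefix = "AWSELBAuthSessionCookie"

// LogoutConfig holds the Cognito hosted-UI values (placeholders in the test, not the video's).
type LogoutConfig struct {
	CognitoDomain string // user pool domain, e.g. https://<prefix>.auth.<region>.amazoncognito.com
	ClientID      string // app client ID
	LogoutURI     string // must be registered as a sign-out URL on the app client
}

// LogoutURL is the IdP logout endpoint of step 2: Cognito's /logout with client_id and logout_uri.
func (c LogoutConfig) LogoutURL() string {
	q := url.Values{"client_id": {c.ClientID}, "logout_uri": {c.LogoutURI}}
	return strings.TrimRight(c.CognitoDomain, "/") + "/logout?" + q.Encode()
}

// ExpireSessionCookies is step 1, done server side because the cookie is HttpOnly: every
// session cookie the browser presented is overwritten with an already-expired copy. Name and
// Path must match the ALB-set cookie or the browser keeps the original. Returns the count.
func ExpireSessionCookies(w http.ResponseWriter, r *http.Request) int {
	n := 0
	for _, ck := range r.Cookies() {
		if !strings.HasPrefix(ck.Name, SessionCookiePrefix) {
			continue // leave the application's own cookies alone
		}
		// MaxAge < 0 makes Go emit Max-Age=0, i.e. "expire now" (the -1 of the reply above).
		http.SetCookie(w, &http.Cookie{Name: ck.Name, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
		n++
	}
	return n
}

// Handler wires both steps: expire the ALB session, then redirect to the IdP logout endpoint.
func (c LogoutConfig) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ExpireSessionCookies(w, r)
		w.Header().Set("Cache-Control", "no-store")
		http.Redirect(w, r, c.LogoutURL(), http.StatusFound)
	})
}
```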
I am getting a redirect_mismatch error. Can you please help me?
Hello! Are you getting this error when trying to log in?
The problem is most likely in the callback URL (18m40s). The callback URL has the following structure: DNS/oauth2/idpresponse where DNS is the domain name of your application load balancer.
You will also need to make sure that under the Allowed OAuth Flows, the Authorization code grant is checked along with the openid scope.
Let us know if you are still having issues with this error.
@ThornTechnologies Actually, I got it right after that. I am using a custom domain name to pass the request through the LB, so the callback should use the custom domain name instead of the LB DNS name. Anyhow, thanks for the reply.
I have another concern: there is an optional parameter option, as a key-value pair, while creating authentication in the rules for listeners. What is the use of that option?
That option is probably for tagging your resources and managing them later.
WARNING: if you enabled required attributes, you can't later change your mind. If you are already in production, then bad luck... you will have to learn about migration Lambda functions. It's not fun just to disable require phone_number. If you plan to use sign-in with Facebook, do NOT enable require phone_number.
Once authenticating, I am getting: "RedirectUri is not registered with the client". Any idea what might be missing?
The problem might be the callback URL in the user pool's app client settings. Take a look at 18m40s in the video. The callback URL has the following structure: DNS/oauth2/idpresponse, where DNS is the domain name of your application load balancer. Note that https is required. After a successful sign-in, the user will be redirected to that URL. Let us know if you are still having errors.
@ThornTechnologies Still facing the issue. I have checked the callback URL and it has the complete path, including /outh2/idpresponse. What else can be the issue?
@ansh1ta Before we research some more on the topic, could you please double-check that your callback URL has oauth2 instead of outh2.