
I am trying to set up authentication for certain routes using an AWS internet-facing Application Load Balancer.

I've done all the steps from the official AWS documentation, and also from this one: https://www.thorntech.com/2018/09/user-authentication-alb-cognito/

I was testing via the load balancer's DNS name, and it redirects me properly to the Cognito login form, but after I am logged in it redirects back to the load balancer and gives a 500 Internal Server Error. The URL looks like this: https://xxxxx.eu-west-1.elb.amazonaws.com/oauth2/idpresponse?code=.......

Do you know what the causes of this could be, and what else I should configure to make it work?

openid is allowed

Georgij

1 Answer


To answer my own question: the problem is with the security groups. You have to have a security group with port 443 open on your load balancer!

Georgij
  • Can you elaborate please? To/from, etc. The default rules on an ALB sitting in public subnets are to allow inbound 80/443 from 0.0.0.0. No outbound restrictions. What rules did you add aside from these? – ab77 Jan 31 '19 at 19:59
  • Yes, so the ALB needs to be in the public subnet, but the _inbound_ rules are set in the security group, and should allow 80/443. Not sure about the 0.0.0.0, but it should do. Does the traffic go through 443 for you? – Georgij Feb 02 '19 at 16:04
  • 2
    Fir posterity: our ALB was configured with incorrect "email" scope. Changing scope to "openid" on the ALB HTTPS listener rule, fixed our issue. – ab77 Feb 05 '19 at 15:47
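The two misconfigurations named in this thread (no inbound 443 on the ALB's security group, and a Cognito listener rule whose scope omits `openid`) can both be caught from `describe_*` output before anyone hits the login redirect. The check below is an added example, not code from the question or answer; the sample data is constructed in the shape of boto3's `ec2.describe_security_groups()["SecurityGroups"]` and `elbv2.describe_rules()["Rules"]`, and the ARNs and group ids are placeholders.

```python
from typing import Dict, List

# Constructed sample: shape of ec2.describe_security_groups()["SecurityGroups"]
SG_HTTPS_OPEN = [{"GroupId": "sg-example-1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
SG_HTTP_ONLY = [{"GroupId": "sg-example-2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

# Constructed sample: shape of elbv2.describe_rules()["Rules"] for an HTTPS listener
LISTENER_RULES = [
    {"RuleArn": "arn:example:rule/email-only", "Actions": [
        {"Type": "authenticate-cognito", "AuthenticateCognitoConfig": {
            "UserPoolArn": "arn:example:pool", "UserPoolClientId": "client-id",
            "UserPoolDomain": "example-domain", "Scope": "email"}},
        {"Type": "forward", "TargetGroupArn": "arn:example:tg"}]},
    {"RuleArn": "arn:example:rule/openid", "Actions": [
        {"Type": "authenticate-cognito", "AuthenticateCognitoConfig": {
            "UserPoolArn": "arn:example:pool", "UserPoolClientId": "client-id",
            "UserPoolDomain": "example-domain", "Scope": "openid email"}},
        {"Type": "forward", "TargetGroupArn": "arn:example:tg"}]},
]


def sg_allows_inbound_443(security_groups: List[Dict]) -> bool:
    """True if any attached group has an inbound rule covering TCP/443 from some source.
    Cognito's /oauth2/idpresponse callback returns to the ALB over HTTPS, so without
    this the redirect after login cannot be served."""
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            has_source = perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("UserIdGroupPairs")
            if not has_source:
                continue
            if proto == "-1":  # all traffic
                return True
            if proto == "tcp" and perm.get("FromPort", -1) <= 443 <= perm.get("ToPort", -1):
                return True
    return False


def cognito_rules_missing_openid(rules: List[Dict]) -> List[str]:
    """ARNs of listener rules whose authenticate-cognito action lacks the openid scope.
    AWS defaults Scope to "openid" when it is absent; a space-separated list is valid."""
    missing = []
    for rule in rules:
        for action in rule.get("Actions", []):
            if action.get("Type") != "authenticate-cognito":
                continue
            scope = action.get("AuthenticateCognitoConfig", {}).get("Scope", "openid")
            if "openid" not in scope.split():
                missing.append(rule["RuleArn"])
    return missing
```

Feed the real `describe_security_groups` and `describe_rules` responses into these two functions to check a live ALB.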