5

I have done following configurations

  1. Created loadbalancer
  2. Created user pool
  3. created client with secret and enabled authorization code grant and openid scope

Configured authentication in loadbalancer with above created resource details

  1. Created a listener rule with cognito authentication
  2. Added needed configuration including scope as openid
  3. Configured deny for unauthenticated requests

Problem is when I call the loadbalancer url with the id token or access token(as cookies) that is retrieved from another app client configured to application, The loadbalancer is returning 401

When I try the the configuration authenticate for unauthenticated request. I was able to successfully call the loadbalancer url where I am getting success response(loadbalancer will redirect to cognito login and after successfull login, loadbalancer will set the cookies).

The cookie that being set in the success scenario is being sharded

The cookie entry were like cookie_name-0 and cookie_name-1 (Which I do not know how to reproduce/recreate manually)

The below excerpt from aws docs confirms above sharding behaviour

The load balancer creates the authentication session cookie and sends it to the client so that the client's user agent can send the cookie to the load balancer when making requests. Because most browsers limit a cookie to 4K in size, the load balancer shards a cookie that is greater than 4K in size into multiple cookies. If the total size of the user claims and access token received from the IdP is greater than 11K bytes in size, the load balancer returns an HTTP 500 error to the client and increments the ELBAuthUserClaimsSizeExceeded metric.

  1. How can I successfully call the loadbalancer url with the configuration for unauthenticated request as deny where I need to set the cookie manually?
  2. Manually generated id token/ access token length are around 1k in size, why the loadbalancer retrieved token exceeds 4k in size?

Reference - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-flow

https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/

Vinujan.S
  • 1,199
  • 14
  • 27

1 Answers1

10

I think what you're trying to do is this: you're getting JWT tokens from cognito, and you want to use them to authenticate a web request through ALB that is using cognito authentication checks. Which is to say you're trying to find some way to generate the AWSELBAuthSessionCookie cookies yourself, or craft a call to /oauth2/idpresponse so that the ALB sets these cookies.

Short answer: You can't as of June 2021.

Here's the answer I got from AWS support on this issue, where I'm trying to get a python client to call through ALB with cognito JWT tokens:

As per the design, automated clients ( such as your python script ) will not be in position to utilize this ALB functionality. Further ALB will not accept any JWT tokens passed by clients in the request. This is to prevent any kind of replay attacks while communicating with load balancer. ALB will only initiate the authentication process if client request triggers authentication rule.

Seems the only way to get those ALB cookies set is by having a web browser open the auth page. Sorry. Cognito sucks. Open standards my ____.

Leopd
  • 41,333
  • 31
  • 129
  • 167