How to use a Cognito supplied `access_token` on an ALB HTTPS endpoint?

Question

I want my script to make an HTTPS request on an AWS ALB which uses Cognito.

The Cognito user pool has an App Client that uses Client Credential OAuth Flow.

I have set up a proof-of-concept which appears to allow me to do the following:

curl -X POST \
  https://mydomain.auth.eu-west-1.amazoncognito.com/oauth2/token  \
  -H 'authorization: Basic <mybase64encodedstring>' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&scope=myscope'

and I receive the following response ...

{"access_token":"<a base64 encoded JWT token>","expires_in":3600,"token_type":"Bearer"}

I would now like to make a HTTPS request on the application that is behind the load balancer.

ALBs do not appear to integrate with App Clients that use Client Credentials OAuth flows.

Can I make my request via the ALB and expect the request to denied if the token is invalid, and passed through to the backend application if the token is valid?

Answer 1

Can I make my request via the ALB and expect the request to denied if the token is invalid

ALB is just a load balancer. It performs no payload validation.

I would now like to make a HTTPS request on the application that is behind the load balancer.

What you can use is an API Gateway with an authorizer.

The API Gateway can have an HTTP backend exposed by the ALB. In this configuration the API Gateway can validate and enforce valid JWT access token. See https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html