I currently have `code` set. However, when I'm redirected, there is no `?code` query parameter in the redirected URL.

I need the auth code so that I can exchange it for a token and authenticate users in my .NET application using the claims values obtained after decoding an access token.
You won't receive an authorisation code when redirected back to your application.
The whole purpose of ALB authentication is that you offload authentication to the ALB. In the background, it gets an auth code, sends it to the IdP token endpoint & processes the tokens received - for you. You don't do anything in your application.
On successful auth, it utilises cookie-based authentication via a secure cookie called `AWSELBAuthSessionCookie` to authenticate your web app with the ALB, with your browser providing the cookie automatically on each request.

That completely covers your app's authentication with the ALB (i.e. there's no `Authorization` header needed here or for you to do anything in your application).
For access to the access token & user information, you will need to use the below HTTP headers added automatically by the ALB:

- `x-amzn-oidc-accesstoken`: access token from the IdP token endpoint, in plain text
- `x-amzn-oidc-identity`: subject claim (`sub`) from the IdP user info endpoint, in plain text
- `x-amzn-oidc-data`: user claims from the IdP user info endpoint (should be identical to the claims that would exist in the ID token - AWS does not provide you with the raw ID token)
You can decode and verify the access token JWT using typical validation methods, i.e. verifying the signature and claims such as the issuer (`iss`), audience (`aud`) and expiration (`exp`). This will depend on your IdP configuration.
You can also do the same for the user claims JWT i.e. verifying the signature and other claims. Note this JWT is created and signed by Cognito with the payload set to the user claims; it is not the ID token provided by Okta. For example, don't try to verify this JWT using Okta-provided key(s) as it won't work - use the Cognito-provided key(s).
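To make the "decode and verify" step concrete for a .NET application, the following is an added example and not code from the answer above or from AWS. It is ASP.NET Core middleware that reads the `x-amzn-oidc-accesstoken` header the ALB forwards, validates the JWT's signature against the IdP's published keys and checks `iss`, `aud` and `exp`, then exposes the verified claims as the request's `ClaimsPrincipal`. It assumes the `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Protocols.OpenIdConnect` NuGet packages, that the IdP publishes OIDC discovery metadata at `<issuer>/.well-known/openid-configuration`, and that the issuer URL and expected audience are supplied from your own configuration (both are hypothetical values here).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the original answer): validates the access token the ALB
// forwards after it has completed the OIDC flow on the application's behalf.
public sealed class AlbAccessTokenMiddleware
{
    private const string AccessTokenHeader = "x-amzn-oidc-accesstoken";

    private readonly RequestDelegate _next;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly string _expectedAudience;

    // issuer: the IdP's issuer URL (assumed configuration value).
    // expectedAudience: the client id registered for the ALB at the IdP (assumed
    // configuration value; which claim carries it depends on the IdP, as the answer notes).
    public AlbAccessTokenMiddleware(RequestDelegate next, string issuer, string expectedAudience)
    {
        _next = next;
        _expectedAudience = expectedAudience;
        // Downloads and caches the IdP's discovery document, including its JWKS signing keys,
        // so signature verification follows the IdP's key rotation automatically.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (!context.Request.Headers.TryGetValue(AccessTokenHeader, out var headerValues))
        {
            // The ALB only adds this header after a successful login. If the application is
            // reachable by any path other than the authenticated ALB listener, a missing (or
            // attacker-supplied) header must never be treated as an authenticated user.
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        var config = await _metadata.GetConfigurationAsync(context.RequestAborted);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // iss must match the IdP
            IssuerSigningKeys = config.SigningKeys, // signature checked with the IdP's JWKS
            ValidAudience = _expectedAudience,      // aud must be our client id
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            ValidateAudience = true,
            ValidateLifetime = true,                // exp (and nbf, if present) enforced
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        ClaimsPrincipal principal;
        try
        {
            // MapInboundClaims = false keeps the raw claim names (e.g. "sub") instead of
            // remapping them to the legacy ClaimTypes URIs.
            var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
            principal = handler.ValidateToken(headerValues.ToString(), parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            // Bad signature, wrong issuer/audience, expired, or not a JWT at all: refuse the
            // request rather than fall back to the unverified plain-text headers.
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // Only claims that survived signature and claim validation reach the application.
        context.User = principal;
        await _next(context);
    }
}

public static class AlbAccessTokenMiddlewareExtensions
{
    // Usage in Program.cs (hypothetical values):
    //   app.UseAlbAccessToken("https://idp.example.invalid", "my-alb-client-id");
    public static IApplicationBuilder UseAlbAccessToken(
        this IApplicationBuilder app, string issuer, string expectedAudience) =>
        app.UseMiddleware<AlbAccessTokenMiddleware>(issuer, expectedAudience);
}
```

The middleware deliberately does nothing with `x-amzn-oidc-identity` or `x-amzn-oidc-data` on its own: both are plain-text headers that anyone who can reach the application without going through the ALB could set, so authorisation decisions should rest on claims that were extracted from a JWT whose signature was verified, as the answer describes.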