Authentication on Application Load Balancer

ALB Auth

Every rule on this site has the 'Authenticate' action with the 'allow' setting for unauthenticated requests. This means every request that is authenticated includes that user's information from the OIDC provider. There is also a rule for the path '/auth' that has the 'Authenticate' action with 'authenticate' as the action for unauthenticated users. The server code is a simple application that looks for the 'X-Amzn-Oidc-Data' HTTP header, which the ALB adds. It extracts that data, verifies the signature, and includes it in response processing. This site does nothing beyond checking whether you are logged in and then displaying the keys and values contained in the data.

UnAuthentication Action

ALB Authentication Workflow for OIDC IdPs:

  1. The user sends an HTTP request to a website hosted behind an auth-enabled ALB
  2. The ALB checks for a session cookie and redirects the user to the IdP if the session cookie is missing
  3. After authenticating with the IdP, the user returns to the ALB with an authentication code
  4. The ALB authenticates the code with the IdP and receives an ID token and an access token
  5. The ALB exchanges the access token for user info (claims) with the IdP
  6. The ALB signs the user info claims and sends them to the backends in HTTP headers
  7. The ALB adds a session cookie to the response to the user
  8. The user sends HTTP requests with the session cookie, and the ALB forwards them directly to the backends with the user claims
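
The backend check on 'X-Amzn-Oidc-Data' described above (step 6 of the workflow), as an added Node.js example that is not this site's own code. It assumes the token layout AWS documents for ALB (ES256, with `signer` and `exp` in the JWT header); the key pair, ARN, `kid` and claims are constructed so the block runs offline.

```javascript
// Added example (not the demo site's code): verify an ALB-signed X-Amzn-Oidc-Data value.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const decodeJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns the user claims, or throws if the token should not be trusted.
// publicKeyPem: key for the token's `kid`; in production it is fetched from
//   https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and cached.
// expectedSigner: ARN of the load balancer this backend sits behind.
function verifyOidcData(token, publicKeyPem, expectedSigner, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = decodeJson(h);
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  // Reject tokens minted by a different load balancer.
  if (header.signer !== expectedSigner) throw new Error("unexpected signer");
  // JWT ES256 signatures are raw r||s (IEEE P1363), not DER.
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!valid) throw new Error("bad signature");
  // Assumption: `exp` is carried in the JWT header, as AWS documents for ALB.
  if (typeof header.exp !== "number" || header.exp <= nowSec) throw new Error("expired");
  return decodeJson(p);
}

// Constructed sample data: a local P-256 key pair stands in for the ALB's key.
function signSample(privateKey, header, claims) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64url(sig)}`;
}

const SIGNER = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0123456789abcdef"; // placeholder
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const PUBLIC_PEM = publicKey.export({ type: "spki", format: "pem" });
const SAMPLE_HEADER = { alg: "ES256", kid: "constructed-kid", signer: SIGNER, exp: 4102444800 };
const SAMPLE = signSample(privateKey, SAMPLE_HEADER, { sub: "user-123", email: "user@example.com" });

console.log(verifyOidcData(SAMPLE, PUBLIC_PEM, SIGNER)); // claims of the constructed token
```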


We also have cats


Blog Post

Read the Blog Post from the launch of Authentication on Application Load Balancer