This site has the 'Authenticate' action on every rule with the 'allow' setting for unauthenticated requests. This means every request that is authenticated will include the information of that user from the OIDC provider. It has a rule for the path '/auth' with 'Authenticate' on it and 'authenticate' as the action for unauthenticated users. The server code is a simple application which looks for the 'X-Amzn-Oidc-Data' HTTP header, which is included by the ALB. It extracts that info, verifies the signature, and includes it in response processing. This site doesn't do anything beyond check if you're logged in or not and then display the keys and their values contained in the data.