AWS ALB Authentication with OKTA OIDC using Terraform

Marcin Cuber
4 min read · Apr 24, 2020


Configuration of AWS Application Load Balancer Authentication with OKTA OIDC. Templating AWS resources using Terraform.

Introduction

For a while now, AWS Application Load Balancers (ALB) have had built-in authentication support. They can securely authenticate users as they access applications, letting developers drop the authentication code they would otherwise have to write and moving the responsibility for authentication off the backend.

The following use cases are supported:

  • Authenticate users through an identity provider (IdP) that is OpenID Connect (OIDC) compliant, I use OKTA for that purpose.
  • Authenticate users through well-known social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito.
  • Authenticate users through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.

Advantages of using Authentication:

  • Authentication verifies identity.
  • Authorisation verifies permissions, the things an identity is allowed to do.
  • OpenID Connect (OIDC) is a simple identity (authentication) layer built on top of the OAuth 2.0 protocol.
  • Identity Providers (IdPs) manage identity information and provide authentication services. ALB supports any OIDC compliant IdP.

Implementation Requirements

Recently I had to re-write application infrastructure so that all service EC2 instances sit behind a Load Balancer. Additionally, I had to add an authentication layer so that only authorised people can access the application. For that reason I used Okta, which we already use for single sign-on.

Details: Okta

Note that for this setup I am using my personal Okta developer account.

Create an OpenID application:

Your general settings after saving should look like:

and of course credentials (the ones in the screenshot are only for demonstration):

Don’t forget to assign users/groups to your application:

Finally you require authorisation servers feature:

From there you can select the default server:

Summary

You will end up with the following endpoints:

Server details:

Issuer Endpoint (authorisation server) -> https://dev-512482.okta.com/oauth2/default
Authorisation Endpoint -> https://dev-512482.okta.com/oauth2/default/v1/authorize
Token Endpoint -> https://dev-512482.okta.com/oauth2/default/v1/token
User Info Endpoint -> https://dev-512482.okta.com/oauth2/default/v1/userinfo

Application details:

Client ID -> 0oa3oim3c2usVmWet357
Client Secret -> 6P2n1QXIoZ02Hg5vJEWTiZ6dhmDb1P4tU4d6kfyT

Application Load Balancer configuration

Assuming your load balancer and related resources are already correctly configured, you can now use Terraform to deploy the listener settings. The crucial settings are in the default_action block with type authenticate-oidc; the second default_action (type forward) is only reached once authentication has succeeded.

resource "aws_lb_listener" "alb_443" {
  load_balancer_arn = module.alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = var.alb_certificate_arn

  # First action: authenticate every request against Okta before anything else happens.
  default_action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "https://dev-512482.okta.com/oauth2/default/v1/authorize"
      client_id              = "0oa3oim3c2usVmWet357"
      # Demonstration value only; in real code pass the secret in as a variable rather than committing it.
      client_secret          = "6P2n1QXIoZ02Hg5vJEWTiZ6dhmDb1P4tU4d6kfyT"
      issuer                 = "https://dev-512482.okta.com/oauth2/default"
      token_endpoint         = "https://dev-512482.okta.com/oauth2/default/v1/token"
      user_info_endpoint     = "https://dev-512482.okta.com/oauth2/default/v1/userinfo"

      session_cookie_name        = "AWSELBAuthSessionCookie"
      session_timeout            = "300"
      scope                      = "openid profile"
      on_unauthenticated_request = "authenticate"
    }
  }

  # Second action: forward to the target group, evaluated only after authentication succeeds.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg.arn
  }
}
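The listener above, and the endpoint summary in the previous section, show every Okta value typed out literally, including the client secret. As an added example (not code from the original post), here is the same listener with the issuer and client credentials supplied as variables and the three OIDC endpoints derived from the issuer, which is how the Summary section's URLs relate to each other (each is the issuer plus /v1/authorize, /v1/token or /v1/userinfo). The variable names prefixed okta_, the validation rule, and the module.alb / aws_lb_target_group.tg references are assumptions; the sensitive attribute needs Terraform 0.14 or later.

```hcl
# Added example, not from the original post. Assumes an existing module.alb,
# aws_lb_target_group.tg and var.alb_certificate_arn as on the page.

variable "okta_issuer" {
  description = "Okta authorisation server issuer, e.g. https://dev-512482.okta.com/oauth2/default"
  type        = string

  # Assumed check: the issuer must be HTTPS and must not carry a trailing slash,
  # otherwise the derived endpoints below would be malformed.
  validation {
    condition     = can(regex("^https://[^/]+/oauth2/[^/]+$", var.okta_issuer))
    error_message = "okta_issuer must look like https://<org>.okta.com/oauth2/<server> with no trailing slash."
  }
}

variable "okta_client_id" {
  type = string
}

variable "okta_client_secret" {
  type      = string
  sensitive = true # redacts the value in plan/apply output (Terraform >= 0.14)
}

locals {
  # Okta authorisation servers expose the standard v1 endpoints under the issuer,
  # which is exactly the relationship shown in the endpoint summary above.
  okta_authorize_endpoint = "${var.okta_issuer}/v1/authorize"
  okta_token_endpoint     = "${var.okta_issuer}/v1/token"
  okta_userinfo_endpoint  = "${var.okta_issuer}/v1/userinfo"
}

resource "aws_lb_listener" "alb_443" {
  load_balancer_arn = module.alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = var.alb_certificate_arn

  # Action 1: a request without a valid ALB session cookie is redirected to Okta.
  default_action {
    type  = "authenticate-oidc"
    order = 1

    authenticate_oidc {
      issuer                 = var.okta_issuer
      authorization_endpoint = local.okta_authorize_endpoint
      token_endpoint         = local.okta_token_endpoint
      user_info_endpoint     = local.okta_userinfo_endpoint
      client_id              = var.okta_client_id
      client_secret          = var.okta_client_secret

      scope                      = "openid profile"
      session_cookie_name        = "AWSELBAuthSessionCookie"
      session_timeout            = 300
      on_unauthenticated_request = "authenticate"
    }
  }

  # Action 2: reached only after action 1 has authenticated the user.
  default_action {
    type             = "forward"
    order            = 2
    target_group_arn = aws_lb_target_group.tg.arn
  }
}
```

Two things worth knowing about this shape: sensitive = true only hides the secret in CLI output, the value is still written to Terraform state, so the state backend itself needs to be encrypted and access-restricted; and because the endpoints are derived from the issuer, switching from the default authorisation server to a custom one is a single variable change rather than four edits that can drift apart.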

The above configuration produces the following view in the console (the ALB name and target group are not important here):

Settings configured by Terraform:

Conclusion

This is the full setup for an Application Load Balancer to authenticate users with an Okta application together with an Okta authorisation server. The setup works very well and I have not hit any issues.

Note that this integration requires purchasing “API Access Management” in Okta, which is the option that activates authorisation servers.

I hope this guide will help you guys! Farewell :)

Sponsor Me

As with any other story on Medium written by me, I performed the tasks documented. This is my own research and the issues I have encountered.

Thanks for reading everybody. Marcin Cuber


Marcin Cuber

Principal Cloud Engineer, AWS Community Builder and Solutions Architect