AWS Load Balancer Auth


AWS recently added the functionality to authenticate a user on the load balancer and have the authenticated and hydrated user details in the request header.

I wasn’t able to decode the object that comes from the load balancer even though it will decode on jwt.io. The example AWS give is in Python but should be straightforward enough to decode the token.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Has anyone attempted to decode the x-amzn-oidc-data header using jwt.decode?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 12 (4 by maintainers)

Top GitHub Comments

15 reactions
morganabel commented, Feb 6, 2019

@daerion I found a way to make this work, but it’s not pretty…

Basically, the verify method in this library won’t work, but the signature can be verified using the underlying node-jwa library. Then you just have to check things like is the token still valid (I am only checking if token is not expired):

const base64Url = require("base64url");
const jwt = require("jsonwebtoken");
const jws = require("jws");
const fetch = require("node-fetch").default;

async function verifyToken(token) {
  // Convert the token to unpadded base64url so that jwt.decode can parse it.
  const base64UrlToken = base64Url.fromBase64(token);
  const decoded = jwt.decode(base64UrlToken, { complete: true });
  if (!decoded) {
    // Not a parseable JWT.
    return null;
  }

  // The header names the key id and the ARN of the signing load balancer;
  // the region is the fourth field of that ARN.
  const { kid, signer } = decoded.header;
  const region = signer.split(":")[3];

  const uri = `https://public-keys.auth.elb.${region}.amazonaws.com/${kid}`;

  console.log(`Fetching key at: ${uri}`);

  const response = await fetch(uri);
  if (!response.ok) {
    throw new Error(`Key fetch failed with HTTP ${response.status}`);
  }
  const key = await response.text();

  console.log(key);

  try {
    // Verify the signature over the original token, using jws directly.
    const verify = jws.verify(token, "ES256", key);
    if (!verify) {
      return null;
    }

    const clockTimestamp = Math.floor(Date.now() / 1000);
    if (clockTimestamp >= decoded.header.exp) {
      // Token expired.
      return null;
    }
  } catch (err) {
    console.error(err);
    throw err;
  }

  return decoded.payload;
}
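
A stricter variant of the approach in the comment above, as an added example that is not part of the original thread or of the libraries it uses: it checks the `signer` and `kid` header fields against configuration before any key URL is built (the linked AWS documentation asks you to validate `signer` against the expected load balancer ARN), then verifies the ES256 signature with Node's built-in `crypto`. The function names, the `expectedSigner` parameter and the UUID check on `kid` are assumptions of this example; fetching the PEM from the returned URL is left to the caller so the code runs offline.

```javascript
const crypto = require("node:crypto");

// Node's "base64" decoder accepts both alphabets and tolerates "=" padding.
const fromB64 = (s) => Buffer.from(s, "base64");

// Parse the UNVERIFIED header and refuse it unless it names the expected
// load balancer. Nothing from the token is used to build a URL before this.
function checkedHeader(token, expectedSigner) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = JSON.parse(fromB64(parts[0]).toString("utf8"));
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  if (header.signer !== expectedSigner) throw new Error("unexpected signer");
  // Assumption: kid is UUID-shaped, as in the AWS documentation's example.
  if (!/^[0-9a-f-]{36}$/i.test(String(header.kid))) throw new Error("unexpected kid");
  return header;
}

// URL of the public key; the region comes from configuration, not the token.
function keyUrlFor(token, expectedSigner) {
  const { kid } = checkedHeader(token, expectedSigner);
  const region = expectedSigner.split(":")[3];
  return `https://public-keys.auth.elb.${region}.amazonaws.com/${kid}`;
}

// Verify with the PEM fetched from keyUrlFor(). Returns the claims or null.
function verifyAlbToken(token, expectedSigner, publicKeyPem, now = Date.now() / 1000) {
  const header = checkedHeader(token, expectedSigner);
  const [h, p, s] = token.split(".");
  // The signature covers header and payload exactly as sent, padding included;
  // ES256 signatures in a JWT are raw r||s, hence dsaEncoding "ieee-p1363".
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: "ieee-p1363" }, fromB64(s));
  if (!valid) return null;
  const exp = Number(header.exp); // the comment above reads exp from the header
  if (!Number.isFinite(exp) || now >= exp) return null;
  return JSON.parse(fromB64(p).toString("utf8"));
}

// Constructed sample data: builds an ALB-style token with padded segments.
function makeSampleToken(privateKey, header, claims) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64");
  const input = `${seg(header)}.${seg(claims)}`;
  const sig = crypto.sign("sha256", Buffer.from(input),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64")}`;
}
```
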

0 reactions
trallnag commented, Jul 6, 2021

Just ran into the same issue…
