As a client app, how do I get the 'x-amzn-oidc-*' headers forwarded to me from Amazon Load Balancers (ALB)?

I'm planning on setting up ALB (Amazon Load Balancer) for authentication. It'll sit in front of my client app and only forward authenticated requests with the access_token and user claim JWTs as headers, x-amzn-oidc-accesstoken + x-amzn-oidc-data respectively [0].

My client application will need to capture these forwarded headers and store them in localStorage for accessing other AWS resources in later requests (ex. S3).

If I'm the client app receiving the ALB request, how would I intercept these headers? Would they come in as a request or response?

[0] See step #10 in the diagram: https://www.exampleloadbalancer.com/auth_detail.html

asked Aug 19 '20 by tbd_



1 Answer

These headers wouldn't be received by your client by default. The client makes a request to the ALB and, after the user is authenticated, the ALB would pass the headers to your backend.

If the client needs these headers, your backend could add them to the response headers and your client could then retrieve them there.

That being said, keep in mind that if you do return these headers to the client, anyone using some simple browser debug tools can see the headers and then craft their own requests using them. It may be better to add the functionality that you need to the backend so that no credentials are potentially exposed to users.

answered Oct 28 '22 by JD D