I'm planning on setting up ALB (Amazon Load Balancer) for authentication. It'll sit in front of my client app and only forward authenticated requests with the access_token and user-claim JWTs as headers, x-amzn-oidc-accesstoken + x-amzn-oidc-data respectively [0].
My client application will need to capture these forwarded headers and store them in localStorage for accessing other AWS resources in later requests (ex. S3).
If I'm the client app receiving the ALB request, how would I intercept these headers? Would they come in as a request or response?
[0] See step #10 in the diagram: https://www.exampleloadbalancer.com/auth_detail.html
Source Address Preservation – With Network Load Balancer, the original source IP address and source ports for the incoming connections remain unmodified, so application software need not support X-Forwarded-For, proxy protocol, or other workarounds.
x-amzn-oidc-data. The user claims, in JSON web tokens (JWT) format. Access tokens and user claims are different from ID tokens. Access tokens and user claims only allow access to server resources, while ID tokens carry additional information to authenticate a user.
The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs only contain the IP address of the load balancer.
As far as I know there is no way to set custom headers at the ALB level. You can however add CloudFront as a CDN in front of it, that allows you to set custom headers, which will then be passed on to the ALB.
These headers wouldn't be received by your client by default. The client makes a request to the ALB and, after the user is authenticated, the ALB would pass the headers to your backend.
If the client needs these headers, your backend could add them to the response headers and your client could then retrieve them there.
That being said, keep in mind that if you do return these headers to the client, anyone using simple browser debug tools can see them and then craft their own requests using them. It may be better to add the functionality you need to the backend so that no credentials are potentially exposed to users.
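To make the flow in this answer concrete, here is an added example (not code from the question or from any of the answers) of a minimal Node.js backend handler sitting behind an ALB with OIDC authentication. The ALB injects `x-amzn-oidc-accesstoken` and `x-amzn-oidc-data` into the request it forwards to the backend; the handler decodes the claims JWT, returns only a small whitelist of claims to the browser in a JSON body, and never echoes the access token. The sample JWT, the claim names it carries and the `sampleHeaders()` helper are constructed for this example; the signature segment is a placeholder, so a real deployment must verify the JWT's signature against the ALB's public key before trusting the claims.

```javascript
// Added example: backend handler behind an ALB OIDC listener.
// Assumes Node.js (global Buffer). The ALB puts the user claims in the
// x-amzn-oidc-data REQUEST header as a JWT; nothing reaches the browser
// unless the backend chooses to put it in the response.

// The ALB's encoding of the JWT segments may carry '=' padding and may use
// either the standard or the URL-safe alphabet, so decode leniently.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Parse the claims payload of the x-amzn-oidc-data JWT.
// NOTE: this does not verify the signature. In production, fetch the ALB
// public key for the JWT's `kid` and verify before using any claim.
function parseOidcData(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("x-amzn-oidc-data is not a JWT");
  return JSON.parse(decodeSegment(parts[1]));
}

// Claims considered safe to expose to the browser (assumed claim names).
// The access token itself is deliberately never returned.
const PUBLIC_CLAIMS = ["sub", "email", "name"];

// `headers` is the incoming request's header object (Node lowercases names).
// Returns the status and JSON body to send back to the client.
function handleAlbRequest(headers) {
  const oidcData = headers["x-amzn-oidc-data"];
  if (!oidcData) {
    // The request did not pass through the authenticating ALB listener.
    return { status: 401, body: { error: "unauthenticated" } };
  }
  let claims;
  try {
    claims = parseOidcData(oidcData);
  } catch (e) {
    return { status: 400, body: { error: "malformed x-amzn-oidc-data" } };
  }
  const user = {};
  for (const k of PUBLIC_CLAIMS) {
    if (k in claims) user[k] = claims[k];
  }
  return { status: 200, body: { user } };
}

// Constructed sample of what the ALB would forward: a claims JWT (base64
// with padding) plus an opaque access token. Signature is a dummy value.
function sampleHeaders() {
  const header = Buffer.from(
    JSON.stringify({ typ: "JWT", alg: "ES256", kid: "example-kid" })
  ).toString("base64");
  const payload = Buffer.from(
    JSON.stringify({
      sub: "1234",
      email: "user@example.com",
      name: "Example User",
      exp: 1700000000,
    })
  ).toString("base64");
  return {
    "x-amzn-oidc-accesstoken": "opaque-access-token-from-idp",
    "x-amzn-oidc-data": `${header}.${payload}.c2lnbmF0dXJl`,
  };
}
```

Wiring it into an HTTP server is a few lines: in a `http.createServer((req, res) => ...)` callback, call `handleAlbRequest(req.headers)`, write the returned status with `content-type: application/json`, and send `JSON.stringify(body)`. The browser then gets the user's identity from the response body, while the access token stays server-side, which is the point the answer above makes about not exposing credentials.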