AWS Application Loadbalancer and Cognito user pools, redirect_mismatch

Question

I have a traditional web app (as in a hobby project I made 15 years ago) that I am moving to AWS. It is deployed in ECS with Fargate, behind an Application Loadbalancer. Now, I want to add authentication with FB and Google. I have managed to configure both FB and Google so that I get authenticated, but I am having troubles with the authenticate rule in ALB. At the end of a successful authentication, I get "redirect_mismatch". If I try to set my redirect_uri to an external site (such as www.google.com) and add that site to my whitelist, it works fine. As far as I can see, there are no typos.

Attempting to browse to https://myapp.domain.se/ will redirect to the login flow, and when done land in a redirect_mismatch error. https://myapp.auth.eu-west-1.amazoncognito.com/login?response_type=code&client_id=2b88s...&redirect_uri=https://www.google.com otoh works fine.

What am I missing. How can I get a more verbose error message?

Answer 1

The callback URL values are a bit complicated and not intuitive without reading the documentation for Application Load Balancer use case.

The short version is that you will need to add three values to your callback urls:

1. https://{your-load-balancer-domain}/oauth2/idpresponse
2. https://myapp.domain.se/oauth2/idpresponse <-- your application
3. https://myapp.auth.eu-west-1.amazoncognito.com/saml2/idpresponse

See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html