DEV Community

Allan Denot for DNX Labs

Posted on

Protecting URLs with AWS ALBs and OIDC in 6 minutes

00:00:00

Problem: You have a web app with an administration page that should be restricted to internal users.

Here's some of the options that would solve this:

  1. Program authentication into your app, which would be different from your main user login as it's targeted to internal users and not your customers.
  2. Deploy the app privately (like an internal load balancer) and require VPN access
  3. Use some third-party service like Cloudflare Access.

We would like to propose a solution that could be implemented very quickly if you already using AWS Application Load Balancer (ALB).

00:01:00

This example we will authenticate internal users in Google Workspace, but this works with any Identity Provider that supports OIDC/OAuth2.

Go to your Google Cloud Console (linked to your Google Workspace account) as Admin and under "APIs & Services", create a new OAuth2 Client, as shown below:

Google Cloud creating OAuth client

More details here: https://support.google.com/cloud/answer/6158849?hl=en

Google Cloud Setup OAuth client URLs

In "Authorized JavaScript origins", enter the main URL of your web application (without the /admin path). And in "Authorized redirect URIs" enter the same as before, but adding oauth2/idpresponse to the path.

After creation, copy the Client ID and Client Secret generated to a secure location.

Also make sure your Google project's OAuth Consent is set to Internal, if you want to authenticate only internal users. If your goal is to authenticate anyone with a Google Account, you can leave it External.

Google Cloud OAuth consent screen

00:03:00

Login to your AWS Console, under EC2 select Load Balancers, choose your load balance and edit the Listener Rules, as shown below:

AWS Console edit ALBs Listener Rules

Click the "+" icon to add a new rule.

Click "Insert rule" above the normal URL for your web app (which could be the default action).

In the left side, enter the conditions for the rule. As this example is for path-based, we will enter all paths we want to protect with an OAuth login screen:

AWS ALB rule condition

Enter all paths ending with a * (remove the trailing slash from the path).

In the right side, enter Add Action > Authenticate, and select OIDC.

AWS ALB rule action

And setup Google Workspace OIDC with the following parameters:

Name Value
Issuer https://accounts.google.com
Authorization endpoint https://accounts.google.com/o/oauth2/v2/auth
Token endpoint https://oauth2.googleapis.com/token
User info endpoint https://openidconnect.googleapis.com/v1/userinfo

And under Advanced Settings, set the Session Timeout to a small value, like 43200 (12 hours), otherwise the authentication will last for 7 days by default.

AWS ALB OIDC action

Just below the OIDC action, you now have to add the Forward action to reach your web app.

Copy the same action as the rule used at the moment to reach your web app. In this example, we were using a Default Action, Forwarding to a Target Group called "Laravel", so we will mimic this action into our OIDC rule, as shown below:

AWS ALB rule action

Click on the Save button above to save the new rule.

00:05:00

That's it, now access your web app under the URL protected and you should be redirected to a Google authentication page.

After authenticated, ALB will add a cookie that lasts for 12 hours (or the Session Timeout set before).

If you like this post, you will love our 100+ open source repositories with moslty Terraform modules that help you achieve stuff like this.

Check out our repos at https://github.com/DNXLabs, specially https://github.com/DNXLabs/terraform-aws-ecs-app that comes with this feature built in.

Top comments (2)

Collapse
 
elgordino profile image
Gordon Johnston

Super useful! Thank you.

Collapse
 
mino profile image
minoblue

This is great, How can we implement Programatic API authentication with this approch?