Problem: you have a web app with an administration page that should be restricted to internal users.
Here are some options that would solve this:
- Build a second authentication flow into your app, separate from your main customer login, because its audience is your internal users rather than your customers.
- Deploy the app privately (for example behind an internal load balancer) and require VPN access.
- Use a third-party service such as Cloudflare Access.
We would like to propose a solution that can be implemented very quickly if you are already using an AWS Application Load Balancer (ALB): its built-in OIDC authentication action, applied only to the paths you want to protect.
In this example we authenticate internal users against Google Workspace, but the same setup works with any identity provider that supports OpenID Connect (OIDC). Note that the ALB's authenticate action requires an OIDC-compliant provider (issuer, authorization, token and user-info endpoints), not just plain OAuth2.
Go to the Google Cloud Console (in a project linked to your Google Workspace organization) as an admin and, under "APIs & Services" > "Credentials", create a new OAuth 2.0 client ID of type "Web application", as shown below:
More details here: https://support.google.com/cloud/answer/6158849?hl=en
In "Authorized JavaScript origins", enter the origin of your web application (scheme and host only, without the /admin path). In "Authorized redirect URIs", enter that same origin followed by /oauth2/idpresponse, which is the fixed callback path the ALB uses (for example https://app.example.com/oauth2/idpresponse, with example.com standing in for your own domain). If the redirect URI does not match exactly, Google rejects the login with a redirect_uri_mismatch error.
After creation, copy the generated Client ID and Client Secret to a secure location (for example AWS Secrets Manager); you will need both when configuring the ALB rule, and the secret should never be committed to your repository.
Also make sure the project's OAuth consent screen is set to Internal if only users of your Workspace organization should be able to sign in. If your goal is to authenticate anyone with a Google account, you can leave it External. Keep in mind that the ALB only verifies that the login succeeded and does not inspect which account or domain signed in, so with External the rule proves nothing more than possession of a Google account.
Log in to the AWS Console, go to EC2 > Load Balancers, choose your load balancer and edit the rules of its HTTPS listener, as shown below. The authenticate action is only available on HTTPS listeners, so if your app is still served over plain HTTP you need a certificate on the ALB first.
Click the "+" icon to add a new rule, then click "Insert rule" above the rule that currently serves your web app (which may be the default action). Rule order matters: rules are evaluated by priority and the first match wins, so the authenticated rule must sit above any rule that would forward the protected paths without authentication.
On the left side, enter the conditions for the rule. This example is path-based, so add a path-pattern condition for every path that should sit behind the OAuth login screen. Enter each path ending with a * and without a trailing slash, for example /admin*. Be aware that path patterns are case-sensitive and that /admin* also matches /administrator or /admin-old; if you want only the /admin subtree, use the two values /admin and /admin/*.
On the right side, choose Add action > Authenticate, select OIDC, and set up Google Workspace OIDC with the following parameters:
| Name | Value |
|---|---|
| Issuer | https://accounts.google.com |
| Authorization endpoint | https://accounts.google.com/o/oauth2/v2/auth |
| Token endpoint | https://oauth2.googleapis.com/token |
| User info endpoint | https://openidconnect.googleapis.com/v1/userinfo |
| Client ID / Client secret | the values copied from the Google OAuth client created earlier |
Under Advanced settings, set Session timeout to something shorter than the default of 604800 seconds (7 days), for example 43200 (12 hours); this is how long the ALB session cookie stays valid before the user has to sign in again. If your application needs the user's email address in the identity headers the ALB forwards, also change Scope from the default openid to openid email.
Just below the OIDC action, add the Forward action that reaches your web app, copying the action of the rule that currently serves it. In this example we were using the Default Action, forwarding to a Target Group called "Laravel", so we mimic that action in the OIDC rule, as shown below:
Click on the Save button above to save the new rule.
That's it: open your web app at a protected URL and you should be redirected to a Google sign-in page.
After you authenticate, the ALB sets its session cookie (AWSELBAuthSessionCookie), valid for 12 hours (or whatever session timeout you set), and forwards each authenticated request to the target with the user's identity in the x-amzn-oidc-identity, x-amzn-oidc-accesstoken and x-amzn-oidc-data headers, the last being a JWT signed by the ALB. Two things this setup does not do for you: it does not restrict which Google account may sign in beyond what the consent screen setting enforces, and it does nothing for requests that reach a target without passing through the listener, so keep the target security group limited to traffic from the load balancer.
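Because the ALB's authentication only covers requests that actually traverse the listener, the application should treat the forwarded identity as untrusted until it has verified the x-amzn-oidc-data JWT itself: check the ES256 signature against the ALB's published public key (fetched by the token's kid from https://public-keys.auth.elb.<region>.amazonaws.com/<kid>), then apply its own claim checks, since the ALB inspects none of them. The Go program below is an added example written for this post, not code from the original page or from the DNXLabs modules; Go was chosen so the check runs stand-alone with only the standard library, and the same logic belongs in the Laravel app's middleware. It signs a constructed x-amzn-oidc-data token with a throwaway P-256 key that stands in for the ALB's regional key, then verifies it. The function names (VerifyALBOIDCData, SignALBOIDCData, DemoKey), the kid "demo-kid", the clock value and the example.com addresses are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is the subset of the x-amzn-oidc-data payload this check uses ("email" requires scope "openid email").
type Claims struct {
	Email string `json:"email"`
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
}

// KeyResolver returns the ALB public key for a kid; in production it fetches and caches
// https://public-keys.auth.elb.<region>.amazonaws.com/<kid> (a PEM-encoded EC key).
type KeyResolver func(kid string) (*ecdsa.PublicKey, error)

// decode handles one JWT segment, tolerating the '=' padding the ALB emits.
func decode(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// VerifyALBOIDCData validates one x-amzn-oidc-data header value. The ES256 signature (raw r||s
// over SHA-256 of "header.payload") is checked under the key for the header's kid before any
// claim is trusted; then expiry, issuer and the email's domain, none of which the ALB checks.
func VerifyALBOIDCData(token string, keys KeyResolver, issuer, domain string, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := decode(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("header rejected (alg=%q)", hdr.Alg) // never let the token pick the algorithm
	}
	pub, err := keys(hdr.Kid)
	if err != nil {
		return nil, fmt.Errorf("kid %q: %w", hdr.Kid, err)
	}
	sig, err := decode(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not a 64-byte ES256 r||s value")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims // only now is the payload trustworthy enough to act on
	if raw, err := decode(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("payload undecodable")
	}
	if c.Exp == 0 || nowUnix >= c.Exp || c.Iss != issuer {
		return nil, fmt.Errorf("claims rejected: iss=%q exp=%d now=%d", c.Iss, c.Exp, nowUnix)
	}
	if at := strings.LastIndex(c.Email, "@"); at < 0 || !strings.EqualFold(c.Email[at+1:], domain) {
		return nil, fmt.Errorf("email %q is not in %s", c.Email, domain)
	}
	return &c, nil
}

// SignALBOIDCData mints a token shaped like the ALB's (ES256, raw r||s signature).
// Demo-only: in production the signing key exists only inside the ALB.
func SignALBOIDCData(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// DemoKey makes a throwaway P-256 key (constructed for this demo) standing in for the
// ALB's regional key, plus a resolver that knows only that kid.
func DemoKey(kid string) (*ecdsa.PrivateKey, KeyResolver) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, func(k string) (*ecdsa.PublicKey, error) {
		if k != kid {
			return nil, errors.New("unknown key id")
		}
		return &priv.PublicKey, nil
	}
}

func main() {
	priv, keys := DemoKey("demo-kid")
	tok, _ := SignALBOIDCData(priv, "demo-kid", Claims{Email: "alice@example.com", Iss: "https://accounts.google.com", Exp: 1700000600})
	c, err := VerifyALBOIDCData(tok, keys, "https://accounts.google.com", "example.com", 1700000000)
	fmt.Println(c, err)
}
```

The order of checks is deliberate: the signature is verified before the payload is even parsed, so a forged header sent straight to the target (or one with alg changed to something weaker) never reaches the claim logic. In production, replace DemoKey with a resolver that fetches the PEM key for the token's kid from the regional public-keys endpoint and caches it, reject requests that carry no header at all, and treat the email-domain check as defense in depth on top of the Internal consent-screen setting rather than a substitute for it.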
If you like this post, you will love our 100+ open source repositories, mostly Terraform modules, that help you achieve things like this.
Check out our repos at https://github.com/DNXLabs, especially https://github.com/DNXLabs/terraform-aws-ecs-app, which comes with this feature built in.
Top comments (2)
Super useful! Thank you.
This is great, how can we implement programmatic API authentication with this approach?