How can I set up Application Load Balancer authentication using Facebook and Amazon Cognito as identity providers?

Last updated: 2020-05-26

How can I set up Application Load Balancer authentication using Facebook and Amazon Cognito as identity providers (IdPs)?

Short Description

With Application Load Balancer authentication, the Application Load Balancer confirms that the client is authenticated, or prompts the client to authenticate. The backend target is responsible only for running other business logic or services, such as user profile and payments. The Application Load Balancer is the gatekeeper that allows or denies client access, and it passes the authenticated user's claims to the target in the x-amzn-oidc-* request headers. Because the check runs on the load balancer and not on the target, the target's security group should accept traffic only from the load balancer; otherwise a client that reaches the target directly bypasses authentication. Application Load Balancers don't store client login credentials, so you configure Amazon Cognito and Facebook to manage and authenticate users.

Resolution

Set up the Facebook application

  1. Go to Facebook for Developers on the Facebook site.
  2. On the top right, choose My Apps, and then choose Add New App.
  3. Specify a Display name, and then choose Create App ID.
  4. Choose Facebook Login.
  5. Choose Web (www).
  6. Specify the domain name of the site. This domain name is the same as what you use to alias to the Application Load Balancer's DNS.
  7. Choose Next.
  8. Skip the JavaScript SDK, and then choose Next.
  9. Choose Next.

Stop at this point in the Facebook wizard and continue with the Amazon Cognito setup. There's one final step to setting up the Facebook application (adding the Valid OAuth Redirect URI), but it requires the Amazon Cognito domain, so you must set up Amazon Cognito first.

Set up the Application Load Balancer for authentication, and then set up Amazon Cognito as an IdP/IdP aggregator

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. Create an Application Load Balancer.
  3. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
  4. Select the Application Load Balancer that you created in step 2.
  5. Choose Listeners, and then choose Add listener.
  6. Choose HTTPS:443 (or any port with the HTTPS protocol).
  7. For Action, choose Authenticate.
  8. Keep the Amazon Cognito selection.
  9. For Cognito user pool, choose Create new.
  10. For Social IDP, choose Facebook.
  11. Go to Facebook for Developers on the Facebook site.
  12. Select the application that you created in the Set up the Facebook application section of this procedure.
  13. Choose Settings, and then choose Basic.
  14. Copy the App ID.
  15. Next to App Secret, choose Show, and then enter your Facebook password to reveal the App Secret.
  16. Return to the Amazon Cognito setup page in the Amazon EC2 console. Then, paste the App ID and enter the App Secret.
  17. For Authorize scope, enter public_profile. This is the scope that Amazon Cognito requests from Facebook; it's not the scope that the load balancer requests from Amazon Cognito.
  18. Under Domain prefix, choose a unique name to append to the Amazon Cognito regional DNS service. For example, if you specify "abc" as your domain prefix, your fully qualified domain name (FQDN) is https://abc.auth.us-east-2.amazoncognito.com/.
  19. Choose Create Cognito User pool.
  20. Copy the domain name you specified in step 18.
  21. In the same rule, add another action. Choose Forward to, and then specify the target group of your Application Load Balancer. The authenticate action only performs the check; the forward action that follows it sends the authenticated request to the target.
  22. Choose Save.

Finish setting up the Facebook application

  1. Open the Facebook application.
  2. Choose Facebook Login, and then choose Settings.
  3. For Valid OAuth Redirect URIs, paste the Amazon Cognito FQDN and add a suffix of /oauth2/idpresponse. For example, https://abc.auth.us-east-2.amazoncognito.com/oauth2/idpresponse. The Region in the domain is the Region of your user pool, so use the exact domain that the Amazon Cognito setup page showed you.
  4. Choose Save changes.
  5. Choose Settings, Basic, and then App domains.
  6. Add the domain name that points to your Application Load Balancer.
  7. Choose Save changes.

Finish setting up Amazon Cognito

  1. Open the Amazon Cognito console.
  2. Choose your configured user pool.
  3. Choose App client settings.
  4. For Callback URL(s), specify the domain name for which you created an alias record in Route 53 pointing to the Application Load Balancer, and add the /oauth2/idpresponse suffix. For example, https://myinstanceweb.info/oauth2/idpresponse. The URL must use HTTPS and must match the listener's host name exactly, because the load balancer handles this path itself and the request never reaches the target.
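The three procedures above leave the same values in three places (the listener rule, the Cognito app client, and the Facebook app), and a mismatch between them is the usual reason the login loop fails. The following is an added example, not code from the AWS article: it derives the Facebook redirect URI, the Cognito callback URL, and the elbv2 create_listener parameters from one set of inputs, and checks the listener rule for the mistakes the console lets you make (an HTTP listener, a missing forward action, or the forward ordered before the authenticate). All ARNs, IDs and domain names are placeholders, and the boto3 client is passed in rather than created so the module runs offline.

```python
"""Derive the ALB listener, Cognito callback and Facebook redirect settings from one input set.

Added example for the AWS article; not AWS-supplied code. ARNs, IDs and domains are
placeholders (assumptions). Pass boto3.client("elbv2") to create_listener() to apply it.
"""

# Reserved path that the load balancer and Cognito handle themselves; the backend never sees it.
IDP_RESPONSE_PATH = "/oauth2/idpresponse"


def cognito_hosted_domain(domain_prefix: str, region: str) -> str:
    """FQDN of the Cognito hosted UI for a domain prefix (the 'abc' in the article)."""
    return f"{domain_prefix}.auth.{region}.amazoncognito.com"


def expected_redirect_uris(app_domain: str, domain_prefix: str, region: str) -> dict:
    """The two URLs that must agree: one pasted into Facebook, one into the Cognito app client."""
    return {
        # Facebook app -> Facebook Login -> Settings -> Valid OAuth Redirect URIs
        "facebook_valid_oauth_redirect_uri":
            f"https://{cognito_hosted_domain(domain_prefix, region)}{IDP_RESPONSE_PATH}",
        # Cognito user pool -> App client settings -> Callback URL(s)
        "cognito_app_client_callback_url": f"https://{app_domain}{IDP_RESPONSE_PATH}",
    }


def build_listener_params(*, alb_arn, certificate_arn, target_group_arn,
                          user_pool_arn, user_pool_client_id, domain_prefix,
                          session_timeout=3600) -> dict:
    """Parameters for elbv2 create_listener: HTTPS:443, authenticate-cognito, then forward."""
    return {
        "LoadBalancerArn": alb_arn,
        "Protocol": "HTTPS",  # authenticate actions are only allowed on HTTPS listeners
        "Port": 443,
        "Certificates": [{"CertificateArn": certificate_arn}],
        "DefaultActions": [
            {
                "Type": "authenticate-cognito",
                "Order": 1,
                "AuthenticateCognitoConfig": {
                    "UserPoolArn": user_pool_arn,
                    "UserPoolClientId": user_pool_client_id,
                    "UserPoolDomain": domain_prefix,   # the prefix, not the full FQDN
                    "Scope": "openid",                 # scope requested from Cognito (Facebook's is public_profile)
                    "SessionTimeout": session_timeout,  # seconds the ALB session cookie stays valid
                    "OnUnauthenticatedRequest": "authenticate",  # redirect to the hosted UI
                },
            },
            {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
        ],
    }


def validate_listener_params(params: dict) -> list:
    """Return the misconfigurations found; an empty list means the rule gates access as intended."""
    problems = []
    if params.get("Protocol") != "HTTPS":
        problems.append("authenticate actions require an HTTPS listener")
    actions = params.get("DefaultActions", [])
    types = [a.get("Type") for a in actions]
    if "authenticate-cognito" not in types:
        problems.append("no authenticate-cognito action: every request would reach the target")
    elif types[-1] != "forward":
        problems.append("authenticate must be followed by a forward action in the same rule")
    elif types.index("authenticate-cognito") > types.index("forward"):
        problems.append("forward is ordered before authenticate; the check would never run")
    for action in actions:
        cfg = action.get("AuthenticateCognitoConfig") or {}
        if cfg.get("OnUnauthenticatedRequest") == "allow":
            problems.append("OnUnauthenticatedRequest=allow passes unauthenticated requests to the target")
    return problems


def create_listener(elbv2_client, params: dict) -> dict:
    """Apply the listener with a boto3 elbv2 client after refusing a misconfigured rule."""
    problems = validate_listener_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return elbv2_client.create_listener(**params)


if __name__ == "__main__":
    uris = expected_redirect_uris("myinstanceweb.info", "abc", "us-east-2")
    for name, uri in uris.items():
        print(f"{name}: {uri}")
    params = build_listener_params(
        alb_arn="arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/web/0123456789abcdef",
        certificate_arn="arn:aws:acm:us-east-2:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        target_group_arn="arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/web/0123456789abcdef",
        user_pool_arn="arn:aws:cognito-idp:us-east-2:123456789012:userpool/us-east-2_EXAMPLE",
        user_pool_client_id="1example23456789",
        domain_prefix="abc",
    )
    print("problems:", validate_listener_params(params) or "none")
```

Run it once with your real values to print the two URLs before you paste them into Facebook and Cognito; then call create_listener(boto3.client("elbv2", region_name="us-east-2"), params) to create the listener, which refuses to proceed if the rule would not gate access.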

Important: Facebook is a third-party application, which means that the configuration steps above might change over time. For the latest updates, refer to Facebook's documentation on the Facebook site.