How do I troubleshoot issues configuring authentication in my Application Load Balancer?

Last updated: 2019-10-22

I receive an error when I try to configure authentication in my Application Load Balancer. How do I troubleshoot these authentication issues?

Resolution

While setting up the authentication feature in your Application Load Balancer, misconfigurations in the identity provider (IdP) or Application Load Balancer might cause errors. Follow the steps below to troubleshoot and resolve these common authentication issues.

redirect_mismatch

Verify that you've set the callback URL (Amazon Cognito) or the redirect URI (any other IdP) to https://<domain used to access Application Load Balancer>/oauth2/idpresponse.

HTTP 401: Unauthorized

  • Verify that the following values are identically configured on your Application Load Balancer and IdP:
    Issuer
    Authorization endpoint
    Token endpoint
    Client ID/Client Secret
  • Verify that you've set Action on unauthenticated request to either Allow or Authenticate (client reattempt), depending on your use case.

HTTP 500: Internal Server Error

  • Add an outbound rule to the security group of the Application Load Balancer that allows traffic to the IdP endpoints over HTTPS (port 443).
  • Verify that the network access control list (network ACL) rules on each of the Application Load Balancer subnets allow traffic to and from the IdP endpoints. For egress rules, specify: Destination IP - identity provider, Destination port - 443, Allow. For ingress rules, specify: Source IP - identity provider, Destination port - 1024-65535, Allow.
  • Verify that route tables include a route for the Application Load Balancer to reach the IdP endpoints. For public Application Load Balancers and public endpoints, verify that the route table has an internet gateway route. For private Application Load Balancers and private endpoints, verify that the route table has a network address translation (NAT) gateway or NAT instance route for the IdP. For other scenarios, verify that the route tables of the Application Load Balancer subnets have an appropriate route entry that provides connectivity to the IdP endpoints.
  • Verify that a valid OAuth2 Grant type is selected. Application Load Balancers support the Authorization code grant to obtain an access token. If an incorrect grant is configured at the IdP, the Application Load Balancer generates an error.
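The checks for redirect_mismatch, HTTP 401 and the grant type above can be run offline against the settings on both sides. The following is an added example, not AWS code: it compares a dict shaped like the ELBv2 API's AuthenticateOidcConfig with the IdP's OpenID discovery document and client registration, using constructed sample values (idp.example.com, app.example.com, alb-client-1).

```python
"""Consistency check for an Application Load Balancer OIDC listener rule.
ALB_RULE mirrors the field names of the ELBv2 API's AuthenticateOidcConfig,
DISCOVERY an IdP's /.well-known/openid-configuration document and CLIENT the
client registration at the IdP. All values are constructed sample data."""
from urllib.parse import urlparse

def expected_redirect_uri(alb_domain):
    # The ALB always finishes the login on this fixed path of its own domain.
    return f"https://{alb_domain}/oauth2/idpresponse"

def check_alb_oidc_config(alb_rule, discovery, client, alb_domain):
    """Return one finding per mismatch that would surface as redirect_mismatch,
    HTTP 401 or an HTTP 500; an empty list means both sides agree."""
    findings = []
    redirect = expected_redirect_uri(alb_domain)
    if redirect not in client.get("redirect_uris", []):
        findings.append(f"redirect_mismatch: IdP has no redirect URI {redirect}")
    # Issuer and endpoints on the ALB must equal the IdP's published values.
    for alb_key, disc_key in (("Issuer", "issuer"),
                              ("AuthorizationEndpoint", "authorization_endpoint"),
                              ("TokenEndpoint", "token_endpoint")):
        alb_val, idp_val = alb_rule.get(alb_key), discovery.get(disc_key)
        if alb_val != idp_val:
            findings.append(f"401: {alb_key} {alb_val!r} != IdP {disc_key} {idp_val!r}")
        elif urlparse(alb_val or "").scheme != "https":
            findings.append(f"500: {alb_key} must be reachable over HTTPS (port 443)")
    if alb_rule.get("ClientId") != client.get("client_id"):
        findings.append("401: ClientId on the ALB differs from the IdP registration")
    # OIDC discovery defaults grant_types_supported to authorization_code + implicit.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        findings.append("500: IdP does not offer the authorization code grant")
    return findings

ALB_RULE = {"Issuer": "https://idp.example.com",
            "AuthorizationEndpoint": "https://idp.example.com/oauth2/authorize",
            "TokenEndpoint": "https://idp.example.com/oauth2/token",
            "ClientId": "alb-client-1"}
DISCOVERY = {"issuer": "https://idp.example.com",
             "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
             "token_endpoint": "https://idp.example.com/oauth2/token",
             "grant_types_supported": ["authorization_code"]}
CLIENT = {"client_id": "alb-client-1",
          "redirect_uris": ["https://app.example.com/oauth2/idpresponse"]}

if __name__ == "__main__":
    for finding in check_alb_oidc_config(ALB_RULE, DISCOVERY, CLIENT, "app.example.com"):
        print(finding)
```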

Additional HTTP error codes

Review these instructions to resolve additional HTTP error codes generated by Application Load Balancers.