How do I troubleshoot issues configuring authentication in my Application Load Balancer?


I receive an error when I configure authentication in my Application Load Balancer.

Resolution

Misconfigurations with the identity provider (IdP) or Application Load Balancer can cause errors when configuring authentication for the Application Load Balancer. Follow these steps to troubleshoot authentication errors.

redirect_mismatch

If you're using Amazon Cognito, then set the callback URL to https://<domain>/oauth2/idpresponse. If you're using a different IdP, then set the redirect URI to https://<domain>/oauth2/idpresponse.

Note: Replace <domain> with the domain used to access the Application Load Balancer.

HTTP 401: Unauthorized

Configure the following identically on your Application Load Balancer and IdP:

  • Issuer
  • Authorization endpoint
  • Token endpoint
  • Client ID/Client Secret

Also, set Action on unauthenticated request to either Allow or Authenticate (client reattempt), based on your use case.
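To make the two checks above repeatable, here is an added example (not part of the AWS article) that compares the values an Application Load Balancer rule reports in its AuthenticateOidcConfig with the IdP's OIDC discovery document, and verifies the registered redirect URI has the https://<domain>/oauth2/idpresponse form. The IdP hostname, client ID and both documents are constructed sample values.

```python
# Added example: offline consistency check between an ALB authenticate-oidc action
# and an IdP's OIDC discovery document. Key names mirror the elbv2 describe-rules
# output (AuthenticateOidcConfig) and /.well-known/openid-configuration; the
# values below are constructed samples, not real endpoints.

# Constructed sample of what the ALB rule reports (the client secret is never returned).
ALB_OIDC_CONFIG = {
    "Issuer": "https://idp.example.com/",
    "AuthorizationEndpoint": "https://idp.example.com/oauth2/authorize",
    "TokenEndpoint": "https://idp.example.com/oauth2/token",
    "UserInfoEndpoint": "https://idp.example.com/oauth2/userInfo",
    "ClientId": "alb-client-placeholder",
    "OnUnauthenticatedRequest": "authenticate",
}

# Constructed sample of the IdP's discovery document (note: issuer has no trailing slash).
IDP_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userInfo",
    "grant_types_supported": ["authorization_code", "implicit"],
}

# ALB config key -> discovery document key; the article says these must match exactly.
FIELD_MAP = {
    "Issuer": "issuer",
    "AuthorizationEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserInfoEndpoint": "userinfo_endpoint",
}

def find_mismatches(alb_cfg, discovery):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for alb_key, idp_key in FIELD_MAP.items():
        if alb_cfg.get(alb_key) != discovery.get(idp_key):
            findings.append(f"{alb_key}: ALB has {alb_cfg.get(alb_key)!r}, IdP has {discovery.get(idp_key)!r}")
    # The ALB uses the authorization code grant; discovery defaults to it when the key is absent.
    if "authorization_code" not in discovery.get("grant_types_supported", ["authorization_code"]):
        findings.append("IdP does not advertise the authorization_code grant")
    if alb_cfg.get("OnUnauthenticatedRequest") == "deny":
        findings.append("OnUnauthenticatedRequest is 'deny': unauthenticated users receive HTTP 401")
    return findings

def expected_redirect_uri(alb_domain):
    """Callback URL the IdP must hold for a load balancer reached at alb_domain."""
    return f"https://{alb_domain}/oauth2/idpresponse"

def redirect_uri_ok(registered_uri, alb_domain):
    """True only when the URI registered at the IdP is exactly the ALB idpresponse URL."""
    return registered_uri == expected_redirect_uri(alb_domain)
```

Run find_mismatches against the dictionary returned by `aws elbv2 describe-rules` and the IdP's discovery document to spot issuer or endpoint drift before it surfaces as an HTTP 401.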

HTTP 500: Internal Server Error

Complete the following steps if you receive an "HTTP 500: Internal Server Error" response:

  • Add an outbound rule to the load balancer's security group that allows traffic to the IdP endpoints over HTTPS (port 443).
  • Configure the network access control list (network ACL) rules on each Application Load Balancer subnet to allow traffic to and from the IdP endpoints.
    For egress rules, specify: Destination IP: identity provider, Destination port: 443, Allow.
    For ingress rules, specify: Source IP: identity provider, Destination port: 1024-65535, Allow.
  • Configure the route table to include a route for the Application Load Balancer to reach the IdP endpoints.
    For public Application Load Balancers and public endpoints, configure an internet gateway route in the route table.
    For private Application Load Balancers and private endpoints, configure a network address translation (NAT) gateway route in the route table. Or, configure a NAT instance route for the IdP.
    For other scenarios, configure the route tables of the Application Load Balancer subnets with an appropriate route entry that provides connectivity to the IdP endpoints.
  • Select a valid OAuth2 grant type. Application Load Balancers support the authorization code grant to obtain an access token. If a different grant type is configured at the IdP, then the Application Load Balancer returns an error.

Additional HTTP error codes

For troubleshooting additional HTTP error codes generated by Application Load Balancers, see The load balancer generates an HTTP error.

Related information

Simplify login with Application Load Balancer built-in authentication

Authenticate users using an Application Load Balancer

Configuring a user pool app client

AWS OFFICIAL
Updated a year ago
2 Comments

In some cases, the user may encounter an error at the IdP, and be redirected to the ALB with the "error" and "error_description" parameters rather than the "code" parameter, per RFC 6749.

Is there any way to configure the ALB to do one of the following:

  • Render the error to the user
  • Forward the request to a Lambda
  • Redirect the request to another (unauthenticated) endpoint

Any of these would be much more valuable than displaying the generic "401 Unauthenticated" response to unsuspecting users.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 9 months ago