
High-level support for AWS::ElasticLoadBalancingV2::Listener AuthenticateOidcConfig #6308

Closed
lanwen opened this issue Feb 17, 2020 · 2 comments · Fixed by #7741
Labels
@aws-cdk/aws-elasticloadbalancing effort/medium feature-request

Comments

@lanwen (Contributor) commented Feb 17, 2020

Currently there is no obvious way, other than low-level resources, to get https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

To integrate it with the existing listeners, I have to do something like this:

    import * as cdk from '@aws-cdk/core';
    import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';

    const listener = elbv2.ApplicationListener.fromApplicationListenerAttributes(this, "InternalVPCListener", {
        listenerArn: "arn:aws:elasticloadbalancing:..:listener/app/lsdksjfdsf-21IW/9a3d8768a479f7f6/c99babbc37014371",
        securityGroupId: "sg-07a315ff"
    });

    const rule = new elbv2.ApplicationListenerRule(this, "ListenerRule", {
        priority: 5,
        listener: listener,
        hostHeader: 'host.example.com',
    });

    // `actions` is not part of the rule's public API, hence the cast. The rule's
    // existing forward action must run after the authenticate action, so it gets order 2.
    const ruleActions: any[] = (rule as any).actions;
    ruleActions[0].order = 2;

    // Override the synthesized Actions so the authenticate-oidc action comes first.
    // clientId/clientSecret are placeholders here; a real client secret belongs in
    // Secrets Manager (cdk.SecretValue), not as a literal in the template.
    const cfnRule = rule.node.defaultChild as elbv2.CfnListenerRule;
    cfnRule.actions = cdk.Lazy.anyValue({
        produce: () => [{
            authenticateOidcConfig: {
                authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
                clientId: "1",
                clientSecret: "2",
                issuer: "https://accounts.google.com",
                tokenEndpoint: "https://oauth2.googleapis.com/token",
                userInfoEndpoint: "https://openidconnect.googleapis.com/v1/userinfo"
            },
            type: "authenticate-oidc",
            order: 1
        }, ...ruleActions]
    });

Use Case

The use case I faced is authenticating a target behind an ALB, as described in this article:
https://cloudonaut.io/how-to-secure-your-devops-tools-with-alb-authentication/

Proposed Solution

It would be nice to have something in BaseApplicationListenerRuleProps to address that.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@lanwen lanwen added feature-request needs-triage labels Feb 17, 2020
@SomayaB SomayaB added the @aws-cdk/aws-elasticloadbalancing label Feb 17, 2020
@rix0rrr rix0rrr added the effort/medium label Feb 18, 2020
@enricopesce commented Feb 20, 2020

I have spent one day and I can't find a way to use OIDC... very difficult, no examples, no documentation :(

@SomayaB SomayaB removed the needs-triage label Mar 5, 2020
@dr3s commented Apr 9, 2020

For those using ECS patterns, I had to do this:

    import * as cdk from '@aws-cdk/core';
    import * as sm from '@aws-cdk/aws-secretsmanager';
    import { CfnListener } from '@aws-cdk/aws-elasticloadbalancingv2';

    // `service` is the ecs-patterns service (e.g. ApplicationLoadBalancedFargateService)
    // whose listener gets the authenticate action.
    const secret = sm.Secret.fromSecretAttributes(this, "OauthSecret", {
        secretArn: "arn:aws:secretsmanager:oauthsecretarn",
    });

    // Resolves to a {{resolve:secretsmanager:...}} dynamic reference at deploy time,
    // so the client secret never appears in the synthesized template.
    const clientSecret = secret.secretValueFromJson("clientSecretKey");

    const listenerCF = service.listener.node.defaultChild as CfnListener;

    listenerCF.defaultActions = cdk.Lazy.anyValue({
        produce: () => [
            {
                authenticateOidcConfig: {
                    authorizationEndpoint: "https://mydomain.auth0.com/authorize",
                    clientId: "1",
                    clientSecret: clientSecret,
                    scope: "openid",
                    issuer: "https://mydomain.auth0.com/",
                    tokenEndpoint: "https://mydomain.auth0.com/oauth/token",
                    userInfoEndpoint: "https://mydomain.auth0.com/userinfo",
                    sessionCookieName: "AWSELBAuthSessionCookie",
                    sessionTimeout: 604800,
                    onUnauthenticatedRequest: "authenticate",
                    // don't forget to change timeout and cookie name
                },
                type: "authenticate-oidc",
                order: 1,
            },
            // the listener's previous (forward) action goes after our new one;
            // `defaultActions` is not public, hence the cast
            ...(<any>service.listener).defaultActions,
        ],
    });
    // make sure the previous first action is after auth
    listenerCF.addPropertyOverride("DefaultActions.1.Order", 2);

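As an added illustration of what both workarounds in this thread (the ListenerRule override in the issue body and the DefaultActions override in the comment above) are doing by hand, here is a plain TypeScript model of the CloudFormation action list. This is example code written for this page, not code from the CDK or from either commenter, and it does not depend on the CDK: it prepends an authenticate-oidc action with order 1, renumbers the existing actions after it so the forward action stays last, and checks the configuration against the constraints the ALB enforces (full https URLs for the IdP endpoints and issuer, a terminating action at the end, a session timeout of at most 604800 seconds). The requirement that the client secret be a `{{resolve:secretsmanager:...}} ` dynamic reference is this example's own policy, and the ARNs in the sample input are placeholders.

```typescript
// Added example, not CDK code: a model of the CloudFormation action list
// (Listener DefaultActions / ListenerRule Actions) that both workarounds in
// this thread patch by hand.

export interface AuthenticateOidcConfig {
  authorizationEndpoint: string;
  tokenEndpoint: string;
  userInfoEndpoint: string;
  issuer: string;
  clientId: string;
  clientSecret: string;           // {{resolve:secretsmanager:...}} reference, not a literal
  scope?: string;                 // ALB default: "openid"
  sessionCookieName?: string;     // ALB default: AWSELBAuthSessionCookie
  sessionTimeout?: number;        // seconds; ALB default 604800 (7 days)
  onUnauthenticatedRequest?: "authenticate" | "allow" | "deny"; // ALB default: authenticate
}

export type ActionType = "authenticate-oidc" | "authenticate-cognito" | "forward" | "redirect" | "fixed-response";

export interface Action {
  type: ActionType;
  order?: number;
  authenticateOidcConfig?: AuthenticateOidcConfig;
  targetGroupArn?: string;
}

// The ALB requires the last action of a chain to be one of these.
const TERMINATING_TYPES: ActionType[] = ["forward", "redirect", "fixed-response"];
const HTTPS_URL = /^https:\/\/[^\s/]+/;
const SECRETS_MANAGER_REF = /^\{\{resolve:secretsmanager:[^}]+\}\}$/;
const MAX_SESSION_TIMEOUT = 604800;

/** Returns every problem found; an empty array means the config is acceptable. */
export function validateOidcConfig(cfg: AuthenticateOidcConfig): string[] {
  const problems: string[] = [];
  const urlFields = ["authorizationEndpoint", "tokenEndpoint", "userInfoEndpoint", "issuer"] as const;
  for (const field of urlFields) {
    // Every IdP endpoint and the issuer must be a full https URL.
    if (!HTTPS_URL.test(cfg[field])) problems.push(field + " must be a full https URL");
  }
  if (!cfg.clientId) problems.push("clientId is required");
  // A literal secret lands in the synthesized template and the CloudFormation
  // console; a dynamic reference is resolved only at deploy time (this example's policy).
  if (!SECRETS_MANAGER_REF.test(cfg.clientSecret)) {
    problems.push("clientSecret must be a {{resolve:secretsmanager:...}} dynamic reference");
  }
  if (cfg.sessionTimeout !== undefined && (cfg.sessionTimeout < 1 || cfg.sessionTimeout > MAX_SESSION_TIMEOUT)) {
    problems.push("sessionTimeout must be between 1 and " + MAX_SESSION_TIMEOUT + " seconds");
  }
  return problems;
}

/**
 * Prepends an authenticate-oidc action and renumbers the rest, which is what the
 * `order = 2` and `DefaultActions.1.Order` overrides above do by hand.
 * Throws if the config or the resulting chain would be rejected by the ALB.
 */
export function prependOidcAuth(existing: Action[], cfg: AuthenticateOidcConfig): Action[] {
  const problems = validateOidcConfig(cfg);
  if (problems.length > 0) throw new Error(problems.join("; "));
  for (const a of existing) {
    if (a.type === "authenticate-oidc" || a.type === "authenticate-cognito") {
      throw new Error("action list already contains an authenticate action");
    }
  }
  // Keep any explicit order the existing actions carry; unordered ones keep their position.
  const rest = existing
    .map((a, i) => ({ a, key: a.order !== undefined ? a.order : i + 1 }))
    .sort((x, y) => x.key - y.key)
    .map((x) => x.a);
  if (rest.length === 0 || TERMINATING_TYPES.indexOf(rest[rest.length - 1].type) === -1) {
    throw new Error("the last action must be forward, redirect or fixed-response");
  }
  const defaults: Partial<AuthenticateOidcConfig> = { scope: "openid", onUnauthenticatedRequest: "authenticate" };
  const auth: Action = { type: "authenticate-oidc", order: 1, authenticateOidcConfig: { ...defaults, ...cfg } };
  return [auth, ...rest.map((a, i) => ({ ...a, order: i + 2 }))];
}

// Constructed sample input (placeholder ARNs): a listener whose only default action
// forwards to a target group, and a config using the Google endpoints from the
// issue body with the secret supplied as a dynamic reference.
export const SAMPLE_FORWARD: Action = {
  type: "forward",
  targetGroupArn: "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef",
};
export const SAMPLE_CONFIG: AuthenticateOidcConfig = {
  authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
  tokenEndpoint: "https://oauth2.googleapis.com/token",
  userInfoEndpoint: "https://openidconnect.googleapis.com/v1/userinfo",
  issuer: "https://accounts.google.com",
  clientId: "example-client-id",
  clientSecret: "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:OauthSecret:SecretString:clientSecretKey}}",
  sessionTimeout: 3600,
};

export function buildSampleActions(): Action[] {
  return prependOidcAuth([SAMPLE_FORWARD], SAMPLE_CONFIG);
}
```

`buildSampleActions()` yields the two-element list the ALB expects: the authenticate-oidc action at order 1 and the forward action at order 2, with `scope` and `onUnauthenticatedRequest` filled from the defaults. Feeding the literal `clientSecret: "2"` from the issue body into `validateOidcConfig` reports exactly the secret problem; an `http://` issuer or a zero timeout are reported as well, and `prependOidcAuth` refuses an empty chain or one that already carries an authenticate action.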
rix0rrr added a commit that referenced this issue May 1, 2020
Add support for more complex Action setups. Adds authentication
using OIDC or Cognito, and proper support for fixed responses,
redirects, and weighted TargetGroup forwarding and stickiness.

Fixes #2563, fixes #6310, fixes #6308.
eladb added a commit that referenced this issue May 5, 2020
Implements `iam.OpenIdConnectProvider` through a custom resource.

See README for details.

Related #5388
Related #3949
Related #6308
@mergify mergify bot closed this as completed in #7741 May 18, 2020
mergify bot pushed a commit that referenced this issue May 18, 2020
feat(elbv2): full Action support

Add support for more complex Action setups. Adds authentication
using OIDC or Cognito, and proper support for fixed responses,
redirects, and weighted TargetGroup forwarding and stickiness.

Fixes #2563, fixes #6310, fixes #6308.