High-level support for AWS::ElasticLoadBalancingV2::Listener AuthenticateOidcConfig

[lanwen]

Currently there is no obvious way other than low-level resources to get https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

To integrate it with the existing listeners, I have to do something like this:

 const listener = elbv2.ApplicationListener.fromApplicationListenerAttributes(this, "InternalVPCListener", { 
            listenerArn: "arn:aws:elasticloadbalancing:..:listener/app/lsdksjfdsf-21IW/9a3d8768a479f7f6/c99babbc37014371",
            securityGroupId: "sg-07a315ff"
        });

        const rule = new elbv2.ApplicationListenerRule(this, "ListenerRule", {
            priority: 5,
            listener: listener,
            hostHeader: 'host.example.com',
        });

        rule.actions[0].order = 2;
        rule.node.defaultChild.actions = cdk.Lazy.anyValue({
            produce: () => [{
                authenticateOidcConfig: {
                    authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
                    clientId: "1",
                    clientSecret: "2",
                    issuer: "https://accounts.google.com",
                    tokenEndpoint: "https://oauth2.googleapis.com/token",
                    userInfoEndpoint: "https://openidconnect.googleapis.com/v1/userinfo"
                },
                type: "authenticate-oidc",
                order: 1
            }, ...rule.actions]
        });

Use Case

Usecase I faced - is to authenticate some target behind ALB like described in the article
https://cloudonaut.io/how-to-secure-your-devops-tools-with-alb-authentication/?ck_subscriber_id=640789667

Proposed Solution

Would be nice to have something in the BaseApplicationListenerRuleProps to address that

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[enricopesce]

I have spent one day and I can't find a way to use oidc.. very difficult, no examples, no documentation :(

[dr3s]

for those using ecs patterns, I had to do this:

const secret = sm.Secret.fromSecretAttributes(this, "OauthSecret", {
      secretArn:
        "arn:aws:secretsmanager:oauthsecretarn",
    });

    const clientSecret = secret.secretValueFromJson("clientSecretKey");

    let listenerCF = service.listener.node.defaultChild as CfnListener;

    listenerCF.defaultActions = cdk.Lazy.anyValue({
      produce: () => [
        {
          authenticateOidcConfig: {
            authorizationEndpoint: "https://mydomain.auth0.com/authorize",
            clientId: "1",
            clientSecret: clientSecret,
            scope: "openid",
            issuer: "https://mydomain.auth0.com/",
            tokenEndpoint: "https://mydomain.auth0.com/oauth/token",
            userInfoEndpoint: "https://mydomain.auth0.com/userinfo",
            sessionCookieName: "AWSELBAuthSessionCookie",
            sessionTimeout: 604800,
            onUnauthenticatedRequest: "authenticate",
            //don't forget to change timeout and cookie name
          },
          type: "authenticate-oidc",
          order: 1,
        },
        ...(<any>service.listener).defaultActions,
      ], // here we pass previous action after our new
    });
    // make sure the previous first action is after auth
    listenerCF.addPropertyOverride("DefaultActions.1.Order", 2);
  }