AWS ALB support for built-in authentication

[kamaz]

At the moment ALB event only support two options allow and deny but there is no option to configure built-in authentication in ALBs.

Use case description

Ability to utilise the ALB and cognito feature to built-in authentication support for in ALBs.

Proposed solution

Extend the existing logic:

serverless/lib/plugins/aws/package/compile/events/alb/lib/validate.js

Line 220 in 3fe2e98

auth.onUnauthenticatedRequest = auth.allowUnauthenticated ? 'allow' : 'deny';

To add a new field for backward compatibility e.g. authenticationMode to support the following options:

• allow
• deny
• authenticate

if both fields authenticationMode and allowUnauthenticated are defined return an error.

Reference Link

https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

[medikoo]

@kamaz great thanks for proposal. It'll definitely be a worthwhile addition. One question.

Will setting authenticate to onUnauthenticatedRequest be all that's needed to configure
built-in authentication? Or will (or may) it need and additional configuration for its fine tuning?

[kamaz]

@medikoo

When it comes to cognito that is the only change required. Of course, there are other types supported like oidc which I'm not sure about. But looking into AWS CloudFormation documentation values are common between both of them.

Link to oidc and cognito CloudFormation:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listenerrule-authenticatecognitoconfig.html#cfn-elasticloadbalancingv2-listenerrule-authenticatecognitoconfig-onunauthenticatedrequest
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listenerrule-authenticateoidcconfig.html#cfn-elasticloadbalancingv2-listenerrule-authenticateoidcconfig-onunauthenticatedrequest

And example condition:

{
    "Type": "authenticate-cognito",
    "AuthenticateCognitoConfig": {
        "UserPoolArn": "arn:aws:cognito-idp:eu-west-2:******:userpool/*****",
        "UserPoolClientId": "******",
        "UserPoolDomain": "******",
        "SessionCookieName": "AWSELBAuthSessionCookie",
        "Scope": "openid",
        "SessionTimeout": 604800,
        "AuthenticationRequestExtraParams": {},
        "OnUnauthenticatedRequest": "authenticate"
    },
    "Order": 1
}

[medikoo]

I suggest that we introduce onUnauthenticatedRequest and support three options 'allow', 'deny' (default as it is now) and 'authenticate'.

In case both (onUnauthenticatedRequest and allowUnauthenticated) are provided. I would silently favor onUnauthenticatedRequest, but I would also deprecate allowUnauthenticated to not support two different ways to achieve same thing.

We've introduced deprecations handling with #7422, first implemented example can be found here: #7759

What do you think?

[kamaz]

Yes, that sounds good. I should have something ready today for initial review.