How to implement the Client Credentials Grant in AWS ALB
I am trying to implement ALB with OIDC for the grant type Client Credentials.

I have entered the Issuer, Token endpoint, Client ID, Client Secret, Authorization endpoint and User info endpoint in the Listeners tab of the ALB.

But I get 400 invalid redirect_uri when trying to access the URL.

Diploid answered 6/11, 2019 at 19:1 Comment(6)
ALB officially supports the authorization code grant flow only. But you don't need any SP part for the client credentials flow. Just create an access token and save it into the authentication session cookie used by ALB. It should work. - Gerena
@JanGaraj - Just OOI, have you ever got this to work? I've been banging my head against this for hours. I've been trying to use curl to make a request which authenticates against Okta using OIDC from my ALB. However, the ALB logs are recording AuthInvalidCookie. Any ideas? - Iconoduly
We changed our architecture, because AWS ALB does not support client credentials. - Diploid
Thanks @ViyaanJhiingade. I was convinced that it should be possible based on their documentation by faking the session cookie with the correct name. For some reason it just didn't work. - Iconoduly
@ViyaanJhiingade - What architecture did you wind up with that supported the client credentials grant? Did you also have to support the Authorization Code Grant? - Perspicuity
@AlexBarnes I'm afraid I was not able to find something like that in their documentation. We ended up writing our own logic to perform the token verification. - Beeson
We explored ALB for client credentials authentication but failed to implement it. After checking with the AWS support team, we got confirmation that AWS ALB doesn't support the Client credentials authentication mechanism and supports only the Authentication code flow.

We switched to AWS API Gateway with a Lambda authoriser to implement the client credentials flow.

Canakin answered 24/3, 2022 at 19:54 Comment(0)
