FusionAuth

    Known-good configuration for OIDC auth from AWS ELB?

    Q&A
    jsp

      Does anyone have FA successfully working as an IdP for AWS Elastic Load Balancer, using ELB's built-in OIDC functionality?

      I have been successfully using ELB with AzureAD as an OIDC IdP, but would like to add a new instance with FusionAuth+passwordless. So far my efforts have not been successful, and I have very little to go on.

      I've been able to get a redirect to the login UI, login works, but then the load balancer returns 500 Internal Server Error at /oauth2/idpresponse?code=[xxx]&locale=en_US&state=[xxx]&userState=Authenticated. As a managed service, AWS is kind of a black box but what bothers me is FA doesn't appear to be doing anything either. Even with debugging enabled, I have yet to see any debugging log of any kind -- I turned it off and on again, re-saved, even created a whole new app and still nothing.

      Amazon suggests a 500 error could be due to communicating with the IdP, but without debugging on either side I can't really determine what's happening.

      I have tried both 1.28.0 and 1.28.1 from deb packages, on Ubuntu 20.04 LTS. Any tips most welcome, I'm scratching my head here.

    joshua

        @jsp

        I am personally not aware of any repos that are community-driven proving this integration. However, from the AWS doc

        HTTP 500: Internal server error
        Possible causes:

        You configured an AWS WAF web access control list (web ACL) and there was an error executing the web ACL rules.

        The load balancer is unable to communicate with the IdP token endpoint or the IdP user info endpoint. Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

        In referencing above:

        • Have you confirmed that your WAF has the correct entries?
        • For the second part, have you verified that you have access to the token and userinfo endpoints from AWS to FusionAuth?

        /oauth2/idpresponse?code=[xxx]&locale=en_US&state=[xxx]&userState=Authenticated.

        The "Authenticated" part of your return URL is encouraging.

        You can also view all FusionAuth logs (you may have already) here:
        https://fusionauth.io/docs/v1/tech/troubleshooting/#logs
        for additional clues.

        Thanks,
        Josh

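A way to perform the second check Josh suggests, as an added example that is not part of the thread or of FusionAuth's own tooling: it reads the IdP's standard OIDC discovery document, pulls out the token and userinfo endpoints the load balancer calls server-side during /oauth2/idpresponse, and interprets what an unauthenticated probe from an EC2 instance in the ALB's subnet and security group gets back. The issuer URL and the sample discovery document are constructed placeholders.

```python
"""Pre-flight reachability check for an ALB OIDC integration (hypothetical helper).
Usage from an instance in the load balancer's subnet:  python alb_oidc_check.py https://auth.example.com
Without an argument it only parses the constructed sample document below."""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample discovery document; the shape is the OIDC one, the values are made up.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
    "token_endpoint": "https://auth.example.com/oauth2/token",
    "userinfo_endpoint": "https://auth.example.com/oauth2/userinfo",
})

def endpoints_from_discovery(doc_text):
    """Return the two endpoints the ALB contacts itself (token, userinfo).
    The browser never sees these calls, so a failure here surfaces only as the ALB's 500."""
    doc = json.loads(doc_text)
    eps = {k: doc[k] for k in ("token_endpoint", "userinfo_endpoint")}
    for name, url in eps.items():
        if not url.startswith("https://"):
            raise ValueError(f"{name} must be https, got {url}")
    return eps

def classify_probe(status):
    """Interpret the HTTP status of an unauthenticated request to an endpoint.
    Any 4xx means the IdP answered, so the ALB can reach it; a 400/401/405 is the
    normal reply without a code or token. None (DNS/timeout/refused) or 5xx is the
    connectivity or IdP problem the AWS doc describes."""
    if status is None:
        return "unreachable"   # check security groups, network ACLs, NAT/internet egress
    if 400 <= status < 500:
        return "reachable"
    if status >= 500:
        return "idp-error"
    return "unexpected"        # a 2xx/3xx without credentials deserves a closer look

def probe(url, timeout=5):
    """GET the URL and return its HTTP status, or None if no HTTP answer came back."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

if __name__ == "__main__":
    issuer = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else None
    text = urllib.request.urlopen(issuer + "/.well-known/openid-configuration").read() if issuer else SAMPLE_DISCOVERY
    for name, url in endpoints_from_discovery(text).items():
        print(name, url, classify_probe(probe(url)) if issuer else "(not probed)")
```

A "reachable" result for both endpoints rules out the network path and points the investigation back at the ALB's client ID/secret and redirect URI configuration instead.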