Aws application load balancer and Okta Oidc

In this article we will see how to add Okta authentication to an AWS Application Load Balancer with Terraform.

Create the Okta Application

From Okta → Applications, click on Add Application and then Create New App.

Select Web as the Platform and OpenID Connect as the Sign on method, then click Create.

Once created, you land on the OpenID integration page.

Name your application.

The login redirect should be your DNS record followed by /oauth2/v1/authorize.

Let's say the record here is myrecord.okta.com.

Once saved, you will be on the application configuration page.

Let's go through some of the settings.

The grant type should be Authorization Code, which means the code is returned from the Authorization Endpoint and all tokens are returned from the Token Endpoint.

Login redirect URIs → should be https://DNS/oauth2/idpresponse. More information: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Logout redirect URIs → can be your Okta tenant or whatever you want.

Login initiated by → App Only

Initiated login URI → you can put your application URL here directly, so the application can be launched from Okta.

In the Client Credentials section you will find two important pieces of information that are used on the Load Balancer.

Client ID ⇒ the application identifier used in the header

Client secret ⇒ the secret used to exchange the authorization code for tokens

Terraform configuration

Now that we have our Okta application configured, we have to write our AWS configuration.

First we create the Load Balancer; follow the Terraform documentation about it: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb

resource "aws_lb" "alb_test" {
  # ALB names may only contain alphanumeric characters and hyphens
  name               = "alb-test"
  subnets            = aws_subnet.public.*.id
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.lb_sg.id]

  tags = {
    Name    = "alb-test"
    Project = "production"
  }
}

Once the Load Balancer is created we can create the target group that we will reach.

resource "aws_lb_target_group" "test_tg" {
  # target group names may only contain alphanumeric characters and hyphens
  name     = "test-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = module.core.main.id
}

resource "aws_lb_target_group_attachment" "test_tga" {
  # register the instance in the target group declared above
  target_group_arn = aws_lb_target_group.test_tg.arn
  target_id        = aws_instance.your_ec2_instance.id
  port             = 80
}

We can now create our Listener settings.

Reminder: a listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to its registered targets.

First we create a listener on the HTTP port and redirect it to HTTPS.

resource "aws_lb_listener" "lb_l_80" {
  load_balancer_arn = aws_lb.alb_test.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    # redirect every plain HTTP request to HTTPS
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

The HTTP listener is redirected to the HTTPS listener that we create now. Its default action is what the Load Balancer executes by default when no listener rule matches the request: here it first authenticates the request with Okta (authenticate-oidc) and then forwards it to the target group. The order of the two default_action blocks matters.

resource "aws_lb_listener" "lb_443" {
  load_balancer_arn = aws_lb.alb_test.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = var.alb_certificate_arn

  # 1. authenticate the user with Okta
  default_action {
    type = "authenticate-oidc"
    authenticate_oidc {
      authorization_endpoint = "https://myrecord.okta.com/oauth2/v1/authorize"
      # string values must be quoted in HCL; in a real configuration the
      # secret belongs in a sensitive variable or a secrets store, not in code
      client_id                  = "0oa6d4cqxdDaSPkTO357"
      client_secret              = "wYfvk4_DW_dBtnMTvf2Gv22EC0-Qhn6wDEBWHswn"
      issuer                     = "https://myrecord.okta.com"
      token_endpoint             = "https://myrecord.okta.com/oauth2/v1/token"
      user_info_endpoint         = "https://myrecord.okta.com/oauth2/v1/userinfo"
      session_cookie_name        = "AWSELBAuthSessionCookie"
      session_timeout            = "300"
      scope                      = "openid profile"
      on_unauthenticated_request = "authenticate"
    }
  }

  # 2. once authenticated, forward to the target group
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test_tg.arn
  }
}

We can take a look at what has been created on the AWS side:

We have now finished: when we reach the Load Balancer we are redirected to Okta. You can add some specific rules; do not hesitate to read more at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule. You are not limited to one Okta app, so you can create as many applications as you have rules on the Load Balancer.
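As an added example (not code from the article), here is how one of those listener rules can protect a path prefix with its own Okta application while keeping the client secret out of the listener block. The variable names, the /admin/* path and the admin_tg target group are assumptions for the illustration; the listener lb_443 is the one created above.

```hcl
# Credentials of the second Okta app, supplied at apply time rather than
# written into the configuration. "sensitive" redacts the value from plan
# and apply output (it is still written to the Terraform state file).
variable "okta_admin_client_id" {
  type = string
}

variable "okta_admin_client_secret" {
  type      = string
  sensitive = true
}

# Hypothetical rule: requests under /admin/ are authenticated against the
# second Okta app and forwarded to a dedicated target group (admin_tg).
resource "aws_lb_listener_rule" "admin_oidc" {
  listener_arn = aws_lb_listener.lb_443.arn
  priority     = 10   # lower number = evaluated first

  condition {
    path_pattern {
      values = ["/admin/*"]
    }
  }

  # Same ordering as the default action: authenticate, then forward.
  action {
    type = "authenticate-oidc"
    authenticate_oidc {
      authorization_endpoint     = "https://myrecord.okta.com/oauth2/v1/authorize"
      token_endpoint             = "https://myrecord.okta.com/oauth2/v1/token"
      user_info_endpoint         = "https://myrecord.okta.com/oauth2/v1/userinfo"
      issuer                     = "https://myrecord.okta.com"
      client_id                  = var.okta_admin_client_id
      client_secret              = var.okta_admin_client_secret
      scope                      = "openid profile"
      # distinct cookie name so this app's session is separate from the
      # default action's AWSELBAuthSessionCookie
      session_cookie_name        = "AWSELBAuthSessionCookie-admin"
      session_timeout            = 300
      on_unauthenticated_request = "authenticate"
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.admin_tg.arn
  }
}
```

Assign only the intended users or groups to the admin app in Okta; users who are not assigned cannot complete the login for that rule even though they can log in to the default application.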

Note: if you are not allowed access to the application, you will get a 401 returned.

Thank you for reading!