AWS ALB Azure AD OIDC Provider

README.md

Example AWS CDK code for adding Azure AD OIDC provider in AWS ALB

AWS documentation https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

You can configure an Application Load Balancer to securely authenticate users as they access your applications. This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.

See also

• https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

aws-cdk-alb-oidc.ts

const exampleAddOidcProviderInAlb = () => {
  const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, `${env}-Alb`, {
    vpc,
    internetFacing: true,
  });

  const zone = route53.HostedZone.fromHostedZoneAttributes(stack, 'HostedZone', zoneAttrs);
  const record = new route53.ARecord(stack, 'ARecord', {
    zone,
    target: route53.RecordTarget.fromAlias(new targets.LoadBalancerTarget(loadBalancer)),
    recordName,
  });
  const cert = new acm.Certificate(stack, 'WildcardCertificate', {
    domainName: `*.${zoneAttrs.zoneName}`,
    validation: acm.CertificateValidation.fromDns(zone),
  });

  // Redirect from HTTP to HTTPS
  loadBalancer.addListener('listener-http', {
    port: 80,
    defaultAction: elbv2.ListenerAction.redirect({
      protocol: 'HTTPS',
      port: '443',
    }),
  });
  const sg = new ec2.SecurityGroup(stack, 'sg', { vpc, });
  // Allow AWS OIDC provider access - https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/
  sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443));
  loadBalancer.addSecurityGroup(sg);

  const httpsListener = loadBalancer.addListener('listener-https', {
    port: 443,
    defaultAction: elbv2.ListenerAction.fixedResponse(503),
    certificates: [cert],
  });
  const target = httpsListener.addTargets('target-https', {
    priority: 20,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/*'])],
    targets: [service],
    port: 80,
    healthCheck,
  });
  httpsListener.addAction('DefaultAction', {
    priority: 10,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/auth/*'])],
    action: elbv2.ListenerAction.authenticateOidc({
      authorizationEndpoint: 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize',
      clientId: CLIENT_ID,
      clientSecret: cdk.SecretValue.secretsManager(`AZURE-AD_CLIENT_SECRET`),
      issuer: 'https://login.microsoftonline.com/<TENANT_ID>/v2.0',
      tokenEndpoint: 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token',
      userInfoEndpoint: 'https://graph.microsoft.com/oidc/userinfo',
      next: elbv2.ListenerAction.forward([target]),
    }),
  });

  httpsListener.addTargets('target-https-unauth', {
    priority: 50,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/unauth*'])],
    targets: [service],
    port: 80,
    healthCheck,
  });
}