AWS::ElasticLoadBalancingV2::ListenerRule AuthenticateOidcConfig

Specifies information required using an identity provide (IdP) that is compliant with OpenID Connect (OIDC) to authenticate users.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "AuthenticationRequestExtraParams" : {Key: Value, ...},
  "AuthorizationEndpoint" : String,
  "ClientId" : String,
  "ClientSecret" : String,
  "Issuer" : String,
  "OnUnauthenticatedRequest" : String,
  "Scope" : String,
  "SessionCookieName" : String,
  "SessionTimeout" : Integer,
  "TokenEndpoint" : String,
  "UseExistingClientSecret" : Boolean,
  "UserInfoEndpoint" : String
}

YAML


  AuthenticationRequestExtraParams: 
    Key: Value
  AuthorizationEndpoint: String
  ClientId: String
  ClientSecret: String
  Issuer: String
  OnUnauthenticatedRequest: String
  Scope: String
  SessionCookieName: String
  SessionTimeout: Integer
  TokenEndpoint: String
  UseExistingClientSecret: Boolean
  UserInfoEndpoint: String

Properties

AuthenticationRequestExtraParams

The query parameters (up to 10) to include in the redirect request to the authorization endpoint.

Required: No

Type: Object of String

Pattern: [a-zA-Z0-9]+

Update requires: No interruption

AuthorizationEndpoint

The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

Required: Yes

Type: String

Update requires: No interruption

ClientId

The OAuth 2.0 client identifier.

Required: Yes

Type: String

Update requires: No interruption

ClientSecret

The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you set UseExistingClientSecret to true.

Required: No

Type: String

Update requires: No interruption

Issuer

The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

Required: Yes

Type: String

Update requires: No interruption

OnUnauthenticatedRequest

The behavior if the user is not authenticated. The following are possible values:

deny - Return an HTTP 401 Unauthorized error.
allow - Allow the request to be forwarded to the target.
authenticate - Redirect the request to the IdP authorization endpoint. This is the default value.

Required: No

Type: String

Allowed values: deny | allow | authenticate

Update requires: No interruption

Scope

The set of user claims to be requested from the IdP. The default is openid.

To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.

Required: No

Type: String

Update requires: No interruption

SessionCookieName

The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.

Required: No

Type: String

Update requires: No interruption

SessionTimeout

The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).

Required: No

Type: Integer

Update requires: No interruption

TokenEndpoint

The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

Required: Yes

Type: String

Update requires: No interruption

UseExistingClientSecret

Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false.

Required: No

Type: Boolean

Update requires: No interruption

UserInfoEndpoint

The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

Required: Yes

Type: String

Update requires: No interruption

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AuthenticateCognitoConfig

FixedResponseConfig