AuthenticateOidcOptions

class aws_cdk.aws_elasticloadbalancingv2.AuthenticateOidcOptions(*, authorization_endpoint, client_id, client_secret, issuer, next, token_endpoint, user_info_endpoint, allow_https_outbound=None, authentication_request_extra_params=None, on_unauthenticated_request=None, scope=None, session_cookie_name=None, session_timeout=None)

Bases: object

Options for ListenerAction.authenciateOidc().

Parameters:

  • authorization_endpoint (str) – The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

  • client_id (str) – The OAuth 2.0 client identifier.

  • client_secret (SecretValue) – The OAuth 2.0 client secret.

  • issuer (str) – The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

  • next (ListenerAction) – What action to execute next.

  • token_endpoint (str) – The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

  • user_info_endpoint (str) – The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.

  • allow_https_outbound (Optional[bool]) – Allow HTTPS outbound traffic to communicate with the IdP. Set this property to false if the IP address used for the IdP endpoint is identifiable and you want to control outbound traffic. Then allow HTTPS outbound traffic to the IdP’s IP address using the listener’s connections property. Default: true

  • authentication_request_extra_params (Optional[Mapping[str, str]]) – The query parameters (up to 10) to include in the redirect request to the authorization endpoint. Default: - No extra parameters

  • on_unauthenticated_request (Optional[UnauthenticatedAction]) – The behavior if the user is not authenticated. Default: UnauthenticatedAction.AUTHENTICATE

  • scope (Optional[str]) – The set of user claims to be requested from the IdP. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP. Default: “openid”

  • session_cookie_name (Optional[str]) – The name of the cookie used to maintain session information. Default: “AWSELBAuthSessionCookie”

  • session_timeout (Optional[Duration]) – The maximum duration of the authentication session. Default: Duration.days(7)

ExampleMetadata:

infused

Example:

# listener: elbv2.ApplicationListener
# my_target_group: elbv2.ApplicationTargetGroup


listener.add_action("DefaultAction",
    action=elbv2.ListenerAction.authenticate_oidc(
        authorization_endpoint="https://example.com/openid",
        # Other OIDC properties here
        client_id="...",
        client_secret=SecretValue.secrets_manager("..."),
        issuer="...",
        token_endpoint="...",
        user_info_endpoint="...",

        # Next
        next=elbv2.ListenerAction.forward([my_target_group])
    )
)

Attributes

allow_https_outbound

Allow HTTPS outbound traffic to communicate with the IdP.

Set this property to false if the IP address used for the IdP endpoint is identifiable and you want to control outbound traffic. Then allow HTTPS outbound traffic to the IdP’s IP address using the listener’s connections property.

Default:

true

See:

https://repost.aws/knowledge-center/elb-configure-authentication-alb

authentication_request_extra_params

The query parameters (up to 10) to include in the redirect request to the authorization endpoint.

Default:

  • No extra parameters

authorization_endpoint

The authorization endpoint of the IdP.

This must be a full URL, including the HTTPS protocol, the domain, and the path.

client_id

The OAuth 2.0 client identifier.

client_secret

The OAuth 2.0 client secret.

issuer

The OIDC issuer identifier of the IdP.

This must be a full URL, including the HTTPS protocol, the domain, and the path.

next

What action to execute next.

on_unauthenticated_request

The behavior if the user is not authenticated.

Default:

UnauthenticatedAction.AUTHENTICATE

scope

The set of user claims to be requested from the IdP.

To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.

Default:

“openid”

The name of the cookie used to maintain session information.

Default:

“AWSELBAuthSessionCookie”

session_timeout

The maximum duration of the authentication session.

Default:

Duration.days(7)

token_endpoint

The token endpoint of the IdP.

This must be a full URL, including the HTTPS protocol, the domain, and the path.

user_info_endpoint

The user info endpoint of the IdP.

This must be a full URL, including the HTTPS protocol, the domain, and the path.