AWS ALB + Cognito ​

ALB checks users’ request headers for an AWSELB authentication session cookie.

ALB redirects unauthenticated users to a login page, which is hosted by AWS Cognito hosted UI.

When users successfully sign in, AWS Cognito redirects them back to the ALB with an authorization grant code

ALB presents the authorization grant code back to the AWS Cognito's token endpoint and receives ID and access tokens.

ALB exchanges the access token with AWS Cognito's user info endpoint for user claims which contains user's email, phone number, etc.

Then ALB redirects user back to the orignial URI, this time setting the AWSELB authentication session cookie.

![[Pasted image 20230221142651.png]]

#aws