How can I use Meta and Amazon Cognito as identity providers to authenticate Application Load Balancer users?

4 minute read
0

I want to use Meta and Amazon Cognito as the identity providers (IdPs) for my Application Load Balancer authentication.

Short description

To securely authenticate users as they access your applications, configure an Application Load Balancer. To allow your applications to focus on business logic, have the load balancer authenticate users. The backend target runs only other business logic or services, such as a user profile and payments. The Application Load Balancer is responsible for only the authentication step and doesn't store user information. Configure Amazon Cognito and Meta to manage and authenticate users.

Resolution

Set up the Meta application

  1. Go to Meta for developers on the Meta website.
  2. In the navigation pane, choose My Apps.
  3. Choose Create App.
  4. Choose Allow people to log in with their Facebook account, and then choose Next.
  5. On the Details page, enter the following information:
    For Add an app name, enter a name for the application.
    For App contact email, enter an email for the application.
    (Optional) For Business Account, connect a business account to the application.
  6. Choose Create app.
  7. In the navigation pane, choose Products.
  8. On the Products page, for Facebook Login, choose Configure, and then choose Quickstart.
  9. Complete the following steps:
    For the applications platform, choose Web.
    For Site URL, enter the domain of the website, choose Save, and then choose Continue.
    For Set up the Facebook SDK for javascript, choose Next.
    For Check Login Status, choose Next.
    For Add the Facebook Login Button, choose Next.

To continue the configuration, you must set up your Amazon Cognito IdP.

Configure the Application Load Balancer and Amazon Cognito

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. Create an Application Load Balancer.
  3. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
  4. Select the Application Load Balancer that you created.
  5. Choose Listeners, and then choose Add listener.
  6. Choose HTTPS:443 or any port with the HTTPS protocol.
  7. For Action, choose Authenticate.
  8. Choose Amazon Cognito.
  9. For Cognito user pool, choose Create new.
  10. For Social IDP, choose Facebook.
  11. Go to Meta for developers on the Meta website.
  12. Select the application that you created.
  13. Choose Settings, and then choose Basic.
  14. Note the App ID.
  15. Choose Show.
  16. Enter your Facebook password, and then select the App Secret.
  17. Return to the Amazon Cognito setup page in the Amazon EC2 console. Then, enter the App ID and the App Secret.
  18. For Authorize scope, enter public_profile.
  19. Under Domain prefix, choose a unique name to append to the Amazon Cognito AWS Regional DNS service. For example, if you specify "abc" as your domain prefix, then your fully qualified domain name (FQDN) is https://abc.auth.us-east-2.amazoncognito.com/.
  20. Choose Create Cognito User pool.
  21. Enter the unique name that you specified in the preceding step.
  22. Add a rule to your HTTPS listener. Choose Forward to:, and then specify the target group name of your Application Load Balancer.
  23. Choose Save.

Complete the Meta application setup

  1. Open the Meta application that you created.
  2. In the navigation pane, choose Products.
  3. On the Products page, for Facebook Login, choose Configure, and then choose Settings.
  4. Under Client OAuth settings, for Valid OAuth Redirect URIs, enter the Amazon Cognito FQDN. Add /oauth2/idresponse as a suffix to the FQDN. For example, https://abc.auth.eu-west-1.amazoncognito.com/oauth2/idpresponse.
  5. Choose Save changes.
  6. In the navigation pane, under Settings, choose Basic.
  7. For App domains, enter the domain name that points to your Application Load Balancer.
  8. Choose Save changes.

Complete the Amazon Cognito setup

  1. Open the Amazon Cognito console.
  2. In the navigation pane, choose User pools.
  3. Choose the user pool that you configured.
  4. Choose App client settings.
  5. For Callback URL(s), enter the domain name that points to the Application Load Balancer. Then, add the /oauth2/idpresponse as a suffix. For example, https://www.example.com/oauth2/idpresponse.

Important: Facebook is a third-party application. The configuration steps can change over time. For the latest updates, refer to Meta's documentation on the Meta website.

Related information

Authenticate users using an Application Load Balancer

Simplify login with Application Load Balancer built-in authentication

Facebook (Identity pools)

Register with a social IdP

AWS OFFICIAL
AWS OFFICIALUpdated 8 months ago