AWS::ElasticLoadBalancingV2::ListenerRule AuthenticateOidcConfig - AWS CloudFormation (original) (raw)
Specifies information required using an identity provide (IdP) that is compliant with OpenID Connect (OIDC) to authenticate users.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"AuthenticationRequestExtraParams" : {Key: Value, ...},
"AuthorizationEndpoint" : String,
"ClientId" : String,
"ClientSecret" : String,
"Issuer" : String,
"OnUnauthenticatedRequest" : String,
"Scope" : String,
"SessionCookieName" : String,
"SessionTimeout" : Integer,
"TokenEndpoint" : String,
"UseExistingClientSecret" : Boolean,
"UserInfoEndpoint" : String
}
YAML
AuthenticationRequestExtraParams:
Key: Value
AuthorizationEndpoint: String
ClientId: String
ClientSecret: String
Issuer: String
OnUnauthenticatedRequest: String
Scope: String
SessionCookieName: String
SessionTimeout: Integer
TokenEndpoint: String
UseExistingClientSecret: Boolean
UserInfoEndpoint: String
Properties
The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
Required: No
Type: Object of String
Pattern: [a-zA-Z0-9]+
Update requires: No interruption
The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
ClientId
The OAuth 2.0 client identifier.
Required: Yes
Type: String
Update requires: No interruption
ClientSecret
The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you setUseExistingClientSecret to true.
Required: No
Type: String
Update requires: No interruption
Issuer
The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
OnUnauthenticatedRequest
The behavior if the user is not authenticated. The following are possible values:
- deny`` - Return an HTTP 401 Unauthorized error.
- allow`` - Allow the request to be forwarded to the target.
- authenticate`` - Redirect the request to the IdP authorization endpoint. This is the default value.
Required: No
Type: String
Allowed values: deny | allow | authenticate
Update requires: No interruption
Scope
The set of user claims to be requested from the IdP. The default isopenid.
To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
Required: No
Type: String
Update requires: No interruption
SessionCookieName
The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
Required: No
Type: String
Update requires: No interruption
SessionTimeout
The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
Required: No
Type: Integer
Update requires: No interruption
TokenEndpoint
The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
UseExistingClientSecret
Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false.
Required: No
Type: Boolean
Update requires: No interruption
UserInfoEndpoint
The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption