
I have a .NET application which has AddAuthentication() and UseAuthentication() for my application. Users are authenticated using Cognito.

  using Microsoft.AspNetCore.Authentication.JwtBearer;
  using Microsoft.IdentityModel.Tokens;

  // Inside ConfigureServices(IServiceCollection services); _config holds the Cognito settings.
  services
      .AddAuthentication(options =>
      {
          options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
          options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
      })
      .AddJwtBearer(options =>
      {
          options.RequireHttpsMetadata = true;
          options.MapInboundClaims = false;                    // keep raw claim names such as cognito:groups
          options.Authority = _config.Cognito.Authority;
          options.MetadataAddress = _config.Cognito.Metadata; // .well-known/openid-configuration URL, fetched over outbound HTTPS on first token validation
          options.TokenValidationParameters = new TokenValidationParameters
          {
              RoleClaimType = "cognito:groups",
              NameClaimType = "username",
              ValidateIssuer = true,
              ValidateAudience = false,                        // aud claim is not checked
              RequireExpirationTime = false                    // tokens without an exp claim are accepted
          };
      });

When I run my application from a local machine and attach it to the Cognito user pool, it works like a charm.

As soon as I try to connect to the same application by DNS name deployed in ECS, I always face the following issue:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://cognito-idp.eu-central-1.amazonaws.com/{userPoolId}/.well-known/openid-configuration'.

All IPv4 addresses are whitelisted for ports 80 and 433 in my ALB. It would be amazing to get some direction on how to deal with the issue.

Thanks!

UPDATE: The ECS cluster is placed in the default VPC and in public subnets with routes to the IGW. In the same cluster, I have a few scheduled tasks that are able to call external APIs without any issues.

2 Answers


  1. Chosen as BEST ANSWER

    Finally, the issue has been solved. As soon as I updated the network type from AWS_VPC to BRIDGE, my ECS service started to send and receive traffic from the internet. Many thanks to Mark for heading me in the right direction.


  2. All ipv4 addresses are whitelisted for 80 and 433 ports in my ALB.

    That error is completely unrelated to your ALB. Your server is trying to connect to that URL to download the OpenID configuration data. The server is initiating a connection to that URL, which does not involve the load balancer at all. Load balancers are only involved with incoming connections and their responses, not outgoing connections.

    Since that URL exists outside of the VPC, the ECS task needs to be configured in one of the two following ways, in order to give it network access to resources outside of the VPC:

    • Have public IP address enabled, and be deployed in a public VPC subnet (a subnet with a route to an Internet Gateway)
    • Be deployed in a private VPC subnet with a route to a NAT Gateway (the NAT Gateway would need to be in a public subnet)
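    To tell an egress problem (the task cannot reach the internet at all) from a configuration problem (wrong Authority or pool), it helps to make the same outbound request the JwtBearer handler makes and see at which layer it fails. The following script is an added example, not code from the question or the answer; it assumes it is run inside the task (for instance via ECS Exec) and that Authority is the Cognito issuer URL, with the pool id as a placeholder.

```python
import json
import socket
import ssl
import sys
import urllib.error
import urllib.request

def metadata_url(authority: str) -> str:
    # The URL the JwtBearer handler derives from Authority when MetadataAddress is unset.
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def default_fetch(url: str, timeout: float = 5.0) -> bytes:
    # Outbound HTTPS from the task itself; an ALB in front of the service never sees it.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def classify(exc: BaseException) -> str:
    """Map a fetch failure to the layer it most likely comes from."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http"                # reached the endpoint, got a non-2xx (e.g. wrong pool id)
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, BaseException):
        return classify(exc.reason)  # urllib wraps the socket-level error
    if isinstance(exc, socket.gaierror):
        return "dns"                 # name resolution failed
    if isinstance(exc, ssl.SSLError):
        return "tls"                 # interception, clock skew or broken trust store
    if isinstance(exc, (TimeoutError, OSError)):
        return "connect"             # no route out: no public IP / NAT, or SG egress blocked
    return "unknown"

def diagnose(authority: str, fetch=default_fetch) -> dict:
    url = metadata_url(authority)
    try:
        body = fetch(url)
    except Exception as exc:         # IDX20803 only says "unable to obtain"; say which layer
        return {"url": url, "stage": classify(exc), "detail": repr(exc)}
    try:
        issuer = json.loads(body).get("issuer", "")
    except ValueError:
        return {"url": url, "stage": "bad_document", "detail": "response is not JSON"}
    if issuer.rstrip("/") != authority.rstrip("/"):
        # ValidateIssuer = true compares a token's iss to this value; a mismatch means a different pool.
        return {"url": url, "stage": "issuer_mismatch", "detail": issuer}
    return {"url": url, "stage": "ok", "detail": issuer}

if __name__ == "__main__":
    # Usage: python3 oidc_egress_check.py https://cognito-idp.<region>.amazonaws.com/<userPoolId>
    print(json.dumps(diagnose(sys.argv[1]), indent=2))
```

    A "dns" or "connect" stage points at the subnet, public IP, NAT or security group egress rules described above; "http" or "issuer_mismatch" means the task has internet access and the problem is in the Cognito settings.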