
We run the following setup:

  • AWS Load Balancer (ALB) with a listener configured to authenticate requests via OIDC. Our OIDC server is Keycloak.
  • When authentication has completed, the request is forwarded to our nginx, which acts as a reverse proxy.
  • Frontends are stored in AWS S3 and proxied through nginx.

This works as expected.

Our problem occurs when calling our backend services from the web browser.

For example:

// Poll the backend once per second through the ALB + nginx reverse proxy.
setInterval(() => {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://our-backend-api-via.reverse.proxy.com');
    xhr.send(); // the ALB session cookie is sent with the request
}, 1000);

This works fine until the AccessToken has expired (60s). Then our backend sees that the token is expired and returns HTTP 401 multiple times. After a while (20 seconds) a new AccessToken is received and the backend responds fine again.

The process of getting a new AccessToken via the AWS ALB seems to be a black box to us; we cannot explain why expired AccessTokens are sent to our backends. Shouldn't the AWS ALB renew the token in time?

2 Answers


  1. Chosen as BEST ANSWER

    It was an implementation error. We had used the original JWT provided by Keycloak to verify the expiration time.

    The correct way is to use the token provided by the ALB via the x-oidc-amazon-data header.
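    What the accepted answer amounts to on the backend side, as an added example that is not code from the question or either answer. It assumes a Node.js backend, that the ALB forwards its own claims token in the `x-amzn-oidc-data` header and the IdP's access token in `x-amzn-oidc-accesstoken` (the header names as AWS documents them; the answer spells the first one differently), and that the ALB token's `exp` sits in the JWT header segment with the payload as a fallback. The ALB token's signature must be verified against the ALB's public key before any of its claims are trusted; that needs a key fetch and is left out of this offline example.

```javascript
// Added example, not from the page: check expiry on the ALB-issued token,
// not on the IdP's original access token. Header names and the location of
// `exp` are assumptions stated in the lead-in. No signature verification here.

function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Returns the numeric `exp` (seconds since epoch) of a compact JWT, or null.
function jwtExpiry(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const exp = header.exp ?? payload.exp; // ALB puts exp in the header segment
  return typeof exp === 'number' ? exp : null;
}

function isExpired(token, nowSeconds) {
  const exp = jwtExpiry(token);
  return exp === null || nowSeconds >= exp; // a missing exp counts as expired
}

// The fix: decide on the ALB-issued claims token, not on the IdP's token.
function authorize(headers, nowSeconds) {
  const albToken = headers['x-amzn-oidc-data'];
  if (!albToken) return 401; // request did not pass through the ALB listener
  return isExpired(albToken, nowSeconds) ? 401 : 200;
}

// Constructed, unsigned sample tokens for illustration only (real ones are signed).
function makeJwt(header, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.`;
}

function demo() {
  const now = 1700000000;
  // Keycloak access token: 60 s lifetime, issued 90 s ago, so already expired.
  const keycloakToken = makeJwt({ alg: 'RS256' }, { sub: 'alice', exp: now - 30 });
  // ALB claims token for the same session, with its own later expiry in the header.
  const albToken = makeJwt({ alg: 'ES256', exp: now + 600 }, { sub: 'alice' });
  const headers = { 'x-amzn-oidc-data': albToken, 'x-amzn-oidc-accesstoken': keycloakToken };
  return {
    checkingIdpToken: isExpired(headers['x-amzn-oidc-accesstoken'], now) ? 401 : 200, // the bug: 401
    checkingAlbToken: authorize(headers, now), // the fix: 200
  };
}
```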


  2. You have the wrong infra for your use case. ALB OIDC auth is intended for webapps. Your case looks like a SPA = the frontend in the browser will be responsible for managing auth state = it will be watching token validity and it will trigger a token refresh before token expiration,…
