As a client app, how do I get the 'x-amzn-oidc-*' headers forwarded to me from Amazon Load Balancers (ALB)?
I'm planning on setting up ALB (Amazon Load Balancer) for authentication. It'll sit in front of my client app and only forward authenticated requests with the access_token and user claim JWTs as headers, x-amzn-oidc-accesstoken + x-amzn-oidc-data respectively [0].
My client application will need to capture these forwarded headers and store them in localStorage for accessing other AWS resources in later requests (ex. S3).
If I'm the client app receiving the ALB request, how would I intercept these headers? Would they come in as a request or response?
[0] See step #10 in the diagram: https://www.exampleloadbalancer.com/auth_detail.html
Solution 1:[1]
These headers wouldn't be received by your client by default. The client makes a request to the ALB and, after the user is authenticated, the ALB would pass the headers to your backend.
If the client needs these headers, your backend could add them to the response headers and your client could then retrieve them there.
That being said, keep in mind that if you do return these headers to the client, anyone using some simple browser debug tools can see the headers and then craft their own requests using them. It may be better to add the functionality that you need to the backend so that no credentials are potentially exposed to users.
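The backend-side approach from the answer, as an added example that is not part of the original post or any AWS code: a Node.js handler verifies the ES256-signed `x-amzn-oidc-data` header and returns only profile fields to the browser, never the access token. The names `verifyAlbClaims`, `handleProfile` and `expectedSigner`, and the returned fields, are assumptions; the ALB public key is passed in as PEM here, whereas a real service would fetch it by the token's `kid`.

```javascript
const crypto = require('node:crypto');

// base64url -> Buffer. Node's decoder also accepts the '=' padding ALB leaves in.
const b64u = (s) => Buffer.from(s, 'base64url');

// Hypothetical helper: verify the ALB-signed user-claims JWT and return its claims.
// publicKeyPem: PEM public key for the token's `kid` (assumed to be fetched and cached elsewhere).
// expectedSigner: ARN of the load balancer that is allowed to sign tokens for this app.
function verifyAlbClaims(jwt, publicKeyPem, expectedSigner, now = Date.now() / 1000) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(b64u(h).toString('utf8'));

  // Pin the algorithm and the signing load balancer before touching the payload.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  if (header.signer !== expectedSigner) throw new Error('unexpected signer');

  // JWS ES256 signatures are raw r||s, which Node calls 'ieee-p1363'.
  const valid = crypto.verify(
    'sha256',
    Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' },
    b64u(s)
  );
  if (!valid) throw new Error('bad signature');

  const claims = JSON.parse(b64u(p).toString('utf8'));
  // Assumption: expiry is read from the payload, falling back to the JWT header.
  const exp = Number(claims.exp ?? header.exp);
  if (!(exp > now)) throw new Error('expired');
  return claims;
}

// Hypothetical handler body: `headers` is the lower-cased request header map.
function handleProfile(headers, publicKeyPem, expectedSigner, now) {
  try {
    const claims = verifyAlbClaims(
      headers['x-amzn-oidc-data'], publicKeyPem, expectedSigner, now
    );
    // x-amzn-oidc-accesstoken stays on the server; it is never echoed back.
    return { status: 200, body: { sub: claims.sub, email: claims.email } };
  } catch (err) {
    // Do not tell the caller which check failed.
    return { status: 401, body: { error: 'unauthenticated' } };
  }
}
```

Calls to other AWS resources such as S3 would then be made by the backend on the user's behalf, so nothing credential-like needs to be stored in localStorage.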
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 |