
feat(elasticloadbalancingv2): add authenticateJwtWithCognito and allowHttpsOutbound for JWT action#37494

Open

badmintoncryer wants to merge 42 commits into aws:main from badmintoncryer:jwt-cognito

Conversation


@badmintoncryer badmintoncryer commented Apr 2, 2026

Issue

None

Reason for this change

When using a Cognito User Pool with ListenerAction.authenticateJwt(), we currently have to manually construct the issuer and JWKS endpoint URLs.

This PR is based on this comment in #36099.

Description of changes

∙ Added ListenerAction.authenticateJwtWithCognito(), which automatically builds the issuer and JWKS endpoint URLs simply by passing a Cognito User Pool.
∙ Added an allowHttpsOutbound option (default: false) to AuthenticateJwtAction that automatically allows outbound HTTPS (port 443) on the ALB Security Group, consistent with the behavior of the OIDC action (AuthenticateOidcAction). To avoid a breaking change, I made the default value false.

Description of how you validated changes

Added both unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
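As an added illustration, not code from the aws-cdk PR itself: plain TypeScript that derives the Cognito issuer and JWKS endpoint the way the description says authenticateJwtWithCognito() does, and applies the synth-time checks the commit message names (HTTPS scheme, 256-character limit) to both URLs. The function names, and reading the region out of the user pool id, are assumptions made here; the CDK construct would take the region from the user pool resource.

```typescript
// Added example, not the aws-cdk implementation.

interface JwtEndpoints {
  issuer: string;
  jwksEndpoint: string;
}

// Cognito user pool ids have the form "<region>_<suffix>", e.g. "us-east-1_AbCdEf123".
// Assumption: the region is parsed from the id; the real construct reads it from the stack.
function cognitoJwtEndpoints(userPoolId: string): JwtEndpoints {
  const m = /^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$/.exec(userPoolId);
  if (!m) {
    throw new Error(`unexpected Cognito user pool id: ${userPoolId}`);
  }
  const region = m[1];
  // Standard Cognito issuer and JWKS locations for a user pool.
  const issuer = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  return { issuer, jwksEndpoint: `${issuer}/.well-known/jwks.json` };
}

// Mirrors the checks the commit describes for AuthenticateJwtAction. The ALB
// fetches token-signing keys from jwksEndpoint, so a plain-http URL would let
// an on-path party hand the load balancer substitute keys; catching that at
// synth time is cheaper than a failed or, worse, a silently weak deployment.
function validateJwtEndpoints(e: JwtEndpoints): string[] {
  const errors: string[] = [];
  const fields: Array<[string, string]> = [
    ['issuer', e.issuer],
    ['jwksEndpoint', e.jwksEndpoint],
  ];
  for (const [name, value] of fields) {
    if (!value.startsWith('https://')) {
      errors.push(`${name} must use https://, got ${value}`);
    }
    if (value.length > 256) {
      errors.push(`${name} must be at most 256 characters, got ${value.length}`);
    }
  }
  return errors;
}

// Constructed sample pool id; the validator reports nothing for the derived URLs.
const sample = cognitoJwtEndpoints('us-east-1_AbCdEf123');
const sampleErrors = validateJwtEndpoints(sample);
```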

badmintoncryer and others added 30 commits November 19, 2025 08:02
…tication options

Add HTTPS protocol and 256-character length validation for jwksEndpoint
and issuer in AuthenticateJwtAction, catching misconfigurations at
synth-time rather than deploy-time.
Update UnscopedValidationError calls in AuthenticateJwtAction to use
lit`...` tagged template literals for error code names, as required by
the LiteralString branded type introduced in aws#37381.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@badmintoncryer badmintoncryer marked this pull request as ready for review April 6, 2026 14:59
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 7, 2026
…wtWithCognito and warning when disabled

- Add allowHttpsOutbound option to AuthenticateJwtWithCognitoOptions
- Pass allowHttpsOutbound through to AuthenticateJwtAction in authenticateJwtWithCognito
- Emit annotation warning when allowHttpsOutbound is false to remind users
  to configure outbound HTTPS in the ALB's security group manually

Labels

- distinguished-contributor [Pilot] contributed 50+ PRs to the CDK
- p2
- pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
- pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes.
