aws-elasticloadbalancingv2: ALB loadBalancerDnsName token does not resolve #26103
Comments
Using runtime logic (in this case,

```yaml
CallbackURLs:
  - https://${token[token.744]}/oauth2/idpresponse
  - https://${token[token.744]}/
ClientName: UserPoolClient
GenerateSecret: true
LogoutURLs:
  - https://${token[token.744]}/
```

You can't use synth time logic on something not known until deploy time. If you remove the

```yaml
CallbackURLs:
  - Fn::Join:
      - ""
      - - https://
        - Fn::GetAtt:
            - Alb16C2F182
            - DNSName
        - /oauth2/idpresponse
  - Fn::Join:
      - ""
      - - https://
        - Fn::GetAtt:
            - Alb16C2F182
            - DNSName
        - /
ClientName: UserPoolClient
GenerateSecret: true
LogoutURLs:
  - Fn::Join:
      - ""
      - - https://
        - Fn::GetAtt:
            - Alb16C2F182
            - DNSName
        - /
```

Though, if you absolutely need to transform the name to lowercase, there will need to be a bit of a workaround.
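A pre-deploy check for the failure described in the comment above, as an added example that is not code from the issue or from the CDK project: it walks a synthesized template and reports every string value that still contains a token placeholder, which CloudFormation would store literally instead of resolving. The template contents, the `BrokenClient` and `FixedClient` logical IDs, and the function name are constructed for illustration; the placeholder pattern follows the `${token[token.744]}` text shown above.

```typescript
// Added example (not from the issue or the CDK code base).
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface Finding {
  path: string;  // where in the template the literal sits
  value: string; // the string CloudFormation would store as-is
}

// Case-insensitive so it catches a placeholder in its original casing as well
// as the lowercased form from the issue, "${token[token.744]}".
const TOKEN_PLACEHOLDER = /\$\{token\[[^\]]*\]\}/i;

// Recursively collect every string value that still embeds a placeholder.
function findUnresolvedTokens(node: Json, path: string = "$"): Finding[] {
  const found: Finding[] = [];
  if (typeof node === "string") {
    if (TOKEN_PLACEHOLDER.test(node)) found.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) =>
      found.push(...findUnresolvedTokens(item, path + "[" + i + "]")));
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      const child = node[key];
      if (child !== undefined) found.push(...findUnresolvedTokens(child, path + "." + key));
    }
  }
  return found;
}

// Constructed template: one client with the mangled literals, one with intrinsics.
const sampleTemplate: Json = {
  Resources: {
    BrokenClient: {
      Type: "AWS::Cognito::UserPoolClient",
      Properties: {
        CallbackURLs: ["https://${token[token.744]}/oauth2/idpresponse", "https://${token[token.744]}/"],
        LogoutURLs: ["https://${token[token.744]}/"],
      },
    },
    FixedClient: {
      Type: "AWS::Cognito::UserPoolClient",
      Properties: {
        CallbackURLs: [{ "Fn::Join": ["", ["https://", { "Fn::GetAtt": ["Alb16C2F182", "DNSName"] }, "/oauth2/idpresponse"]] }],
      },
    },
  },
};

const findings = findUnresolvedTokens(sampleTemplate); // three findings, all under BrokenClient
```

Run over the template JSON that `cdk synth` writes to `cdk.out`, a non-empty result is a reason to fail the pipeline before the user pool client is created with callback URLs that can never match.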
From the docs, "The callback URL in the app client settings must use all lowercase letters." When I omit Also, this is related to #11171. That suggests using a custom resource, which I suppose I could try although it seems to be an unconfirmed fix.
Yes, I was going to suggest using a custom resource as well. If you have it take in the It looks like these are the same issues, so I'm going to close this in favor of that one.
Describe the bug
Start with an ALB:
Now try to use that ALB's `loadBalancerDnsName` attribute in a Cognito User Pool Client's callback urls:
With the above, I expect the token for the `alb.loadBalancerDnsName` to resolve much the same as an S3 bucket's name would resolve when setting it as an environment variable for a lambda function (which is shown in the docs for Tokens here).
The issue is that the tokens do not resolve. If I look at the user pool client in the AWS console, you'll see:
Naturally this results in a `redirect_mismatch` error when trying to authenticate after visiting the ALB DNS:
Expected Behavior
I expected the tokens for the load balancer's DNS name to resolve.
Current Behavior
The token values do not resolve.
Reproduction Steps
Here's a stack to reproduce:
Possible Solution
No idea. Current workaround is deploying the ALB first, grabbing the DNS as a `CfnOutput`, and then hardcoding. Not very ideal from an automation standpoint.
Additional Information/Context
I've tried using Token.asString to generate a string encoding and calling `.toString()` on the token object, but the result is the same. However, that was merely out of desperation since the `alb.loadBalancerDnsName` is supposed to already be a String.
Additionally, the token does resolve when I use it to set an environment variable in an ECS container:
CDK CLI Version
2.85.0 (build 4e0d726)
Framework Version
No response
Node.js Version
16.20
OS
WSL (Ubuntu 22.04.2)
Language
Typescript
Language Version
4.9.4
Other information
No response