Specifies information required using an identity provide (IdP) that is compliant with OpenID Connect (OIDC) to authenticate users.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"AuthenticationRequestExtraParams" : {Key: Value, ...},
"AuthorizationEndpoint" : String,
"ClientId" : String,
"ClientSecret" : String,
"Issuer" : String,
"OnUnauthenticatedRequest" : String,
"Scope" : String,
"SessionCookieName" : String,
"SessionTimeout" : String,
"TokenEndpoint" : String,
"UseExistingClientSecret" : Boolean,
"UserInfoEndpoint" : String
}
YAML
AuthenticationRequestExtraParams:
Key: Value
AuthorizationEndpoint: String
ClientId: String
ClientSecret: String
Issuer: String
OnUnauthenticatedRequest: String
Scope: String
SessionCookieName: String
SessionTimeout: String
TokenEndpoint: String
UseExistingClientSecret: Boolean
UserInfoEndpoint: String
Properties
AuthenticationRequestExtraParams-
The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
Required: No
Type: Object of String
Pattern:
[a-zA-Z0-9]+Update requires: No interruption
-
The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
ClientId-
The OAuth 2.0 client identifier.
Required: Yes
Type: String
Update requires: No interruption
ClientSecret-
The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you set
UseExistingClientSecretto true.Required: No
Type: String
Update requires: No interruption
Issuer-
The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
OnUnauthenticatedRequest-
The behavior if the user is not authenticated. The following are possible values:
-
deny
- Return an HTTP 401 Unauthorized error. -
allow
- Allow the request to be forwarded to the target. -
authenticate
- Redirect the request to the IdP authorization endpoint. This is the default value.
Required: No
Type: String
Allowed values:
deny | allow | authenticateUpdate requires: No interruption
-
Scope-
The set of user claims to be requested from the IdP. The default is
openid.To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
Required: No
Type: String
Update requires: No interruption
-
The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
Required: No
Type: String
Update requires: No interruption
SessionTimeout-
The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
Required: No
Type: String
Update requires: No interruption
TokenEndpoint-
The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
UseExistingClientSecret-
Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false.
Required: No
Type: Boolean
Update requires: No interruption
UserInfoEndpoint-
The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
Required: Yes
Type: String
Update requires: No interruption
