500 error when authenticating with ALB + AWS Cognito

Time: 2019-01-15 01:58:04

Tags: amazon-web-services aws-api-gateway amazon-cognito aws-application-load-balancer

I am trying to authenticate a Lambda behind an AWS ALB + Cognito. When I hit the DNS name, it redirects me to the login page, where I can sign up and verify the user. I can also see that the user has been added to the users in the user pool. After logging in, it shows 500 Internal Server Error. I can see in the logs that the default action, forwarding to the function, is executed in the background.

I am not sure why it does not redirect to / execute the Lambda after the user has been authenticated. Could you give me some insight into what I might be missing in this setup?

I have set up the Lambda, ALB and Cognito in Terraform.

# User pool: users sign in with email or preferred_username, email is
# auto-verified with a code.
resource "aws_cognito_user_pool" "pool" {
  name             = "alb-test-userpool"
  alias_attributes = ["email", "preferred_username"]

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }

  email_verification_subject = "Device Verification Code"
  email_verification_message = "Please use the following code {####}"
  sms_verification_message   = "{####} Baz"
  auto_verified_attributes   = ["email"]

  password_policy {
    minimum_length    = 8
    require_lowercase = false
    require_numbers   = false
    require_symbols   = false
    require_uppercase = false
  }

  tags {
    "Name" = "alb pool"
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    mutable             = false
    required            = true
  }
}

# App client used by the ALB's authenticate-cognito action. The ALB needs a
# client secret and the authorization-code flow with the openid scope; the
# callback URL must be the ALB's /oauth2/idpresponse path.
resource "aws_cognito_user_pool_client" "client" {
  name                                 = "alb-test-user-client"
  user_pool_id                         = "${aws_cognito_user_pool.pool.id}"
  generate_secret                      = true
  allowed_oauth_flows_user_pool_client = true
  supported_identity_providers         = ["COGNITO"]
  callback_urls                        = ["https://internal-****-****.us-west-2.elb.amazonaws.com/oauth2/idpresponse"]
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid"]
  explicit_auth_flows                  = ["ADMIN_NO_SRP_AUTH"]
}

# Hosted UI domain the ALB redirects users to for login.
resource "aws_cognito_user_pool_domain" "pool_domain" {
  domain       = "${var.domain}"
  user_pool_id = "${aws_cognito_user_pool.pool.id}"
}

1 answer:

Answer 0 (score: 0)

The load balancer cannot communicate with the IdP token endpoint or the IdP user info endpoint. Verify that the load balancer's security group and the VPC's network ACLs allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

AWS docs about 500 issues
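The answer lists three things to verify: the security group's egress, the network ACL, and a route out of the VPC. The following is an added example (not code from the question or the answer) that performs those checks offline against constructed data shaped like the output of `aws ec2 describe-security-groups`, `describe-network-acls` and `describe-route-tables`; the IdP IP address, the resource IDs and the VPC CIDR are placeholders. It goes one step beyond the answer's wording: because network ACLs are stateless, it also checks that the IdP's responses are allowed back in on the ephemeral port range 1024-65535, which is the case most often missed when only the egress rule is reviewed.

```python
"""Offline check of the path an ALB needs to reach the Cognito token and
userinfo endpoints (TCP/443 to a public IP). Nothing is fetched from AWS;
the dicts below are constructed samples in the shape of EC2 API output."""
import ipaddress

# Constructed sample: stateful security group allowing HTTPS out to anywhere.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: NACL that allows HTTPS out but only admits intra-VPC
# traffic back in, so the IdP's replies to ephemeral ports are dropped.
NETWORK_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
         "CidrBlock": "10.0.0.0/16"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
    ],
}

# Constructed sample: private subnet route table with a NAT gateway default route.
ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
    ],
}

EPHEMERAL = (1024, 65535)  # range AWS documents for NACL return traffic


def _covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_egress(sg, ip, port, proto="tcp"):
    """Security groups are stateful: only the outbound rule has to match."""
    for perm in sg.get("IpPermissionsEgress", []):
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(_covers(r["CidrIp"], ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_decision(nacl, egress, ip, port, proto_num="6"):
    """NACLs are stateless and evaluated lowest rule number first; the first
    matching entry decides. Returns "allow" or "deny" (implicit deny if none)."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", proto_num):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if not _covers(e["CidrBlock"], ip):
            continue
        return e["RuleAction"]
    return "deny"


def nacl_allows_port_range(nacl, egress, ip, lo, hi, proto_num="6"):
    """The decision only changes where some entry's port range starts or ends,
    so testing lo and every boundary inside [lo, hi] covers every port."""
    points = {lo}
    for e in nacl["Entries"]:
        pr = e.get("PortRange")
        if pr:
            points.update(p for p in (pr["From"], pr["To"] + 1) if lo <= p <= hi)
    return all(nacl_decision(nacl, egress, ip, p, proto_num) == "allow" for p in points)


def route_to_internet(rt):
    """Target of the 0.0.0.0/0 route, or None if the subnet has no way out of the VPC."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None


def check_idp_egress(sg, nacl, rt, idp_ip):
    """Return the list of reasons the ALB could fail to reach the IdP endpoint
    at idp_ip; an empty list means every check passed."""
    problems = []
    if not sg_allows_egress(sg, idp_ip, 443):
        problems.append("security group has no egress rule for tcp/443 to the IdP")
    if nacl_decision(nacl, True, idp_ip, 443) != "allow":
        problems.append("network ACL denies egress tcp/443 to the IdP")
    if not nacl_allows_port_range(nacl, False, idp_ip, *EPHEMERAL):
        problems.append("network ACL denies the IdP's return traffic on ephemeral ports 1024-65535")
    target = route_to_internet(rt)
    if target is None:
        problems.append("no default route: add a NAT gateway (internal ALB) or internet gateway route")
    elif not target.startswith(("nat-", "igw-")):
        problems.append("default route targets %s, not a NAT or internet gateway" % target)
    return problems


if __name__ == "__main__":
    for p in check_idp_egress(SECURITY_GROUP, NETWORK_ACL, ROUTE_TABLE, "52.0.0.1"):
        print("PROBLEM:", p)
```

With the sample data the security group and the route pass and the only finding is the missing ingress allow for ephemeral ports; in a real VPC, feed the functions the JSON returned by the three `describe-*` calls for the subnets the ALB is attached to, and remember that Cognito's endpoint IPs change, so the rules should be written for 0.0.0.0/0 (or a prefix list) rather than a single address.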