
ECS Service can't obtain configuration from Cognito

Question


I have a .NET application which has AddAuthentication() and UseAuthentication() for my application. Users are authenticated using Cognito.

    services
        .AddAuthentication(options =>
        {
            // Incoming requests are authenticated with bearer JWTs issued by the Cognito user pool
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.RequireHttpsMetadata = true;
            options.MapInboundClaims = false;
            options.Authority = _config.Cognito.Authority;
            // Discovery document ({Authority}/.well-known/openid-configuration); the handler
            // fetches it at startup / first request, so the task needs outbound HTTPS to reach it
            options.MetadataAddress = _config.Cognito.Metadata;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                RoleClaimType = "cognito:groups",
                NameClaimType = "username",
                ValidateIssuer = true,
                ValidateAudience = false,
                RequireExpirationTime = false
            };
        });

When I run my application from a local machine and attach it to the Cognito user pool, it works like a charm.

As soon as I try to connect to the same application, deployed in ECS, by its DNS name, I always face the following issue:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://cognito-idp.eu-central-1.amazonaws.com/{userPoolId}/.well-known/openid-configuration'.

All IPv4 addresses are whitelisted for ports 80 and 433 in my ALB. It would be amazing to get some direction on how to deal with the issue.

Thanks!

UPDATE: The ECS cluster is placed in the default VPC, in public subnets with routes to an IGW. In the same cluster, I have a few scheduled tasks that are able to call external APIs without any issues.

Answer 1

Score: 1


> All ipv4 addresses are whitelisted for 80 and 433 ports in my ALB.

That error is completely unrelated to your ALB. Your server is trying to connect to that URL to download the OpenID configuration data. The server is initiating a connection to that URL, which does not involve the load balancer at all. Load balancers are only involved with incoming connections and their responses, not outgoing connections.

Since that URL exists outside of the VPC, the ECS task needs to be configured in one of the two following ways, in order to give it network access to resources outside of the VPC:

  • Have public IP address enabled, and be deployed in a public VPC subnet (a subnet with a route to an Internet Gateway)
  • Be deployed in a private VPC subnet with a route to a NAT Gateway (the NAT Gateway would need to be in a public subnet)
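As an added illustration, not part of either answer, the following Python checker applies the two conditions above to an awsvpc-mode task's network configuration and the VPC route tables. The input shapes mirror the AWS CLI `describe-services` / `describe-route-tables` output; every id and CIDR below is a constructed sample.

```python
from typing import Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route_target(route_table: dict) -> Optional[str]:
    """Return the gateway id that the active 0.0.0.0/0 route points at, if any."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue
        # IGW routes carry GatewayId, NAT Gateway routes carry NatGatewayId
        return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def route_table_for_subnet(subnet_id: str, route_tables: list) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_path(awsvpc_config: dict, route_tables: list) -> str:
    """Classify the task's egress as 'igw', 'nat' or 'none'.
    ECS may place the task in any listed subnet, so one bad subnet means 'none'."""
    public_ip = awsvpc_config.get("assignPublicIp") == "ENABLED"
    results = set()
    for subnet_id in awsvpc_config["subnets"]:
        rt = route_table_for_subnet(subnet_id, route_tables)
        target = default_route_target(rt) if rt else None
        if target and target.startswith("igw-"):
            # An IGW route only helps if the task ENI actually has a public IP
            results.add("igw" if public_ip else "none")
        elif target and target.startswith("nat-"):
            results.add("nat")
        else:
            results.add("none")
    return "none" if "none" in results else "+".join(sorted(results))


# Constructed sample: default VPC with an IGW route, as in the question
SAMPLE_ROUTE_TABLES = [{
    "Associations": [{"Main": True}],
    "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
               {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}]
NO_PUBLIC_IP = {"subnets": ["subnet-0example"], "assignPublicIp": "DISABLED"}
WITH_PUBLIC_IP = {"subnets": ["subnet-0example"], "assignPublicIp": "ENABLED"}
```

With `NO_PUBLIC_IP` the checker reports `none` (the symptom in the question), with `WITH_PUBLIC_IP` it reports `igw`.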

Answer 2

Score: 0


Finally, the issue has been solved. As soon as I updated the network type from AWS_VPC to BRIDGE, my ECS service started to send and receive traffic from the internet. Many thanks to Mark for heading me in the right direction.

huangapple
  • Posted on 25 June 2023, 21:35:35
  • Please keep this link when reposting: https://go.coder-hub.com/76550670.html