AWS ALB Pre-Authentication - 561 Authentication Error


Raffael Grob

Feb 15, 2023, 5:43:26 PM
to Keycloak User
Hello
I configured the AWS Application Load Balancer to authenticate an app using Keycloak.
When accessing the app, the Keycloak login works on Keycloak, but when returning to the app, I see 561 Authentication Error. I guess the error occurs when the ALB requests the Access Token.
The ALB has access to the Keycloak endpoints. The problem is that I can't see any error in the Keycloak (TRACE) logs.

In an earlier post, https://groups.google.com/g/keycloak-user/c/tQTWcEvsL6g, the same issue has been mentioned. The proposed solution at the time was to create a custom Mapper. This is quite an expensive approach. Has anybody found another way to fix this? Or can someone confirm that a custom OIDCAccessTokenResponseMapper fixed the issue?
Thanks for helping here!
Raffael

Raffael Grob

Feb 16, 2023, 7:10:43 AM
to Keycloak User
It turned out that this issue is an AWS WAF issue and not a Keycloak issue: the rule "awswaf:managed:aws:core-rule-set:NoUserAgent_Header" was triggered, as the ALB did not send a User-Agent.
Still unresolved is how the ALB can provide a User-Agent; I am looking for such a solution now.
But for those having a similar setup (INTERNET -> AWS WAF -> ALB -> KEYCLOAK): this can be a pitfall when using AWS-provided WAF rules.
The good thing is that Keycloak isn't the problem.
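The diagnosis in this thread (WAF blocking the ALB's back-channel token request because it carries no User-Agent) can be confirmed from the WAF web ACL logs rather than from Keycloak, which never sees the blocked request. The following is an added example, not code from the thread or from AWS: it scans WAF log records (the documented JSON layout with `action`, `labels` and `httpRequest.headers`), keeps the records that were blocked with the `NoUserAgent_Header` label, and groups them by request URI so that hits on the Keycloak token endpoint stand out. The log records, the ARNs and the realm name are constructed placeholders.

```python
import json
from collections import Counter

# Label that the AWS managed Core rule set attaches when the request has no User-Agent header.
NO_UA_LABEL = "awswaf:managed:aws:core-rule-set:NoUserAgent_Header"

# Keycloak's OIDC token endpoint path (the ALB calls this with the authorization code).
TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"


def _record(action, rule_id, uri, headers, labels, method="GET", client_ip="10.0.1.25"):
    """Build one constructed WAF log record in the documented field layout (sample data only)."""
    return json.dumps({
        "timestamp": 1676482800000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:eu-central-1:123456789012:regional/webacl/example/PLACEHOLDER",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": "MANAGED_RULE_GROUP" if rule_id != "Default_Action" else "REGULAR",
        "action": action,
        "httpSourceName": "ALB",
        "httpSourceId": "123456789012-app/example-alb/PLACEHOLDER",
        "labels": [{"name": name} for name in labels],
        "httpRequest": {
            "clientIp": client_ip,
            "httpMethod": method,
            "uri": uri,
            "headers": [{"name": k, "value": v} for k, v in headers.items()],
        },
    })


# Constructed sample log lines: two blocked back-channel token requests without a
# User-Agent, one ordinary browser request that was allowed, and one unrelated block.
SAMPLE_WAF_LOGS = [
    _record("BLOCK", "AWS-AWSManagedRulesCommonRuleSet",
            "/realms/example" + TOKEN_PATH_SUFFIX,
            {"Host": "keycloak.example.internal", "Content-Type": "application/x-www-form-urlencoded"},
            [NO_UA_LABEL], method="POST"),
    _record("ALLOW", "Default_Action",
            "/realms/example/protocol/openid-connect/auth",
            {"Host": "keycloak.example.internal", "User-Agent": "Mozilla/5.0 (constructed)"},
            [], client_ip="203.0.113.7"),
    _record("BLOCK", "AWS-AWSManagedRulesCommonRuleSet",
            "/realms/example" + TOKEN_PATH_SUFFIX,
            {"Host": "keycloak.example.internal", "Content-Type": "application/x-www-form-urlencoded"},
            [NO_UA_LABEL], method="POST"),
    _record("BLOCK", "AWS-AWSManagedRulesCommonRuleSet",
            "/",
            {"Host": "keycloak.example.internal", "User-Agent": "curl/8.0 (constructed)"},
            ["awswaf:managed:aws:core-rule-set:SizeRestrictions_QUERYSTRING"], client_ip="198.51.100.9"),
]


def header_value(record, name):
    """Return a request header value from a WAF log record, matching the name case-insensitively."""
    for header in record.get("httpRequest", {}).get("headers", []):
        if header.get("name", "").lower() == name.lower():
            return header.get("value")
    return None


def find_no_user_agent_blocks(log_lines):
    """Return the parsed records that WAF blocked because the NoUserAgent_Header rule fired."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        labels = {label.get("name") for label in rec.get("labels", [])}
        if rec.get("action") == "BLOCK" and NO_UA_LABEL in labels:
            hits.append(rec)
    return hits


def summarize_by_uri(records):
    """Count blocked requests per URI so the affected endpoint (e.g. the token endpoint) is visible."""
    return Counter(rec["httpRequest"]["uri"] for rec in records)


def token_endpoint_blocks(records):
    """Subset of records whose URI is the Keycloak token endpoint, i.e. the ALB's code exchange."""
    return [rec for rec in records if rec["httpRequest"]["uri"].endswith(TOKEN_PATH_SUFFIX)]


if __name__ == "__main__":
    blocked = find_no_user_agent_blocks(SAMPLE_WAF_LOGS)
    for uri, count in summarize_by_uri(blocked).items():
        print(f"{count} request(s) without User-Agent blocked on {uri}")
    for rec in token_endpoint_blocks(blocked):
        print("token endpoint hit from", rec["httpRequest"]["clientIp"],
              "User-Agent:", header_value(rec, "User-Agent"))
```

If every blocked token-endpoint request comes from the ALB's own addresses and none carries a User-Agent, the WAF rule, not Keycloak, is the cause, which is what the post concludes. In AWS WAF the usual remediation is a rule action override for that single managed rule (count instead of block) or a scope-down statement limited to the token path, so the rest of the Core rule set keeps blocking.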