(aws_elasticloadbalancingv2): authenticate_oidc SessionTimeout requires different type if used in Listener or ListenerRule
Describe the bug
I'm creating an elbv2 ListenerAction with CDK v2.38.1 as follows:
    action=elbv2.ListenerAction.authenticate_oidc(
        authorization_endpoint="https://example.com/",
        client_id=client_id,
        client_secret=client_secret,
        issuer="https://my.issuer",
        token_endpoint="https://my/token",
        user_info_endpoint="https://my/userinfo",
        session_timeout=Duration.minutes(60),
        next=elbv2.ListenerAction.redirect(...)
    )
No matter what I put in for the session_timeout parameter it gives an error. If I use an int or a string then it asks for a Duration, but if I use a Duration I get an error saying it "should be a number".
Expected Behavior
Allow me to use a Duration (e.g. Duration.minutes(60)) object for session_timeout.
Current Behavior
When I use a Duration object (e.g. Duration.minutes(60)) I get the following error:
authenticateOidcConfig: supplied properties not correct for "AuthenticateOidcConfigProperty" sessionTimeout: "3600" should be a number.
Reproduction Steps
Use a Duration object in the session_timeout parameter field in an elbv2.ListenerAction.authenticate_oidc.
CDK CLI Version
2.38.1
Node.js Version
n/a
OS
MacOS
Language
Python
Hey @peterfranzen, I'm unable to reproduce this with Python on the same version. Can you try reinstalling your packages, or are you able to reproduce this on a fresh project? Thanks.
Here's my code which synthesizes:

    elbv2.ListenerAction.authenticate_oidc(
        authorization_endpoint='asdfasdf',
        client_id='asfasdf',
        client_secret=secrets.Secret(self, 'Secret').secret_value,
        issuer='asdfas',
        token_endpoint='asdgseg',
        user_info_endpoint='fsdgaeg',
        next=elbv2.ListenerAction.forward([group]),
        session_timeout=Duration.minutes(60)
    )
Thanks, I isolated this a bit more and I have a little more context. When I create just that construct alone it does work with no errors.
However, I'm creating a number of elbv2.ApplicationListenerRules in a for loop. When I exclude the session_timeout variable the loop works and each of my ListenerRules synth just fine, but when I do include the Duration object then I get the error. The following does not work:
    for rule in ruleList:
        AppRedirectRule = elbv2.ApplicationListenerRule(self, rule['rulename'],
            ...
            action=elbv2.ListenerAction.authenticate_oidc(
                authorization_endpoint='asdfasdf',
                client_id='asfasdf',
                client_secret=secrets.Secret(self, 'Secret').secret_value,
                issuer='asdfas',
                token_endpoint='asdgseg',
                user_info_endpoint='fsdgaeg',
                next=elbv2.ListenerAction.forward([group]),
                session_timeout=Duration.minutes(60)
            )
        )
Am I approaching creating this wrong? Is there something about Duration that doesn't allow it to be used within a loop? The Duration error comes up even if the loop only runs once.
Ok I think I figured out what's going wrong
We take in the Duration passed by the user, convert it to seconds, and pass it as a string here https://github.com/aws/aws-cdk/blob/d48690e9027c6fd7ea85b44f0ad5f2bb6308d95a/packages/%40aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener-action.ts#L44
CloudFormation specifies that Listener.AuthenticateOidcConfig takes in a string for SessionTimeout
https://github.com/aws/aws-cdk/blob/d48690e9027c6fd7ea85b44f0ad5f2bb6308d95a/packages/%40aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_ElasticLoadBalancingV2.json#L163-L168
However, CloudFormation specifies that ListenerRule.AuthenticateOidcConfig takes in a number
https://github.com/aws/aws-cdk/blob/d48690e9027c6fd7ea85b44f0ad5f2bb6308d95a/packages/%40aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_ElasticLoadBalancingV2.json#L487-L492
We are trying to pass in this duration as a string into ListenerRule.AuthenticateOidcConfig, which will break because it is expecting a number. We need to ensure that this is generated as a number if used in a ListenerRule.
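The type mismatch described in the comment above, expressed as a check over a CloudFormation template (for example one that is hand-written or patched with property overrides). This is an added example, not code from the issue or from the CDK project; the function name `check_session_timeouts` and the sample template are constructed, and the expected types are the ones stated in the comment (string for Listener, number for ListenerRule).

```python
import json

# Expected type of AuthenticateOidcConfig.SessionTimeout per resource type, as
# stated in the comment above: (property holding the actions, expected type).
EXPECTED = {
    "AWS::ElasticLoadBalancingV2::Listener": ("DefaultActions", str),
    "AWS::ElasticLoadBalancingV2::ListenerRule": ("Actions", int),
}

def check_session_timeouts(template, fix=False):
    """Return (logical_id, resource_type, offending_value) for each mismatch.

    With fix=True the offending value is coerced in place to the expected type.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        spec = EXPECTED.get(res.get("Type"))
        if spec is None:
            continue
        prop, want = spec
        for action in res.get("Properties", {}).get(prop, []):
            cfg = action.get("AuthenticateOidcConfig")
            if not isinstance(cfg, dict) or "SessionTimeout" not in cfg:
                continue
            value = cfg["SessionTimeout"]
            if isinstance(value, dict):  # intrinsic (Ref, Fn::...): not checkable statically
                continue
            # bool is a subclass of int in Python, so reject it explicitly
            if not isinstance(value, want) or isinstance(value, bool):
                findings.append((logical_id, res["Type"], value))
                if fix:
                    cfg["SessionTimeout"] = want(value)
    return findings

# Constructed sample template (not real synth output). Both resources carry the
# string "3600" from the error message in the issue; only the rule is wrong.
SAMPLE = json.loads("""
{"Resources": {
  "Listener1": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {"DefaultActions": [
      {"Type": "authenticate-oidc", "AuthenticateOidcConfig": {"SessionTimeout": "3600"}}]}},
  "Rule1": {"Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
    "Properties": {"Actions": [
      {"Type": "authenticate-oidc", "AuthenticateOidcConfig": {"SessionTimeout": "3600"}}]}}
}}
""")

if __name__ == "__main__":
    for finding in check_session_timeouts(SAMPLE):
        print(finding)
```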
Same issue as here -> https://github.com/aws/aws-cdk/issues/12843 ??
@blamarao Yes, this looks identical to #12843, which was reported against CDK v1. It is still present in CDK 2.43.1
@peterwoodworth This issue is fixed at v2.77.0. Could you close this issue?
thanks!