How Practical is Using Application Load Balancer for JWT Authentication?

Asked By TechieNinja42 On

I recently came across some news about the Application Load Balancer (ALB) supporting client credential flow with JWT verification. I've studied for certifications and know that ALB can handle user authentication as well. Has anyone actually implemented this in real-world scenarios? I'm curious if organizations are creating unauthenticated endpoints behind an ALB, allowing it to manage authentication, or if it's more commonly used to add authentication to existing applications that previously lacked it, like custom enterprise apps.

5 Answers

Answered By CodeCritic123 On

While it's great that ALB supports JWT now, it feels a bit half-baked. The ALB doesn't decode the JWT claims and pass them as headers to the backend, which means apps still need to handle that. It's a decent advancement but could be a lot more effective, much like how API Gateway does it.

Answered By DataWizard35 On

Absolutely! Using ALB for this means it can tackle the heavy lifting of bad token decryption, allowing your application to just focus on authorization. The app verifies the claims but trusts that the ALB has handled the basic authentication. Kind of like how API Gateway works with Lambda functions.
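An added illustration (not code from any poster in this thread, and not AWS code) of the split the two answers above describe: the load balancer authenticates, and the application decodes the claims itself and authorizes on them. It assumes the bearer token reaches the target unchanged in the `Authorization` header; the claim names (`scope`, `aud`, `sub`, `client_id`) and all sample values are constructed.

```python
import base64
import json
import time


class AuthzError(Exception):
    """The forwarded token does not authorize this request."""


def sample_token(claims):
    """Constructed sample: a JWT-shaped string for the demo, not a real token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"


def claims_from_bearer(authorization_header):
    # Assumption: the load balancer already verified the signature and this
    # target accepts traffic only from it, so the payload is decoded, not verified.
    scheme, _, token = authorization_header.partition(" ")
    parts = token.strip().split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        raise AuthzError("expected 'Bearer <header>.<payload>.<signature>'")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise AuthzError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise AuthzError("payload is not a JSON object")
    return claims


def authorize(authorization_header, required_scope, audience, now=None):
    """Return the caller identity if the claims permit the action, else raise."""
    claims = claims_from_bearer(authorization_header)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthzError("token expired or exp missing")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise AuthzError("token was issued for a different audience")
    if required_scope not in str(claims.get("scope", "")).split():
        raise AuthzError("missing scope: " + required_scope)
    return claims.get("sub") or claims.get("client_id")
```

Skipping signature verification is only sound while the target's network rules admit traffic from the load balancer alone; if the application can be reached any other way, it has to verify the signature itself.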

Answered By DevMaster97 On

Yep, that’s a pretty standard approach. By putting unauthenticated endpoints behind an ALB that handles authentication, you’re taking the security out of the application’s hands and simplifying things. Your app only checks for a valid JWT, instead of managing the entire authentication process.

Answered By UserAuthFan On

That’s a new feature! ALB’s JWT authentication is mainly geared towards machine-to-machine interactions, which wasn't possible before. Previously, you needed a real user to get a cookie through a browser session. Now, it broadens the use cases significantly for backend services.

Answered By CloudGuru88 On

Previously, ALB acted as an OAuth client, creating user sessions and forwarding authenticated identities to targets. Now, it can also serve as an OAuth resource, acting like a JWT authorizer. Before this, ALB couldn't validate JWTs for non-interactive access, but that's changed—ALB can now validate the JWT before sending the request upstream.
