DVA-C02 · Question #365
A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID
The correct answer is B. Create a public Application Load Balancer. C. Configure a listener for the load balancer that listens on HTTPS port 443. Add a default. An Application Load Balancer with an HTTPS listener and an authenticate-oidc action handles the OIDC authentication flow transparently before forwarding requests to the target, requiring no changes to the website code.
Question
A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID Connect (OIDC) identity provider (IdP) can access the website. A developer needs to implement authentication without editing the website. Which combination of steps will meet these requirements? (Choose two.)
Options
- ACreate a public Network Load Balancer.
- BCreate a public Application Load Balancer.
- CConfigure a listener for the load balancer that listens on HTTPS port 443. Add a default
- DConfigure a listener for the load balancer that listens on HTTP port 80. Add a default authenticate
- EConfigure a listener for the load balancer that listens on HTTPS port 443. Add a default AWS
How the community answered
(38 responses)- A8% (3)
- B50% (19)
- D16% (6)
- E26% (10)
Why each option
An Application Load Balancer with an HTTPS listener and an authenticate-oidc action handles the OIDC authentication flow transparently before forwarding requests to the target, requiring no changes to the website code.
Network Load Balancers operate at Layer 4 (TCP/UDP) and have no capability to inspect HTTP headers or implement application-layer authentication flows such as OIDC.
Application Load Balancers natively support OIDC and SAML-based authentication via listener rules; when an unauthenticated request arrives, the ALB redirects the user to the IdP, handles the token exchange, and only forwards the request to the backend after successful authentication.
OIDC authentication on an ALB listener requires HTTPS (port 443) because the IdP redirect flow exchanges authorization codes and tokens that must be protected in transit; the authenticate-oidc action in the listener rule triggers the full OIDC authorization code flow against the configured IdP.
OIDC authentication requires HTTPS because tokens and authorization codes transmitted over HTTP port 80 would be exposed to interception; AWS also requires HTTPS listeners for the authenticate-oidc action.
AWS WAF evaluates web requests against security rules (SQL injection, XSS, IP blocking) but does not implement identity-based authentication flows or integrate with OIDC identity providers.
Concept tested: ALB native OIDC authentication without application code changes
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
Community Discussion
No community discussion yet for this question.