Solved: NextJS App Login Timeout When Deployed to ECS behind ALB

Greetings, and thanks in advance for any insight you can provide!

I have a NextJS application authenticating via Auth0. We utilize both page and api auth handlers. Everything work beautifully running local in dev mode. Ditto with a local build running in docker in production mode.

When we deploy to our AWS Dev environment - an ECS Fargate task behind an HTTP ALB, callback and logout URLs updated in Auth0 - our unsecured landing page comes up with no problem. When we navigate to our /dashboard page, we are forwarded to our /api/auth/login?returnTo=%2Fdashboard route as expected. The page spins for a moment, before returning an HTTP 400 error with the following message: Timeout awaiting 'request' for 5000ms.

We are never redirected to the Auth0 endpoint for username and password. Directly hitting our /api/auth/login route gives the same error.

I suspect this has something to do with the ALB, but cannot confirm because our ECS isn’t publicly accessible so I can’t isolate it. If I don’t have any better options in the morning, I will try creating a publicly accessible ECS task to rule out the ALB.

Any pointers or suggestions would be much appreciated. Thank you!

If it helps, we are hitting the ALB via it’s auto generated DNS name. For the same reason, we are testing via HTTP until we get a custom domain and cert.

Quick update - I am able to hit the normal login flow against the ECS task public IP directly. Something is happening on the ALB side. I am in the process of setting up the subdomain and SSL certs now, and will update here when I know more. Any input from the community would be much appreciated!

I have secured the dev subdomain and certs and got all that setup in our domain provider and route 53. This makes configuration and access much simpler, but the same timeout error is occurring, so it doesn’t appear to be SSL related.

Is there an Auth0 application setting that must be configured additionally when behind an ALB? I have our new domain setup in the callbacks and logout URL lists. But it appears that whatever request the NextJS-Auth0 package is making to Auth0 APIs is timing out for some reason.

Well, after a lot of caffeine and some help from friends, we got to the root of the issue. Turns out it had nothing to do with the ALB, but that the private subnets did not have a NAT gateway configured so the underlying tasks were unable to hit Auth0 directly to enable the redirect. The ALB just revealed the issue by giving us ingress to the app itself.

1 Like

Glad to hear that! Thanks for sharing with the rest of community!