Error Codes Wiki

HTTP 561 Unauthorized (AWS ELB) — What It Means & How to Fix It


About HTTP 561 Unauthorized (AWS ELB)

This page explains how to fix the HTTP 561 error that an AWS Elastic Load Balancer returns when the ALB's built-in authentication with OIDC or Cognito fails. It covers what the code means, the common causes, and the steps to resolve it.


This article is part of our HTTP Status Codes collection on Error Codes Wiki.

Quick Answer

Is 561 an official HTTP status code?

No, 561 is an AWS-specific status code used only by Application Load Balancers. It indicates a failure in the ALB's built-in authentication feature, not a standard HTTP authentication error.


Key Details

  • HTTP 561 is returned by AWS Application Load Balancer when its built-in authentication action fails
  • This occurs when using ALB's authenticate-oidc or authenticate-cognito listener rule actions
  • The user's identity provider (IdP) returned an error during the authentication flow
  • Unlike a standard 401, this indicates the ALB itself could not complete the auth handshake

Common Causes

  • Identity provider (Cognito, Okta, Auth0) is misconfigured or unreachable
  • OAuth2 client ID or client secret in the ALB listener rule is incorrect
  • Token endpoint of the IdP is returning errors or timing out
  • User is not authorized in the IdP and the authentication callback fails

Steps

  1. Check the ALB listener rule's authentication action for correct IdP endpoint URLs
  2. Verify the OAuth2 client ID and client secret match the IdP application registration
  3. Test the IdP's token endpoint directly using curl to ensure it is responding correctly
  4. Review the IdP's logs (Cognito, Okta dashboard) for the specific authentication failure reason
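
Steps 1 and 2 can be checked mechanically by comparing the authenticate-oidc action against the metadata the IdP publishes at its OIDC discovery URL. The following is an added example, not code from this page or from AWS: the function name `check_oidc_action`, the host `idp.example.com`, the client ID and both sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like an authenticate-oidc action on an ALB listener rule.
ALB_ACTION = json.loads("""{
  "Type": "authenticate-oidc",
  "AuthenticateOidcConfig": {
    "Issuer": "https://idp.example.com/",
    "AuthorizationEndpoint": "https://idp.example.com/oauth2/authorize",
    "TokenEndpoint": "http://idp.example.com/oauth2/token",
    "UserInfoEndpoint": "https://idp.example.com/oauth2/userinfo",
    "ClientId": "constructed-client-id"
  }
}""")

# Constructed sample of the IdP's metadata (/.well-known/openid-configuration).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
}

# ALB action field -> OIDC discovery metadata field
FIELD_MAP = {"Issuer": "issuer", "AuthorizationEndpoint": "authorization_endpoint",
             "TokenEndpoint": "token_endpoint", "UserInfoEndpoint": "userinfo_endpoint"}

def check_oidc_action(action, discovery, expected_client_id):
    """Return a list of findings; an empty list means the values line up."""
    if action.get("Type") != "authenticate-oidc":
        return ["not an authenticate-oidc action"]
    cfg = action.get("AuthenticateOidcConfig", {})
    findings = []
    for alb_key, meta_key in FIELD_MAP.items():
        configured, published = cfg.get(alb_key), discovery.get(meta_key)
        if not configured:
            findings.append(f"{alb_key}: missing")
            continue
        # This example's own check: the client secret travels to the token endpoint.
        if urlsplit(configured).scheme != "https":
            findings.append(f"{alb_key}: not https")
        if configured != published:  # strict string comparison, by assumption
            slash_only = bool(published) and configured.rstrip("/") == published.rstrip("/")
            findings.append(f"{alb_key}: differs from IdP metadata" + (" (trailing slash only)" if slash_only else ""))
    if cfg.get("ClientId") != expected_client_id:
        findings.append("ClientId: does not match IdP registration")
    return findings

if __name__ == "__main__":
    print("\n".join(check_oidc_action(ALB_ACTION, DISCOVERY, "constructed-client-id")))
```

The client secret is not compared here; verify it in the IdP's application registration as step 2 describes.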

