"Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements" error

Question

I have no issue in using my OIDC Provider ID Tokens to access Google STS tokens or as an extern IdP for AWS Cognito. However, when I try to use my OIDC Provider's ID Token with the AssumeRoleWithWebIdentity API call, I get the above error.

As per existing information on this error, this is caused if AWS is unable to access the OIDC metadata. However, as per the  OIDC server logs, AWS STS accessed both the ./well-known/openid-configuration and the ./well-known/jwks.json endpoints before giving the above error. And I mentioned, there is no problem with Google ID federation.

Any help in resolving this issue is greatly appreciated. I see that others have posted similar queries 2 years ago, so this appears to be a long standing problem.

The relevant config info and ID Token are as follows:

OIDC openid-configuration:  
wget https://oidc.svasys.com:/.well-known/openid-configuration
{
"issuer": "https://oidc.svasys.com", 
"authorization_endpoint": "https://oidc.svasys.com/authorize", 
"token_endpoint": "https://oidc.svasys.com/token", 
"userinfo_endpoint": "https://oidc.svasys.com/userinfo",
 "jwks_uri": "https://oidc.svasys.com/.well-known/jwks.json", 
"scopes_supported": ["openid"], 
"response_types_supported": ["id_token"], 
"subject_types_supported": ["public"], 
"id_token_signing_alg_values_supported": ["RS256"]
}

OIDC jwks.json:
wget https://oidc.svasys.com:/.well-known/jwks.json
{"keys": [
{"kty": "RSA",
"use": "sig",
"alg": "RS256",
"kid": "22886a89d060ce7096ec78bfce7cea3498f926f0",
"key_ops": ["verify"],
"n": "oGGg7Bynho4uAS3y_z83LVl4yHJ0XxBnfeJvYCSHGtF09U6tdZTtmsJ_TtTdCZ9xZGjFrmst8zbijZACkfm0Ii5UASEfXY7vXMinW0LyHXOMh89Rc9CYZlE-6ZItjLrcUh0B45UT2xR_TV-oCwwfodLgZdWyjrMzIFppdkBYzTIzPVWm6oVV9T--cOuo_OAehQ_MZztc08NjMkG6KLaj0DrBYXo0pStVVyOYPL2pNuCBjCHuVHqxY2Us9zJzYDf2jA-bG1cHoblXUztF6kkQiuKZXl_MXeZBj_cRIyMnytsMEwH67DhMsWk2MOKs77WcEPYn4c2JgQaXeSIX-_fEPw",
"e": "AQAB",
"x5c": ["MIIDdjCCAl6gAwIBAgIUKlw+DpnYT9zltxZyApK9xrNFIKUwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCk5ldyBKZXJzZXkxETAPBgNVBAcMCE1vbm1vdXRoMQ8wDQYDVQQKDAZzdmFTeXMxEzARBgNVBAMMCnN2YXN5cy5jb20wHhcNMjQwMTEzMTUyMzAzWhcNMjUwMTEyMTUyMzAzWjBbMQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTERMA8GA1UEBwwITW9ubW91dGgxDzANBgNVBAoMBnN2YVN5czETMBEGA1UEAwwKc3Zhc3lzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBhoOwcp4aOLgEt8v8/Ny1ZeMhydF8QZ33ib2AkhxrRdPVOrXWU7ZrCf07U3QmfcWRoxa5rLfM24o2QApH5tCIuVAEhH12O71zIp1tC8h1zjIfPUXPQmGZRPumSLYy63FIdAeOVE9sUf01fqAsMH6HS4GXVso6zMyBaaXZAWM0yMz1VpuqFVfU/vnDrqPzgHoUPzGc7XNPDYzJBuii2o9A6wWF6NKUrVVcjmDy9qTbggYwh7lR6sWNlLPcyc2A39owPmxtXB6G5V1M7RepJEIrimV5fzF3mQY/3ESMjJ8rbDBMB+uw4TLFpNjDirO+1nBD2J+HNiYEGl3kiF/v3xD8CAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU5Pp6SlnknQC6ZeM74Zd1NkOlkAcwDQYJKoZIhvcNAQELBQADggEBAATjJ8BCw/Da+OpVcFO1E7YrbsJ/ic6UGeUq71f0tsg/KzXslqXvjOEq21G358VflR3hOpNac19w/eXSHk8d7Fw4yfEdJew8CsiaG+ghaSnG3VrxS6G5PzgIELqi6g5ehLtIfNY9UpW3a+15UOuap0n0GbPEPiG+wlQYrsnAdPwGjq+n+H1gfOFo6C/nAMGXSMcGeGXmTiWgaynY9EpndnPImwfiMSDkEnqynxXnQB2knPYwuScxHX+O/AGU4KcyaH1gzIBD0kBxFe8nkbpy7uS8ttSgaJd5ptFv75I1b6RR+IQf0S7XW1nLCbb408pYoAT3lNYpJUGxq2s4/kp1upA="],
"x5t": "IohqidBgznCW7Hi_znzqNJj5JvA",
"x5t#S256": "36xaWa6gcpWQXf3uUSipvIkx8CyXEHZldkvr3nFxLsU"}
]}

AssumeRoleWithWebIdentity Parameters:
{
'RoleArn': 'arn:aws:iam::091794101906:role/aws_myoidc_id', 
'RoleSessionName': 'test', 
'WebIdentityToken': 'eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiMjI4ODZhODlkMDYwY2U3MDk2ZWM3OGJmY2U3Y2VhMzQ5OGY5MjZmMCIsICJ4NXQiOiAiSW9ocWlkQmd6bkNXN0hpX3puenFOSmo1SnZBIn0.eyJzdWIiOiAiYXdzX215b2lkY19pZCIsICJuYW1lIjogInRlc3QiLCAiaWF0IjogMTcwNTE1OTQzMCwgImV4cCI6IDE3MDUxNjAwMzAsICJhdWQiOiAiYXdzX3N2YXN5c19pZCIsICJpc3MiOiAiaHR0cHM6Ly9vaWRjLnN2YXN5cy5jb20iLCAiYW1yIjogWyJwd2QiLCAib3RwIl0sICJqdGkiOiAiNVZ6OTR1T0xTOCIsICJ0b2tlbl91c2UiOiAiaWQiLCAiYXV0aF90aW1lIjogMTcwNTE1OTQzMCwgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSwgImVtYWlsIjogInJlc2VhcmNoQHN2YXN5cy5jb20ifQ.Vw8B_vE9T7GKNxPsQ2W7SrD_m7OFcNmusKRtUnsHhrQe3dW6Le2M6YQo5HuooX5X05V9hvMnzj1SojyReHwfmj3NbT62ExEaHXZ3FPxgR1eKn8kOCIuo9Qphd5AKgf1uf4m7MoxfzMS9oaf7EzLw7VQwSJvCc82Z5MuZmrt9WKj17xgCDpKnv4PqXb_m8OfX1rogYUD9UgW2HzklxBhawTMYLf5T4xyLJ9R1CqWLgdqhbxi9c8fgH-aIfkVllA2C-RbRKdHLR36nNN1JE5Sh2Ngd78QNd0lDBiKkr4ejpW00mN9UwuE0eU_wvcFHyyRiQ1a6uCx6HxBbAbe_kD5R7w', 'DurationSeconds': 1000
}

Answer

Are those jwks URLs accesible by the IDP? You can try to expose the the well known configuration publicly (they should contain public key ingi after all).

Answer

I think the issue is the `"key_ops": ["verify"]` in your jwks.json.

I was getting:

```
StatusCode: 400, RequestID: 1a7f23fb-028e-49c0-8684-b452176a529e, InvalidIdentityToken: Couldn't retrieve verification key from your identity provider,  please reference AssumeRoleWithWebIdentity documentation for requirements
```

When I have `key_ops` in my jwks.json

I removed the `key_ops` and now it works

"Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements" error

Contenido relevante