How do I resolve OIDC IdP federation errors in IAM?

I want to troubleshoot the errors that I encounter when I use an OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access Management (IAM).

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Important: Add /.well-known/openid-configuration to the end of your OIDC identity provider's URL to view the provider's configuration document and metadata.

"No OpenIDConnect provider found in your account"

If you don't correctly reference the OIDC IdP when you call the AssumeRoleWithWebIdentity API operation, then you receive the following error message:

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account"

To resolve this issue, take the following actions:

  • Check that you're passing the correct OIDC IdP's Amazon Resource Name (ARN) when you call the AssumeRoleWithWebIdentity API operation.
    Note: A trailing slash is automatically added to the OIDC IdP's ARN when you use the AWS CLI for your configuration. The trailing slash isn't added when you use AWS SDKs.
  • Verify that the trust policy for the IAM role grants trust to principals that federate through the OIDC IdP.
    Important: The OIDC IdP and the IAM role must be in the same AWS account.
  • Verify that the OIDC IdP's URL in the AWS Security Token Service (AWS STS) request matches the IAM OIDC IdP's URL.
    Note: Sometimes the error message includes the URL that's in the AWS STS request.

"Please check .well-known/openid-configuration of provider: oidc_issuer_url is valid"

You receive the following error message when the OIDC IdP's URL is incorrect:

"Your request has a problem. Please see the following details. Please check .well-known/openid-configuration of provider: oidc_issuer_url is valid"

To resolve this issue, verify that the OIDC IdP's URL meets the following requirements:

  • Is unique within your account
  • Has the correct casing
  • Begins with https://
  • Doesn't contain a port number

If you still experience the issue, then take the following actions:

"Could not connect to openid configuration of provider: oidc_issuer_url"

You receive the following error message when the OIDC IdP's issuer uses a certificate chain that's out of order or includes duplicate or additional certificates:

"Your request has a problem. Please see the following details. Could not connect to openid configuration of provider: oidc_issuer_url"

To resolve this issue, complete the following steps:

  1. Install and configure the OpenSSL command line tool.
  2. In the OpenSSL command line tool, run the openssl s_client command to download the OIDC IdP's certificate chain:

    openssl s_client -servername keys.example.com -showcerts -connect keys.example.com:443

    Note: Replace keys.example.com with the host name of the URL that's mapped to jwks_uri in the OIDC IdP's metadata.
  3. Confirm that the OIDC IdP's certificate chain starts with the leaf certificate for the domain or issuer URL, followed by the intermediate certificate, and ends with the root certificate.

If the certificate chain order is different, then you receive a signature mismatch error and STS fails to validate the JSON Web Token (JWT). For more information about certificate chain standards, see certificate_list in the Server certificate section on the RFC Series website.

"The ID Token provided is not a valid JWT"

You receive the following error message when the JWT is encrypted, or when it uses unsupported characters, and the OIDC IdP federates into IAM:

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: The ID Token provided is not a valid JWT"

To resolve this issue, take the following actions:

  • Format every JWT header parameter value as a string. Any other data type in the JWT header results in an error.
  • Run an online decoder tool to check the information that you passed in the JWT header.
  • Remove unnecessary header parameter values.

Note: Custom OIDC IdPs support the following signing algorithms: RS256, RS384, RS512, HS256, HS384, and HS512. OIDC federation into IAM doesn't support encrypted JWTs.

"Couldn't retrieve verification key from your identity provider"

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements"

You can get the preceding error message for the following reasons:

  • The OIDC IdP's .well-known and jwks_uri endpoints aren't accessible from the public internet.
  • A custom firewall is blocking the API request.
  • There's more than 5 seconds of latency in the API requests from the OIDC IdP to the STS endpoint.
  • AWS STS can't verify the OIDC IdP's key because the JSON Web Key Set (JWKS) has a large number of keys that cause requests to throttle.

To resolve these issues, take the following actions:

  • Verify that the OIDC IdP's .well-known and jwks_uri endpoints are publicly accessible.
  • Check the firewall settings to confirm that the domains aren't on a deny list.
  • Check the latency for the total operation. Use exponential backoff if needed.
  • Remove unnecessary keys from the JWKS, and test the configuration.
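Added example (not part of the AWS article): a Python script that applies the issuer URL requirements from the "oidc_issuer_url is valid" section (https scheme, no port number) and the endpoint checks from this section to an OIDC IdP. It fetches the discovery document and the JWKS over the public internet with a 5-second timeout, as STS does, and flags an oversized key set; the issuer host, the 10-key threshold and the function names are assumptions.

```python
import json
import time
from urllib.parse import urlsplit
from urllib.request import urlopen

LATENCY_LIMIT_SECONDS = 5.0  # the article: STS tolerates at most 5 s across the IdP requests

def check_issuer_url(issuer: str) -> list[str]:
    # Article requirements checkable locally: https scheme and no port number.
    u = urlsplit(issuer)
    problems = []
    if u.scheme != "https":
        problems.append(f"issuer URL must begin with https://, got {u.scheme!r}")
    if u.port is not None:
        problems.append(f"issuer URL must not contain a port number (found {u.port})")
    return problems

def well_known_url(issuer: str) -> str:
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_json(url: str, timeout: float = LATENCY_LIMIT_SECONDS) -> tuple[dict, float]:
    # Fetch over the public internet, as STS does, and time the round trip.
    start = time.monotonic()
    with urlopen(url, timeout=timeout) as resp:
        doc = json.load(resp)
    return doc, time.monotonic() - start

def check_discovery(issuer: str, config: dict, jwks: dict, elapsed: float, max_keys: int = 10) -> list[str]:
    """Findings for a fetched discovery document and JWKS (empty list = nothing found).
    max_keys is an assumed trimming threshold, not a documented IAM limit."""
    problems = check_issuer_url(issuer)
    if config.get("issuer") != issuer:  # OIDC Discovery requires an exact match
        problems.append(f"issuer in metadata {config.get('issuer')!r} != registered URL {issuer!r}")
    jwks_uri = config.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        problems.append(f"jwks_uri {jwks_uri!r} is missing or not https")
    keys = jwks.get("keys", [])
    if not keys:
        problems.append("JWKS contains no keys")
    elif len(keys) > max_keys:
        problems.append(f"JWKS has {len(keys)} keys; remove unused keys to avoid throttling")
    if elapsed > LATENCY_LIMIT_SECONDS:
        problems.append(f"endpoints took {elapsed:.1f} s in total, above the {LATENCY_LIMIT_SECONDS:.0f} s limit")
    return problems

if __name__ == "__main__":
    issuer = "https://idp.example.com"  # placeholder: replace with your IdP's issuer URL
    config, t_config = fetch_json(well_known_url(issuer))
    jwks, t_jwks = fetch_json(config["jwks_uri"])
    print(check_discovery(issuer, config, jwks, t_config + t_jwks) or ["no problems found"])
```

Run it from outside your network as well as inside: a result that differs between the two is the "custom firewall" case from the list above.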

For more information about how to resolve this error message, see How do I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"?

Note: AWS CloudTrail doesn't log the "InvalidIdentityToken" error because the failure happens on the client side.

"Unsupported condition keys used"

You receive the following error message when you use unsupported condition keys in the OIDC IdP's IAM role trust policy:

"An unknown error occurred for AssumeRoleWithWebIdentity: Unsupported condition keys used"

To resolve this issue, create a trust policy with available keys for AWS web identity federation.

"Incorrect token audience"

You receive the following error message when the JWT audience claim doesn't match the unique identifier of an application that uses the OIDC IdP:

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience"

To check the IAM OIDC IdP's audience, run the following get-open-id-connect-provider command:

aws iam get-open-id-connect-provider --open-id-connect-provider-arn OIDC_ARN_Example-provider

Note: Replace OIDC_ARN_Example-provider with the ARN of your OIDC IdP.

The audience value must match the application's client ID.

"Returned thumbprint (too large for IAM)."

You receive the "Returned thumbprint (too large for IAM)." error message when you add an incorrect thumbprint to the OIDC IdP in IAM.

To resolve this issue, make sure that you're using the correct thumbprint. To manually get the thumbprint, see Obtain certificate thumbprint.

For more information, see Obtain the thumbprint for an OpenID Connect identity provider.

"Token audience contains more than one audience while authorized party is not present"

You receive the following error message when you define more than one audience in a JWT token: 

"InvalidIdentityToken: Token audience contains more than one audience while authorized party is not present"

AWS doesn't support JWT tokens with multiple audiences, but you can configure an OIDC IdP with multiple client IDs as audiences.
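Added example (not the article's or AWS's code): a Python preflight check that applies the JWT rules from the "not a valid JWT", "Incorrect token audience" and multiple-audience sections above to an ID token before it's sent to AssumeRoleWithWebIdentity. build_token, the client ID and the token contents are constructed for illustration, and the check deliberately does not verify the signature.

```python
import base64
import json

# Signing algorithms the article lists as supported for custom OIDC IdPs.
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "HS256", "HS384", "HS512"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def _b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def build_token(header: dict, payload: dict) -> str:
    # Constructed test data only: header.payload plus a placeholder signature,
    # which preflight_id_token never checks.
    return f"{_b64url_json(header)}.{_b64url_json(payload)}.placeholder-signature"

def preflight_id_token(token: str, client_id: str) -> list[str]:
    """IAM-relevant problems in an ID token (empty list = none); signature checks are STS's job."""
    parts = token.split(".")
    if len(parts) == 5:
        return ["5 segments: an encrypted JWT (JWE), which OIDC federation into IAM does not support"]
    if len(parts) != 3:
        return [f"{len(parts)} segments, expected 3 (header.payload.signature)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return [f"header or payload is not base64url-encoded JSON: {exc}"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header and payload must both be JSON objects"]
    problems = []
    # STS rejects any header parameter whose value is not a JSON string.
    for name, value in header.items():
        if not isinstance(value, str):
            problems.append(f"header parameter {name!r} is {type(value).__name__}, not a string")
    if header.get("alg") not in SUPPORTED_ALGS:
        problems.append(f"alg {header.get('alg')!r} is not a supported signing algorithm")
    # aud must contain the registered client ID; several audiences need the azp (authorized party) claim.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not match the registered client ID {client_id!r}")
    if len(audiences) > 1 and "azp" not in payload:
        problems.append("aud lists more than one audience but the azp claim is missing")
    return problems

if __name__ == "__main__":
    sample = build_token({"alg": "ES256", "kid": 7}, {"aud": ["my-client", "other-app"]})
    print(preflight_id_token(sample, "my-client"))
```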

To resolve this issue, complete the following steps: 

"Unable to configure OpenID Connect configuration with a private application"

You receive the following error message when the OIDC IdP is private because the .well-known/openid-configuration and jwks_uri endpoints aren't publicly accessible over the internet:

"Unable to configure OpenID Connect configuration with a private application (For example: Gitlab instance)"

To resolve this issue, take the following actions:

  • Configure the .well-known/openid-configuration and jwks_uri endpoints to be accessible over the internet.
    Note: IAM doesn't support proxy configurations for OIDC federation into IAM. Even when you manually add a thumbprint, the subsequent AssumeRoleWithWebIdentity requests to STS still fail because the jwks_uri endpoint isn't publicly accessible. STS can't validate the signature in the JWT to issue credentials.
  • Use Amazon Cognito to generate client credentials that you can use to federate from your application to an Amazon Cognito user pool. In the user pool, you can assume a role from an Amazon Cognito identity pool that has access to specific AWS services in your account. For each application, you can use a unique client to authenticate into Amazon Cognito identity pools to differentiate between access levels.
    Important: To authenticate into Amazon Cognito, you might need to perform additional coding because you must include Amazon Cognito in the application task.
  • Use AWS Private Certificate Authority to implement IAM Roles Anywhere.
  • Define an interface virtual private cloud (VPC) endpoint for AWS STS to keep your authentication traffic within a VPC.

"OpenIdInvalidIDPResponseException error"

You receive the following error message when the OIDC IdP's metadata is missing required attributes: 

"OpenIdInvalidIDPResponseException error while obtaining the thumbprint of the IAM OIDC identity provider"

To resolve this issue, contact the OIDC IdP to determine the attributes that are missing. For more information about metadata patterns and required attributes, see Obtaining OpenID provider configuration information on the OpenID website.

"OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint"

You receive the following error message when the thumbprint in the OIDC IdP is expired or doesn't match the certificate authority:

"Invalid login token. OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint"

To resolve this issue, complete the following steps:

  1. Manually obtain the certificate thumbprint.
  2. Use UpdateOpenIDConnectProviderThumbprint to update the thumbprint to match the OIDC IdP.

"AccessDenied error logged for AssumeRoleWithWebIdentity"

You can get the "AccessDenied error logged for AssumeRoleWithWebIdentity" error message for the following reasons:

  • The IAM role ARN that's in the request parameter is incorrect.
  • The principal that runs the AssumeRoleWithWebIdentity action doesn't have sufficient permissions.
  • The DurationSeconds parameter value is greater than the maximum duration setting for the IAM role.

To resolve the preceding issues, take the following actions:

  • Include the correct IAM role ARN in the AssumeRoleWithWebIdentity action.
    Note: Role ARNs are case sensitive.
  • To determine the required permissions for the AssumeRoleWithWebIdentity action, see the Permissions section of AssumeRoleWithWebIdentity.
  • If you use AWS Organizations, then check your service control policies (SCPs) to confirm that they include the required permissions.
  • If the request contains session tags, then allow aws:TagSession in the trust policy.
  • Make sure that the maximum session duration setting for the IAM role is always greater than or equal to the DurationSeconds parameter value.