How do I resolve errors related to OIDC IdP federation in IAM?


I want to troubleshoot the errors I encounter when I use an OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access Management (IAM).

Resolution

You might encounter the following errors when you work with an OIDC IdP for federation with IAM.

Important: Add /.well-known/openid-configuration to the end of your OIDC identity provider's URL to see the provider's configuration document and metadata.

Note: Replace server.example.com with the OIDC identity provider's server name. Replace oidc_issuer_url with the OIDC identity provider's issuer URL.

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account."

This error occurs when the OIDC identity provider isn't referenced correctly when you call the AssumeRoleWithWebIdentity API operation.

To resolve the error, complete the following steps:

  1. Check the OIDC identity provider's ARN that's passed when you call the AssumeRoleWithWebIdentity API operation.
    Note: A trailing slash is automatically added to the OIDC IdP's ARN when you use the AWS Command Line Interface (AWS CLI) for your configuration. The trailing slash isn't added when you use AWS SDKs.
    Note: If you receive errors when running AWS CLI commands, then confirm that you're running a recent version of the AWS CLI.
  2. Verify that the trust policy for the IAM role grants trust to principals that federate through the OIDC identity provider.
    Important: Cross-account roles aren't supported. The OIDC identity provider and the IAM role must be in the same account.
  3. Verify that the OIDC identity provider's URL passed in the AWS Security Token Service (AWS STS) request matches the IAM OIDC identity provider's URL. The URL in the AWS STS request might be included in the error message.

"Your request has a problem. Please see the following details. Please check .well-known/openid-configuration of provider: oidc_issuer_url is valid."

This error occurs when the OIDC identity provider's URL is incorrect.

To resolve the error, verify that the OIDC identity provider's URL meets the following requirements:

  • The URL is unique within your AWS Account.
  • The URL has the correct casing.
  • The URL begins with https://
  • The URL doesn't contain a port number.

If the error persists, complete the following steps:

  1. Add a trailing slash (/) to the end of the issuer's URL.
  2. Manually obtain the OIDC identity provider's thumbprint.
  3. Create the OIDC identity provider in the AWS CLI.

"Your request has a problem. Please see the following details. Could not connect to openid configuration of provider: oidc_issuer_url."

This error occurs when the OIDC identity provider's issuer presents a certificate chain that's out of order or includes duplicate or additional certificates.

To resolve the error, complete the following steps:

  1. Install and configure the OpenSSL command line tool, if needed.
    Note: Replace keys.example.com with the URL that's mapped to jwks_uri in the OIDC identity provider's metadata.
  2. In the OpenSSL command line tool, run the openssl s_client command to download the OIDC identity provider's certificate chain:
    openssl s_client -servername keys.example.com -showcerts -connect keys.example.com:443
  3. Verify the OIDC identity provider's certificate chain. The chain must start with the certificate for the domain or issuer URL, continue with the intermediate certificate, and end with the root certificate.

If the certificate chain order is different, then you receive a signature mismatch error and STS fails to validate the JSON Web Token (JWT). For more information about certificate chain standards, see certificate_list in RFC 5246 on the RFC Series website.
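Checking the order of a downloaded chain by eye is error-prone, so here is an added Python example (not part of this article and not an AWS tool) that parses every PEM certificate in the output of the openssl s_client command above, compares each certificate's issuer with the next certificate's subject, and flags duplicates and a chain that doesn't end in a self-signed root. To run offline it builds constructed, unsigned stand-in certificates; keys.example.com and the CA names are placeholders, and matching the first certificate's common name to the host is a simplification (real leaf certificates carry the host in subjectAltName).

```python
import base64
import re


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value element at buf[pos]; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split the content of a SEQUENCE or SET into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def issuer_and_subject(der_cert):
    """Return the DER content of the issuer and subject Name fields of an X.509 certificate."""
    _, cert, _ = read_tlv(der_cert)                  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                        # first element: tbsCertificate SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def common_name(name_content):
    """Extract commonName (OID 2.5.4.3) from a Name, for readable messages only."""
    for _, rdn in children(name_content):             # Name is a SEQUENCE of SET (one RDN each)
        for _, atv in children(rdn):                  # each RDN holds AttributeTypeAndValue SEQUENCEs
            parts = children(atv)
            if parts and parts[0][1] == b"\x55\x04\x03":
                return parts[1][1].decode("utf-8", "replace")
    return "<no CN>"


def pem_certificates(text):
    """DER bytes of every PEM certificate block in text (e.g. openssl s_client -showcerts output)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_chain_order(pem_text, expected_host=None):
    """Return problems; an empty list means leaf -> intermediate(s) -> self-signed root, no duplicates."""
    certs = pem_certificates(pem_text)
    if not certs:
        return ["no certificates found in input"]
    problems = []
    if len(set(certs)) != len(certs):
        problems.append("duplicate certificate present in chain")
    names = [issuer_and_subject(c) for c in certs]
    cns = [common_name(subject) for _, subject in names]
    if expected_host and cns[0] != expected_host:
        problems.append(f"first certificate is for '{cns[0]}', not '{expected_host}'")
    for i in range(len(names) - 1):                   # issuer of cert i must equal subject of cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} ('{cns[i]}') is not issued by certificate {i + 1} "
                            f"('{cns[i + 1]}'): chain out of order")
    if names[-1][0] != names[-1][1]:
        problems.append(f"chain does not end with a self-signed root (last is '{cns[-1]}')")
    return problems


def der(tag, content):
    """Encode one DER element; lengths up to 65535 are enough for the stand-ins below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed X.509 skeleton (no real key, no signature) in PEM, only for exercising the checker."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03" + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + validity + name(subject_cn) + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def fake_chain(cns):
    """cns listed leaf first; each certificate is issued by the next one and the last is self-signed."""
    return [fake_cert_pem(cn, cns[i + 1] if i + 1 < len(cns) else cn) for i, cn in enumerate(cns)]


if __name__ == "__main__":
    chain = fake_chain(["keys.example.com", "Example Intermediate CA", "Example Root CA"])
    print("ordered: ", check_chain_order("\n".join(chain), "keys.example.com"))
    print("reversed:", check_chain_order("\n".join(reversed(chain)), "keys.example.com"))
```

Pass it the full text of the openssl output (or a saved chain file). The checker compares the DER-encoded issuer and subject names byte for byte, which is how a correctly built chain links, so a reordered or duplicated block shows up as a named pair of certificates rather than a generic signature error.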

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: The ID Token provided is not a valid JWT."

This error occurs during OIDC federation into IAM when the JWT is encrypted or contains unsupported characters.

To resolve the error, complete the following steps:

  1. Verify that every parameter value in the JWT header is a string. Any other data type in the JWT header results in an error.
  2. Run an online decoder tool to check the information being passed in the JWT header.
  3. Remove the unnecessary header parameter values or change the data type to string.

Note: Custom OIDC identity providers support the following signing algorithms: RS256, RS384, RS512, HS256, HS384, and HS512. OIDC federation into IAM doesn't support encrypted JWTs.

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements."

You might encounter this error for the following reasons:

  • The OIDC identity provider's .well-known and jwks_uri endpoints aren't accessible from the public internet.
  • A custom firewall is blocking the API request.
  • There's more than 5 seconds of latency in the API requests from the OIDC identity provider to the STS endpoint.
  • Requests are throttled because the JSON Web Key Set (JWKS) has a large number of keys that prevent STS from verifying the OIDC IdP's key.

To resolve the error, complete the following steps:

  1. Verify that the OIDC identity provider's .well-known and jwks_uri endpoints are publicly accessible.
  2. Check the firewall settings to confirm that the domains aren't on a deny list.
  3. Check the latency for the total operation. Use exponential backoff if needed.
  4. Remove unnecessary keys from the JWKS and test the configuration.

For more information about resolving this error, see How can I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"?

Note: This InvalidIdentityToken error isn't logged in the AWS CloudTrail log file because the failure happens on the client side.

"An unknown error occurred for AssumeRoleWithWebIdentity: Unsupported condition keys used."

This error occurs when you use unsupported condition keys in the OIDC identity provider's IAM role trust policy.

To resolve the error, construct a trust policy with available keys for AWS web identity federation.

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience."

This error occurs when the JWT aud (audience) claim doesn't match the unique identifier of an application that uses the OIDC identity provider.

To check the IAM OIDC provider's audience, run the following command:

aws iam get-open-id-connect-provider --open-id-connect-provider-arn OIDC_ARN_Example-provider

Note: Replace OIDC_ARN_Example-provider with the ARN of your OIDC provider.

The audience value must match the application's client ID.

"Returned thumbprint (too large for IAM)."

This error occurs when you try to manually add an incorrect thumbprint to the OIDC identity provider in IAM.

To resolve the error, manually obtain the thumbprint for your OIDC identity provider.

"InvalidIdentityToken: Token audience contains more than one audience while authorized party is not present."

This error occurs when more than one audience is defined in a JWT token. AWS doesn't support JWT tokens with multiple audiences, but you can configure an OIDC identity provider with multiple client IDs as audiences.

To resolve the error, complete the following steps:

  1. Make sure that only one audience is defined in the JWT token.
  2. Register each of your applications with a separate OIDC identity provider to allow users to sign in from more than one IdP.
  3. Create and manage the OIDC identity provider and configure different IAM roles for each audience value, if needed.
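The issuer URL requirements, the JWT header and algorithm rules, the audience check against the provider's client IDs, and the single-audience rule above can all be run against a token before it is sent to STS. The following Python example is added here and is not code from this article or from AWS. It builds HS256-signed sample tokens with a made-up secret, uses a constructed stand-in for the aws iam get-open-id-connect-provider output (the client ID and the issuer https://server.example.com are placeholders), and reports the problems that the error messages above describe. It does not verify the signature; STS does that against jwks_uri.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Signing algorithms the article lists for custom OIDC providers; encrypted tokens (JWE) are not accepted.
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "HS256", "HS384", "HS512"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issuer_url_problems(url):
    """URL rules that can be checked offline: https scheme and no port (casing and uniqueness need the account)."""
    problems = []
    if not url.startswith("https://"):
        problems.append(f"issuer URL '{url}' does not begin with https://")
    try:
        if urlsplit(url).port is not None:
            problems.append(f"issuer URL '{url}' contains a port number")
    except ValueError:
        problems.append(f"issuer URL '{url}' has an unparseable port")
    return problems


def client_ids_from_provider(get_provider_output):
    """Pull ClientIDList out of 'aws iam get-open-id-connect-provider' JSON output."""
    return set(json.loads(get_provider_output).get("ClientIDList", []))


def inspect_id_token(token, provider_client_ids, expected_issuer=None):
    """Findings that would make STS reject the token. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) == 5:
        return ["token has 5 segments: an encrypted JWT (JWE), which OIDC federation into IAM does not support"]
    if len(parts) != 3:
        return [f"token has {len(parts)} segments, not the 3 of a signed JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must both be JSON objects"]
    findings = []
    # Header: every parameter value must be a string and alg must be a supported signing algorithm.
    for key, value in header.items():
        if not isinstance(value, str):
            findings.append(f"header parameter '{key}' is {type(value).__name__}, not a string")
    if header.get("alg") not in SUPPORTED_ALGS:
        findings.append(f"alg '{header.get('alg')}' is not a supported signing algorithm")
    # Issuer: must satisfy the URL rules and match the IAM provider's URL when one is given.
    iss = str(claims.get("iss", ""))
    findings += issuer_url_problems(iss)
    if expected_issuer and iss.rstrip("/") != expected_issuer.rstrip("/"):
        findings.append(f"iss '{iss}' does not match the IAM provider URL '{expected_issuer}'")
    # Audience: one value (several only with azp present), and it must be in the provider's ClientIDList.
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if not auds:
        findings.append("token has no aud claim")
    elif len(auds) > 1 and "azp" not in claims:
        findings.append("token audience contains more than one audience while authorized party (azp) is not present")
    if auds and not any(a in provider_client_ids for a in auds):
        findings.append(f"incorrect token audience: none of {auds} is in the provider's ClientIDList")
    return findings


def make_demo_token(header, claims, secret=b"constructed-demo-secret"):
    """HS256-sign a constructed token so the inspector has realistic input (real IdPs use keys from their JWKS)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed stand-in for the CLI output; the URL and client ID are placeholders.
PROVIDER_JSON = json.dumps({"Url": "server.example.com", "ClientIDList": ["my-app-client-id"]})
CLIENT_IDS = client_ids_from_provider(PROVIDER_JSON)

GOOD_TOKEN = make_demo_token(
    {"alg": "HS256", "typ": "JWT", "kid": "key-1"},
    {"iss": "https://server.example.com", "aud": "my-app-client-id", "sub": "user-1"})
BAD_TOKEN = make_demo_token(
    {"alg": "HS256", "typ": "JWT", "kid": 12345},                     # non-string header value
    {"iss": "https://server.example.com:8443",                         # port in the issuer URL
     "aud": ["my-app-client-id", "other-app"], "sub": "user-1"})       # two audiences, no azp

if __name__ == "__main__":
    for finding in inspect_id_token(BAD_TOKEN, CLIENT_IDS, "https://server.example.com"):
        print("-", finding)
```

Running it against a token captured from the application (rather than the constructed ones) gives the same list of findings that the STS error messages only hint at, without pasting the token into an online decoder.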

Note: For more information about OIDC identity providers, see Creating a role for web identity or OIDC federation (console).

"Unable to configure OpenID Connect configuration with a private application (For example: Gitlab instance)."

This error occurs when the OIDC identity provider is private because the .well-known/openid-configuration and jwks_uri endpoints aren't publicly accessible over the internet.

To resolve the error, complete the following steps:

  1. Configure the .well-known/openid-configuration and jwks_uri endpoints to be accessible over the internet.
    Note: Proxy configurations for OIDC federation into IAM aren't supported. Adding a thumbprint manually doesn't help as the subsequent AssumeRoleWithWebIdentity requests to STS still fail because the jwks_uri endpoint isn't publicly accessible. STS can't validate the signature in the JWT to issue credentials.
  2. Add the required AWS IP addresses to an allowlist. Then use the AssumeRoleWithWebIdentity API operation to generate temporary credentials in your AWS account. Use the AWS IP address ranges for the IAM and STS service addresses.
  3. Use Amazon Cognito to generate client credentials that you can use to federate from your application to an Amazon Cognito user pool. In the user pool, you can assume a role from an Amazon Cognito identity pool that has access to specific AWS roles in your account.
    You can use client credentials to authenticate into Amazon Cognito identity pools. With client credentials, you can use a unique client for each application to differentiate between access levels.
    Important: To authenticate into Amazon Cognito, you might need to perform additional coding because Amazon Cognito must be included in the application task.
  4. Use a private certificate authority to implement IAM Roles Anywhere.
    Note: For more information about private certificate authority, see What is AWS Private CA?
  5. Define an interface VPC endpoint for AWS STS to confine your authentication traffic through a VPC.
    Note: For more information, see Using AWS STS interface VPC endpoints.

"OpenIdInvalidIDPResponseException error while obtaining the thumbprint of the IAM OIDC identity provider."

This error occurs when the OIDC identity provider's metadata is missing required attributes.

To resolve the error, complete the following steps:

  1. Check the OIDC identity provider's metadata and required attributes.
  2. If you discover missing attributes, contact the OIDC identity provider to discuss the missing information.
    Note: For more information about metadata patterns and required attributes, see Obtaining OpenID Provider Configuration Information in the OpenID Connect errata webpage.

"Invalid login token. OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint."

This error occurs when the thumbprint used in the OIDC identity provider is expired or doesn't match the certificate authority.

To resolve the error, complete the following steps:

  1. Manually obtain the thumbprint.
  2. Update the OIDC identity provider's thumbprint with the UpdateOpenIDConnectProviderThumbprint API operation or in the AWS Management Console.

"AccessDenied error logged for AssumeRoleWithWebIdentity."

You might encounter this error for the following reasons:

  • The IAM role ARN that's passed in the request parameters is incorrect.
  • There are insufficient permissions configured on the principal that runs the AssumeRoleWithWebIdentity action.
  • The DurationSeconds parameter value is greater than the maximum duration setting for the IAM role.

To resolve the error, complete the following steps:

  1. Make sure that the correct IAM role ARN is passed in the AssumeRoleWithWebIdentity action.
    Note: Role ARNs are case sensitive.
  2. Verify that the necessary IAM permissions are set.
  3. Check service control policies (SCPs).
  4. Verify that aws:TagSession is allowed in the trust policy when the request contains session tags.
  5. Make sure that the maximum session duration setting for the IAM role is always greater than or equal to the DurationSeconds parameter.
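Both the "Unsupported condition keys used" error and an AccessDenied from the trust policy come down to whether some Allow statement trusts the provider, allows sts:AssumeRoleWithWebIdentity, and has conditions the token's claims satisfy. The following Python example is added here and is not code from this article or from AWS. It evaluates a constructed trust policy for the placeholder provider server.example.com (account ID, client ID and sub pattern are made up) against a token's claims, checks StringEquals and StringLike conditions on provider-scoped keys, and flags condition keys that aren't among the documented web identity keys (aud, sub and amr; the set is an assumption to adjust). Keys outside the provider's namespace, such as aws: keys, and other operators are reported but not evaluated, so the result is a local approximation of the trust-policy half of the decision, not an IAM policy simulation.

```python
import fnmatch

# Constructed example trust policy; the account ID, client ID and sub pattern are placeholders.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/server.example.com"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],   # TagSession only needed with session tags
        "Condition": {
            "StringEquals": {"server.example.com:aud": "my-app-client-id"},
            "StringLike": {"server.example.com:sub": "repo:example-org/*"},
        },
    }],
}

# Claims a trust policy can reference as "<provider host>:<claim>". aud, sub and amr are the documented
# web identity keys; this set is an assumption of the example and should be adjusted if AWS adds keys.
PROVIDER_CLAIM_KEYS = {"aud", "sub", "amr"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(operator, actual, expected):
    """Evaluate the two string operators this checker understands; IAM wildcards are * and ?."""
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
    return None                                        # operator not handled here


def evaluate_trust_policy(policy, provider_arn, claims):
    """Return (would_allow, findings) for a token with these claims presented through provider_arn."""
    host = provider_arn.split("oidc-provider/", 1)[1]   # condition keys are prefixed with the provider URL
    findings, would_allow = [], False
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        ok = True
        if provider_arn not in _as_list(stmt.get("Principal", {}).get("Federated", [])):
            findings.append(f"statement {n} does not trust {provider_arn} (ARNs are case sensitive)")
            ok = False
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {n} does not allow sts:AssumeRoleWithWebIdentity")
            ok = False
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                prefix, _, claim = key.partition(":")
                if prefix != host:
                    findings.append(f"statement {n}: condition key '{key}' is not scoped to '{host}' and is not evaluated here")
                    continue
                if claim not in PROVIDER_CLAIM_KEYS:
                    findings.append(f"statement {n}: condition key '{key}' is not a supported web identity condition key")
                    ok = False
                    continue
                actual = str(claims.get(claim, ""))
                result = _matches(operator, actual, expected)
                if result is None:
                    findings.append(f"statement {n}: operator '{operator}' is not handled by this checker")
                elif not result:
                    findings.append(f"statement {n}: {operator} on '{key}' fails for token value '{actual}'")
                    ok = False
        would_allow = would_allow or ok
    return would_allow, findings


if __name__ == "__main__":
    claims = {"iss": "https://server.example.com", "aud": "my-app-client-id",
              "sub": "repo:example-org/app:ref:refs/heads/main"}
    print(evaluate_trust_policy(TRUST_POLICY, PROVIDER_ARN, claims))
    print(evaluate_trust_policy(TRUST_POLICY, PROVIDER_ARN, {"aud": "my-app-client-id", "sub": "repo:other-org/app"}))
```

Use it with the decoded claims of the token that was rejected and the trust policy fetched with aws iam get-role; a failing StringLike on sub or an unsupported key shows up by name, and a case difference in the provider ARN is caught at the Principal check, before any condition is evaluated.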
AWS OFFICIAL. Updated 4 months ago.