InvalidIdentityTokenException Using fromWebToken


I'm trying to get short-term credentials from STS using fromWebToken in the JavaScript SDK v3. I'm getting: InvalidIdentityTokenException: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

import { fromWebToken } from "@aws-sdk/credential-providers";
import { S3 } from "@aws-sdk/client-s3";

// auth is the IdP client (Okta-style tokenManager) set up elsewhere
const getTokenFromIdp = async () => {
  const token = await auth.tokenManager.get("idToken");
  return token.idToken;
};

// getTokenFromIdp() is async, so the value passed here is a Promise
const oidcCredentials = fromWebToken({
  roleArn: "arn:aws:iam::2222333344445556:role/OIDCroleReadS3",
  roleSessionName: "session_111",
  durationSeconds: 7200,
  webIdentityToken: getTokenFromIdp()
});

const s3client = new S3({
  region: "us-east-2",
  credentials: oidcCredentials,
});

Here's the decoded JWT:

{
  "sub": "00u3xs70zpX2OiH1n697",
  "name": "Fred Flint",
  "email": "fred.flint@atko.email",
  "ver": 1,
  "iss": "https://cis.demo-connect.us/oauth2/default",
  "aud": "0oa49zm0l8U4WHON5697",
  "iat": 1679326542,
  "exp": 1679330142,
  "jti": "ID.jl6Jdp2W9AQn9PgtoUk70JMSakxkXDzFXhxHkqhPG6I",
  "amr": [
    "swk"
  ],
  "idp": "00o3xs70qnrVWzeJf697",
  "nonce": "PqcXAaUIs6lOLvvddQF6r64eEDBKgrB6veq6B02uP7RjwxatgL4YVlkWtQYpTfEf",
  "preferred_username": "fred.flint@atko.email",
  "auth_time": 1679326540,
  "at_hash": "lBn-EyIp98zRI9FqfAUOlw"
}

If I copy the encoded token value from the console log returned from getTokenFromIdp() and hardcode the webIdentityToken property, STS accepts the value. The token value is good when I test it in jwt.io, so I'm confident that it's a valid identity token. Is there some other property check that could be failing that would give me this error message? I've seen a separate error message for audience mismatch, so I don't think that's the problem here.

BTW, in the example at https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Examples, the WebIdentityToken doesn't look like a JWT. Thanks!

Asked a year ago, 28 views
1 answer

You're encountering an error where AWS STS is rejecting your ID token as invalid, even though it appears valid when decoded and tested manually. The issue likely arises from asynchronous token retrieval. Ensure that your token retrieval function completes before passing it to fromWebToken(). This timing problem may cause STS to receive an incomplete or invalid token. Modify your code to await the token retrieval function before passing it to fromWebToken(). This ensures the token is fully retrieved and ready for use, resolving the issue.

import { fromWebToken } from "@aws-sdk/credential-providers";
import { S3 } from "@aws-sdk/client-s3";

// auth is the IdP client (Okta-style tokenManager) set up elsewhere
const getTokenFromIdp = async () => {
  const token = await auth.tokenManager.get("idToken");
  return token.idToken;
};

const getCredentials = async () => {
  // await here, so fromWebToken receives the JWT string rather than a Promise
  const webIdentityToken = await getTokenFromIdp();
  const oidcCredentials = fromWebToken({
    roleArn: "arn:aws:iam::2222333344445556:role/OIDCroleReadS3",
    roleSessionName: "session_111",
    durationSeconds: 7200,
    webIdentityToken,
  });

  return oidcCredentials;
};

const main = async () => {
  const credentials = await getCredentials();
  const s3client = new S3({
    region: "us-east-2",
    credentials,
  });

  // Now you can use the S3 client with the obtained credentials
};

main().catch(console.error);

EXPERT
answered 10 days ago
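The failure mode the answer describes, as an added example that is not code from the question, the answer, or the AWS SDK. It runs offline: it shows that an un-awaited getTokenFromIdp() hands fromWebToken a Promise, which coerces to the string "[object Promise]" and so is "not a valid JWT"; it adds a structural pre-flight check on the token (segments, alg, exp, aud) so the problem is caught before the STS call; and it wraps the whole thing in a lazy credential provider, the async-function form the SDK v3 `credentials` option accepts, so the IdP token is fetched fresh on every refresh instead of once at startup. The sample token, the `checkIdToken`/`webIdentityCredentials` helpers and `fakeFromWebToken` (an offline stand-in injected as `makeProvider`) are all constructed for this example; in production pass the real fromWebToken from @aws-sdk/credential-providers as `makeProvider`.

```javascript
// Added example, not code from the question or answer. Reproduces the
// un-awaited-Promise bug offline and shows a pre-flight check plus a lazy
// credential provider. No AWS calls are made.

const EXPECTED_AUD = "0oa49zm0l8U4WHON5697"; // client ID seen in the question's token

function base64UrlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed sample ID token with claims modelled on the question's token.
// The signature segment is a placeholder: nothing here verifies signatures,
// STS does that against the issuer's JWKS.
const SAMPLE_ID_TOKEN = [
  base64UrlJson({ alg: "RS256", kid: "constructed-kid" }),
  base64UrlJson({
    sub: "00u3xs70zpX2OiH1n697",
    iss: "https://cis.demo-connect.us/oauth2/default",
    aud: EXPECTED_AUD,
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + 3600,
  }),
  "constructed-signature",
].join(".");

// Structural pre-flight check for an OIDC ID token. Returns null when the token
// looks usable, otherwise a reason more specific than InvalidIdentityTokenException.
// It does not verify the signature.
function checkIdToken(token, expectedAud) {
  if (typeof token !== "string") {
    return `token is ${Object.prototype.toString.call(token)}, not a string (missing await?)`;
  }
  const parts = token.split(".");
  if (parts.length !== 3) {
    return `expected 3 dot-separated segments, got ${parts.length}`;
  }
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return "header or payload is not base64url-encoded JSON";
  }
  if (!header.alg || header.alg === "none") return "header has no signing alg";
  const now = Math.floor(Date.now() / 1000);
  if (typeof payload.exp !== "number" || payload.exp <= now) return "token is expired or has no exp";
  // An ID token's aud is the OIDC client ID; an access token's normally is not,
  // so this also catches the "you sent an Access Token" case.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (expectedAud && !aud.includes(expectedAud)) {
    return `aud ${JSON.stringify(payload.aud)} does not include ${expectedAud}`;
  }
  return null;
}

// Lazy provider: the SDK calls this function whenever it needs credentials, so
// the IdP token is awaited and checked on every refresh. makeProvider is the
// real fromWebToken in production; it returns a provider function that yields
// credentials when called.
function webIdentityCredentials({ getToken, expectedAud, roleArn, roleSessionName, makeProvider }) {
  return async () => {
    const webIdentityToken = await getToken(); // the await the original code lacked
    const problem = checkIdToken(webIdentityToken, expectedAud);
    if (problem) throw new Error(`refusing to call AssumeRoleWithWebIdentity: ${problem}`);
    return makeProvider({ roleArn, roleSessionName, webIdentityToken })();
  };
}

// Offline stand-in for fromWebToken (constructed for this example): returns a
// provider function that resolves to the credential shape the SDK expects.
function fakeFromWebToken(init) {
  return async () => ({
    accessKeyId: "ASIA-EXAMPLE",
    secretAccessKey: "example-secret",
    sessionToken: `sts-for:${init.webIdentityToken.slice(0, 12)}`,
    expiration: new Date(Date.now() + 3600 * 1000),
  });
}

// Reproduce the bug, then run the fixed provider.
async function demo() {
  const getTokenFromIdp = async () => SAMPLE_ID_TOKEN;
  const unawaited = getTokenFromIdp(); // a Promise, as in the question's code
  const bug = {
    asObject: checkIdToken(unawaited, EXPECTED_AUD),
    asString: checkIdToken(`${unawaited}`, EXPECTED_AUD), // "[object Promise]"
  };
  const credentials = webIdentityCredentials({
    getToken: getTokenFromIdp,
    expectedAud: EXPECTED_AUD,
    roleArn: "arn:aws:iam::123456789012:role/OIDCroleReadS3", // placeholder account
    roleSessionName: "session_111",
    makeProvider: fakeFromWebToken,
  });
  const creds = await credentials();
  return { bug, creds };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In real code the function returned by `webIdentityCredentials` is handed straight to `new S3({ region, credentials })`, since the SDK accepts an async function returning credentials, and `makeProvider` is the real `fromWebToken`. The pre-flight check is deliberately structural only: signature, issuer and the role's trust-policy conditions are still enforced by STS, which is where they belong.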
