Can I register an IDP with multiple certificates on AWS IAM

0

What I have is:

  • An OpenID compliant service (REST) that provides tokens
  • This service has multiple certificates (key pairs) for signing tokens, depending on some factors when requesting a token
  • The service is implementing the 2 OpenID endpoints (well-known and certs)

What I did:

  • I registered the service as an IDP on the AWS IAM service successfully (hence my two OpenID endpoints are working, otherwise AWS won't accept the IDP)
  • I created roles on IAM that are to be assumed using the IDP service tokens
  • I got two tokens from the IDP service to be used for assuming the role (each signed with a different key)

Problem:

  • AssumeRole is failing and I'm getting an invalid token exception for both tokens.
  • I tried to set the "kid" claim in the tokens, each with the corresponding kid of the certificate, and it didn't work :(.

Note:

  • I'm assuming the role using the Java AWS API
  • When I remove one of the certificates (from the below sample response) the remaining certificate works fine. So the problem is with having 2 certs, but I need to have two certificates, and AWS should have a way of working with such a case; I just don't know how.

Sample of how my certs endpoint looks:

{
  "keys": [
    {
      "kid": "kid",
      "kty": "kty",
      "use": "use",
      "alg": "alg",
      "n": "nValue",
      "e": "eValue",
      "x5c": [
        "cert1"
      ],
      "x5t": "x5t=",
      "x5t#S256": "x5t#S256"
    },
    {
      "kid": "kid1",
      "kty": "kty",
      "use": "use",
      "alg": "alg",
      "n": "nValue",
      "e": "eValue",
      "x5c": [
        "cert2"
      ],
      "x5t": "x5t=",
      "x5t#S256": "x5t#S256"
    }
  ]
}

Edited by: hfakih on Feb 10, 2020 6:49 AM

hfakih
Asked 4 years ago, 240 views
1 answer
0

So the problem was that I tried to set the kid in the "claims" of the JWT.

However, it turned out that, in order for AWS to distinguish that this JWT was signed with this key (from the JWKS response), it checks the headers of the JWT. If a kid is found in the header, then it looks in the JWKS response for the certificate with the corresponding kid.

So to solve the issue I just had to set the kid in the "headers" of the JWT.

So if you are in Java:

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.util.HashMap;
import java.util.Map;

public String buildToken(Key key) {
    Map<String, Object> claims = new HashMap<>();
    Map<String, Object> headers = new HashMap<>();

    claims.put(claimName, someClaim);
    // ... remaining claims
    // The "kid" belongs in the JWT header, not in the claims: that is where AWS looks it up
    headers.put(KID, KID_OF_THIS_TOKENS_CERTIFICATE);
    // ... remaining header parameters
    return Jwts.builder()
            .setClaims(claims)
            .setHeader(headers)
            .signWith(SignatureAlgorithm.RS256, key)
            .compact();
}

hfakih
Answered 4 years ago
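The key-selection step the answer describes, as an added example that is not part of the original post or of AWS's code: read `kid` from the JWT header (not the claims), look it up in a JWKS shaped like the certs endpoint above, and fall back to the only key when there is just one, which matches the single-certificate case in the question. The JWKS values and the signature segment are constructed placeholders, since only the lookup that precedes signature verification is modelled here; the `alg` cross-check is an added defensive assumption.

```python
import base64
import json

# Constructed JWKS in the shape of the question's certs endpoint (sample values, not real keys).
JWKS = {"keys": [
    {"kid": "kid", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "nValue", "e": "eValue", "x5c": ["cert1"]},
    {"kid": "kid1", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "nValue", "e": "eValue", "x5c": ["cert2"]},
]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_token(header: dict, claims: dict) -> str:
    """Assemble header.payload.signature as a compact JWS.
    The signature segment is a constructed placeholder: key selection happens before
    the signature is checked, and that selection step is all this example models."""
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"constructed-signature"]
    return ".".join(_b64url(p) for p in parts)


def resolve_signing_key(jwks: dict, token: str) -> dict:
    """Pick the JWK a verifier would use, following the answer above: the 'kid' is read
    from the JWT *header*; a 'kid' placed in the claims is never consulted."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    keys = jwks["keys"]
    kid = header.get("kid")
    if kid is None:
        if len(keys) == 1:  # one published key: nothing to disambiguate (the single-cert case)
            return keys[0]
        raise ValueError("token header has no 'kid' and the JWKS publishes %d keys" % len(keys))
    for jwk in keys:
        if jwk.get("kid") == kid:
            # Added check: the header's alg must agree with the alg the JWK advertises.
            if "alg" in jwk and header.get("alg") != jwk["alg"]:
                raise ValueError("alg %r in header does not match JWK alg %r" % (header.get("alg"), jwk["alg"]))
            return jwk
    raise ValueError("no JWK with kid=%r" % kid)
```

Running `resolve_signing_key` on a token whose `kid` sits only in the claims raises, which is the failure the question describes.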
