Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

AssumeRoleWithWebIdentity uses azp instead of aud as audience

0

I have setup an Auth0 OpenID Connect identity provider for AWS Identity and Access Management. The identity provider has the endpoint dev-0lv18ee7j6vvczam.eu.auth0.com/, audience https://sts.amazonaws.com, and ARN arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/ (some dummy values).

I then created an IAM role with the attached policy AmazonS3FullAccess and the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "example.eu.auth0.com/:aud": "https://sts.amazonaws.com"
        }
      }
    }
  ]
}

As far as I understand, this policy should allow holders of tokens from the configured identity provider to call AssumeRoleWithWebIdentity and then call the S3 API with the returned credentials. My application now tries to call AssumeRoleWithWebIdentity with the following JWT issues by the identity provider (again, some dummy values):

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<kid>"
}.{
  "iss": "https://example.eu.auth0.com/",
  "sub": "<user-id>",
  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],
  "iat": 1678123413,
  "exp": 1678209813,
  "azp": "<client-id>",
  "scope": "openid"
}.[Signature]

However, the following error is returned:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>Incorrect token audience</Message>
  </Error>
  <RequestId>...</RequestId>
</ErrorResponse>

Apparently, the audience in the JWT is incorrect, even though https://sts.amazonaws.com is contained in the JWT and configured in the trust policy and the identity provider. The same error occurs when removing the audience condition from the trust policy.

When changing the audience of the identity provider to the client ID of the application requesting the token, the AssumeRoleWithWebIdentity call works. If adding back the audience check in the trust policy, it only works if checking against the client ID of the application there as well (azp in the token). Why is the aud claim in the token ignored completely? Is there anything I can do about this?

Tópicos
Segurança, identidade e conformidade
Tags
AWS Identity and Access Management
Idioma
English
Felix
feita há um ano309 visualizações
1 Resposta
0

Have observed issue with specifying multiple token audiences.... it gets parsed incorrectly at times.

  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],

Test using just the sts.amazonaws.com as the aud and check?

AWS
abeowlu
respondido há um ano

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante