Are there any forms of "Sender Constraint" when issuing credentials with "AssumeRoleWithWebIdentity"?

Suppose I have a generic OIDC provider that mints ID Tokens and I pass one to AWS (through an AWS OIDC Provider and connecting something like a Cognito Identity Pool) to receive STS credentials in return.

When those credentials expire, I do it again and get new credentials.

Suppose I'm dumb, have an insecure app, or have dumb users falling for phishing scams and leaking out their OIDC ID Token. Are there any measures in place/possible to implement that prevents someone else from getting STS credentials using that same token? (i.e. MTLS, DPoP)

Topics

Security, Identity, & Compliance

Relevant content

How do I parse multiple group claims from an OIDC Token/Provider into an IAM Policy?
Brandon-Ellis-AI
asked 2 years ago
Getting OKTA OIDC scope "groups" passed through Cognito
Marcus DeManly
asked 3 months ago
AssumeRoleWithWebIdentity uses azp instead of aud as audience
Felix
asked a year ago
EKS and IAM OIDC provider and Token Expiration
Dunge
asked a year ago
How do I get IdP-issued OIDC or social identity tokens for Amazon Cognito user pools?
AWS OFFICIALUpdated 2 months ago
How do I troubleshoot an OIDC provider and IRSA in Amazon EKS?
AWS OFFICIALUpdated 3 months ago
How do I troubleshoot sender ID issues when I send SMS messages in Amazon SNS?
AWS OFFICIALUpdated 5 months ago
How do I resolve errors related to OIDC IdP federation in IAM?
AWS OFFICIALUpdated 4 months ago
AWS Account Activation - Locating AWS Account ID and Troubleshooting Phone Verification Issues
EXPERT
dnyanesh-db
published 5 months ago
Explained: AWS IoT Custom Authorizer with Cryptographic Token Validation
EXPERT
Paco
published a year ago