Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Outbound Identity Federation OpenID Configuration seems to be not valid

1

We have enabled outbound identity federation for an account and want to use the token issuer URL to configure an OIDC IdP on another service.

The issuer URL however is rejected by the other service provider.

Upon inspection, we see that that OpenID configuration (https://<redacted>.tokens.sts.global.api.aws/.well-known/openid-configuration) is not valid. It is missing fields REQUIRED by the OAuth 2.0 standard: response_types_supported, authorization_endpoint and token_endpoint. (See https://datatracker.ietf.org/doc/html/rfc8414/#section-2)

Here is the configuration I have at https://<redacted>.tokens.sts.global.api.aws/.well-known/openid-configuration:

The question is, what do we miss here? Is it a bug or do AWS use a different protocol and not OAuth 2.0 for outbound identity federation?

{
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "jti",
    "https://sts.amazonaws.com/"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ],
  "issuer": "https://<redacted>.tokens.sts.global.api.aws",
  "jwks_uri": "https://<redacted>.tokens.sts.global.api.aws/.well-known/jwks.json",
  "subject_types_supported": [
    "public"
  ]
}
Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access Management
Language
English
asked 2 months ago113 views
2 Answers
11
Accepted Answer

What you are seeing is NOT a bug; it is a result of how AWS implements Outbound Identity Federation (specifically via IAM Roles Anywhere or IAM Identity Center).

The short answer is: AWS Outbound Identity Federation uses a "Headless" or "Token-Only" OIDC implementation. It is designed for programmatic exchange, not for the interactive browser-based flows (like Authorization Code Flow) that most OIDC Identity Providers support.

1. Why those fields are missing?

The RFC you cited (RFC 8414) and the OIDC Discovery specification define authorization_endpoint and response_types_supported as REQUIRED. However, those fields only make sense if the Identity Provider (IdP) supports a "front-channel" (a browser redirecting a user to a login page). AWS Outbound Federation is strictly a "back-channel" mechanism.

  • No Authorization Endpoint: AWS does not host a login page where a user enters a username/password to get a code.
  • No Token Endpoint: You don't "exchange" a code for a token at a public endpoint via a POST request in the traditional sense. Instead, AWS generates the token internally (via the STS service) and hands it to the caller or attaches it to the workload.

2. Is it a different protocol?

It is still technically OIDC/JWT, but it adheres to the "Self-Issued" or "Static" IdP pattern. In standard OIDC, the Flow is:

Client -> Authorization Endpoint -> Token Endpoint -> Token In AWS Outbound Federation, the flow is: AWS Service/Workload -> STS (generates JWT) -> Third-party Service

The third-party service provider (SP) is expected to be a "Resource Server" that validates the token locally using the jwks_uri. It does not need to "talk" to AWS to get the token; it only needs to "talk" to AWS to get the public keys to verify the signature.

3. Why your Service Provider is rejecting it?

Many commercial SaaS platforms (like GitHub, GitLab, or generic OIDC integrations) use OIDC libraries that strictly enforce the presence of the authorization_endpoint. If they don't see that field, they assume the Discovery document is malformed and abort.

4. How to fix/work around this:

If the service provider you are connecting to requires a "full" OIDC Discovery document, you have three options:

  • Manual Configuration: If the Service Provider allows it, do not use the "Discovery URL." Instead, manually input the Issuer URL and the JWKS URL. Most libraries that allow manual entry only require the JWKS to validate the signature.
  • The "Mock" Discovery Proxy: Some users host a small JSON file (e.g., in an S3 bucket or via a Lambda) that mirrors the AWS config but adds "dummy" values for the missing fields:
"authorization_endpoint": "https://example.com/unused",
"response_types_supported": ["id_token"],
"token_endpoint": "https://example.com/unused"

If the SP only uses the document to validate the issuer, this trick often works.

  • Verify the Use Case: Outbound Federation is primarily meant for Workload Identity (e.g., an AWS Lambda calling a non-AWS API). If you are trying to set up User SSO (where a human logs into a dashboard), you should be using AWS IAM Identity Center (SAML/OIDC), which provides a full, standard-compliant discovery document.
EXPERT
answered 2 months ago
  • LWfromAWS
    2 months ago

    Hello IAM service team here! this is the correct answer!

  • Artium
    2 months ago

    Thank you! Was not able to overcome the issue yet. But the answer is very insightful.

1

We'd love to know what service you're trying to use with IAM Outbound federation. per Florians answer, very intentionally this is not-oauth 2. But we'd love to know more about what you're trying to do to see if we can fit improving it in our roadmap, or give you advice on what you can do instead.

AWS
answered 2 months ago
  • Artium
    2 months ago

    Hello, we also opened a support ticket, so you might see duplicate request through a different channel. We are trying to use IAM Outbound federation with Ali Cloud (Aliyun). The process requires creating an IdP on Aliyuns side and giving it the token issuer URL. From my observation, there are two fails there: 1. Automatically obtaining the fingerprint fails because they validates the Issuer URL against supported types and *.tokens.sts.global.api.aws is not considered supported by them (they assume it is for internal use, IAM Outbound federation is new so I suspect it got missed), this can be worked around by using the API for creating the IdP (their API allows providing your own fingerprint). 2. Missing fileds in the openID configuration. We attempted to work around this issue following Florian’s suggestion above, we re-hosted the configuration file and were able o create an IdP, however validating a token failed because Aliyun requires a strict match between the iss claim in the OIDC token and the issuer URL registered with the IdP (which is now the re-hosted configuration URL)

  • LWfromAWS
    2 months ago

    thanks! we'll look into it. Do you have any specific docs to the feature? that'd help us. Thanks! Is it AssumeRoleWithOIDC?

    and yes I believe I talked to the same person from AWS support unless there were multiple this week. But this week is the first i've heard of a provider requiring this.

    I can see why some may if what they want is true OAuth, but I am curious to learn more about the aliyun feature.

  • Artium
    a month ago

    @LWfromAWS This is the relevant documentation: https://www.alibabacloud.com/help/en/ram/overview-of-oidc-based-sso?spm=a2c63.p38356.help-menu-28625.d_3_3_1_0.33921f66VxXKHC. If you have an account, you can also try the API: https://api.alibabacloud.com/api/Ims/2019-08-15/CreateOIDCProvider Using the API requires you to calculate the fingerprint yourself, while through the console there is a button that calls an undocumented API GetOIDCIssuerCertFingerprint to do this automatically. And yes, after obtaining the token, getting credentials for Aliyun role is done with "AssumeRoleWithOIDC"(https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerolewithoidc)

  • LWfromAWS
    a month ago

    Artium thank you so much for getting back to us! We're going to take a look. We're not able to commit to a timeline or roadmap for this yet, but we're going to investigate it and take it seriously. that I can promise you.

    Alternatively, while we investigate I would strongly encourage you to follow up with support from Alibaba. For providers like AWS with IAM outbound federation, these claims in the oidc discovery doc are not relevant for us as we don't even have those endpoints they'd be asking for and for using similar flows from Azure/GCP they would be not relevant, though I concede they would be present as they offering OAuth and not just OIDC-based federation with JWTs.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content