I have no issue in using my OIDC Provider ID Tokens to access Google STS tokens or as an external IdP for AWS Cognito. However, when I try to use my OIDC Provider's ID Token with the AssumeRoleWithWebIdentity API call, I get the above error.
As per existing information on this error, this is caused if AWS is unable to access the OIDC metadata. However, as per the OIDC server logs, AWS STS accessed both the ./well-known/openid-configuration and the ./well-known/jwks.json endpoints before giving the above error. And as I mentioned, there is no problem with Google ID federation.
Any help in resolving this issue is greatly appreciated. I see that others have posted similar queries 2 years ago, so this appears to be a long-standing problem.
The relevant config info and ID Token are as follows:
OIDC openid-configuration:
wget https://oidc.svasys.com:/.well-known/openid-configuration
{
"issuer": "https://oidc.svasys.com",
"authorization_endpoint": "https://oidc.svasys.com/authorize",
"token_endpoint": "https://oidc.svasys.com/token",
"userinfo_endpoint": "https://oidc.svasys.com/userinfo",
"jwks_uri": "https://oidc.svasys.com/.well-known/jwks.json",
"scopes_supported": ["openid"],
"response_types_supported": ["id_token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"]
}
OIDC jwks.json:
wget https://oidc.svasys.com:/.well-known/jwks.json
{"keys": [
{"kty": "RSA",
"use": "sig",
"alg": "RS256",
"kid": "22886a89d060ce7096ec78bfce7cea3498f926f0",
"key_ops": ["verify"],
"n": "oGGg7Bynho4uAS3y_z83LVl4yHJ0XxBnfeJvYCSHGtF09U6tdZTtmsJ_TtTdCZ9xZGjFrmst8zbijZACkfm0Ii5UASEfXY7vXMinW0LyHXOMh89Rc9CYZlE-6ZItjLrcUh0B45UT2xR_TV-oCwwfodLgZdWyjrMzIFppdkBYzTIzPVWm6oVV9T--cOuo_OAehQ_MZztc08NjMkG6KLaj0DrBYXo0pStVVyOYPL2pNuCBjCHuVHqxY2Us9zJzYDf2jA-bG1cHoblXUztF6kkQiuKZXl_MXeZBj_cRIyMnytsMEwH67DhMsWk2MOKs77WcEPYn4c2JgQaXeSIX-_fEPw",
"e": "AQAB",
"x5c": ["MIIDdjCCAl6gAwIBAgIUKlw+DpnYT9zltxZyApK9xrNFIKUwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCk5ldyBKZXJzZXkxETAPBgNVBAcMCE1vbm1vdXRoMQ8wDQYDVQQKDAZzdmFTeXMxEzARBgNVBAMMCnN2YXN5cy5jb20wHhcNMjQwMTEzMTUyMzAzWhcNMjUwMTEyMTUyMzAzWjBbMQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTERMA8GA1UEBwwITW9ubW91dGgxDzANBgNVBAoMBnN2YVN5czETMBEGA1UEAwwKc3Zhc3lzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBhoOwcp4aOLgEt8v8/Ny1ZeMhydF8QZ33ib2AkhxrRdPVOrXWU7ZrCf07U3QmfcWRoxa5rLfM24o2QApH5tCIuVAEhH12O71zIp1tC8h1zjIfPUXPQmGZRPumSLYy63FIdAeOVE9sUf01fqAsMH6HS4GXVso6zMyBaaXZAWM0yMz1VpuqFVfU/vnDrqPzgHoUPzGc7XNPDYzJBuii2o9A6wWF6NKUrVVcjmDy9qTbggYwh7lR6sWNlLPcyc2A39owPmxtXB6G5V1M7RepJEIrimV5fzF3mQY/3ESMjJ8rbDBMB+uw4TLFpNjDirO+1nBD2J+HNiYEGl3kiF/v3xD8CAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU5Pp6SlnknQC6ZeM74Zd1NkOlkAcwDQYJKoZIhvcNAQELBQADggEBAATjJ8BCw/Da+OpVcFO1E7YrbsJ/ic6UGeUq71f0tsg/KzXslqXvjOEq21G358VflR3hOpNac19w/eXSHk8d7Fw4yfEdJew8CsiaG+ghaSnG3VrxS6G5PzgIELqi6g5ehLtIfNY9UpW3a+15UOuap0n0GbPEPiG+wlQYrsnAdPwGjq+n+H1gfOFo6C/nAMGXSMcGeGXmTiWgaynY9EpndnPImwfiMSDkEnqynxXnQB2knPYwuScxHX+O/AGU4KcyaH1gzIBD0kBxFe8nkbpy7uS8ttSgaJd5ptFv75I1b6RR+IQf0S7XW1nLCbb408pYoAT3lNYpJUGxq2s4/kp1upA="],
"x5t": "IohqidBgznCW7Hi_znzqNJj5JvA",
"x5t#S256": "36xaWa6gcpWQXf3uUSipvIkx8CyXEHZldkvr3nFxLsU"}
]}
AssumeRoleWithWebIdentity Parameters:
{
'RoleArn': 'arn:aws:iam::091794101906:role/aws_myoidc_id',
'RoleSessionName': 'test',
'WebIdentityToken': 'eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiMjI4ODZhODlkMDYwY2U3MDk2ZWM3OGJmY2U3Y2VhMzQ5OGY5MjZmMCIsICJ4NXQiOiAiSW9ocWlkQmd6bkNXN0hpX3puenFOSmo1SnZBIn0.eyJzdWIiOiAiYXdzX215b2lkY19pZCIsICJuYW1lIjogInRlc3QiLCAiaWF0IjogMTcwNTE1OTQzMCwgImV4cCI6IDE3MDUxNjAwMzAsICJhdWQiOiAiYXdzX3N2YXN5c19pZCIsICJpc3MiOiAiaHR0cHM6Ly9vaWRjLnN2YXN5cy5jb20iLCAiYW1yIjogWyJwd2QiLCAib3RwIl0sICJqdGkiOiAiNVZ6OTR1T0xTOCIsICJ0b2tlbl91c2UiOiAiaWQiLCAiYXV0aF90aW1lIjogMTcwNTE1OTQzMCwgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSwgImVtYWlsIjogInJlc2VhcmNoQHN2YXN5cy5jb20ifQ.Vw8B_vE9T7GKNxPsQ2W7SrD_m7OFcNmusKRtUnsHhrQe3dW6Le2M6YQo5HuooX5X05V9hvMnzj1SojyReHwfmj3NbT62ExEaHXZ3FPxgR1eKn8kOCIuo9Qphd5AKgf1uf4m7MoxfzMS9oaf7EzLw7VQwSJvCc82Z5MuZmrt9WKj17xgCDpKnv4PqXb_m8OfX1rogYUD9UgW2HzklxBhawTMYLf5T4xyLJ9R1CqWLgdqhbxi9c8fgH-aIfkVllA2C-RbRKdHLR36nNN1JE5Sh2Ngd78QNd0lDBiKkr4ejpW00mN9UwuE0eU_wvcFHyyRiQ1a6uCx6HxBbAbe_kD5R7w', 'DurationSeconds': 1000
}
Which IDP? My OIDC IDP provides the jwks and they are accessible from the web by AWS, and in fact, my server logs show access by AWS STS to both the openid-configuration and jwks.json endpoints. Google IDP has no issues accessing the jwks and validating and federating using my OIDC IDP. The issue is only with AWS.
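As an added example (not part of the original post), the Python script below decodes the ID token from the AssumeRoleWithWebIdentity call above and runs, offline, the static checks that AWS STS is documented to apply before it trusts a web identity token: the iss claim must equal the issuer registered on the IAM OIDC provider, aud must match a client ID registered on that provider, the token must not be expired, the header alg must be one the discovery document advertises, and the header kid must name a key in the published JWKS. The discovery document and JWKS metadata are copied from the post (modulus and certificate omitted, since no signature check is done here). EXPECTED_AUD is an assumption: the post does not show the IAM provider's registered client IDs, so the token's own aud is used as the stand-in. TLS chain validation of the jwks_uri and the IAM provider thumbprint cannot be checked offline and are out of scope.

```python
import base64
import json
import time

# Discovery document fields from the post that the checks need.
DISCOVERY = {
    "issuer": "https://oidc.svasys.com",
    "jwks_uri": "https://oidc.svasys.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# JWKS from the post, reduced to the metadata STS matches on (kid/alg/use).
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "22886a89d060ce7096ec78bfce7cea3498f926f0"}]}

# WebIdentityToken exactly as passed to AssumeRoleWithWebIdentity in the post.
ID_TOKEN = (
    "eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiMjI4ODZhODlkMDYwY2U3MDk2ZWM3OGJmY2U3Y2VhMzQ5OGY5MjZmMCIsICJ4NXQiOiAiSW9ocWlkQmd6bkNXN0hpX3puenFOSmo1SnZBIn0"
    ".eyJzdWIiOiAiYXdzX215b2lkY19pZCIsICJuYW1lIjogInRlc3QiLCAiaWF0IjogMTcwNTE1OTQzMCwgImV4cCI6IDE3MDUxNjAwMzAsICJhdWQiOiAiYXdzX3N2YXN5c19pZCIsICJpc3MiOiAiaHR0cHM6Ly9vaWRjLnN2YXN5cy5jb20iLCAiYW1yIjogWyJwd2QiLCAib3RwIl0sICJqdGkiOiAiNVZ6OTR1T0xTOCIsICJ0b2tlbl91c2UiOiAiaWQiLCAiYXV0aF90aW1lIjogMTcwNTE1OTQzMCwgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSwgImVtYWlsIjogInJlc2VhcmNoQHN2YXN5cy5jb20ifQ"
    ".Vw8B_vE9T7GKNxPsQ2W7SrD_m7OFcNmusKRtUnsHhrQe3dW6Le2M6YQo5HuooX5X05V9hvMnzj1SojyReHwfmj3NbT62ExEaHXZ3FPxgR1eKn8kOCIuo9Qphd5AKgf1uf4m7MoxfzMS9oaf7EzLw7VQwSJvCc82Z5MuZmrt9WKj17xgCDpKnv4PqXb_m8OfX1rogYUD9UgW2HzklxBhawTMYLf5T4xyLJ9R1CqWLgdqhbxi9c8fgH-aIfkVllA2C-RbRKdHLR36nNN1JE5Sh2Ngd78QNd0lDBiKkr4ejpW00mN9UwuE0eU_wvcFHyyRiQ1a6uCx6HxBbAbe_kD5R7w"
)

# ASSUMPTION: the client ID (audience) registered on the IAM OIDC provider.
# The post does not show the provider config, so the token's own aud is used.
EXPECTED_AUD = "aws_svasys_id"


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment (RFC 7515 section 2)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token):
    """Split a compact JWS into (header, claims) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_token(token, discovery, jwks, expected_aud, now=None):
    """Return a list of reasons STS would reject the token; empty means the
    static checks pass (signature and TLS are NOT checked here)."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    problems = []

    # iss must equal the issuer URL registered on the IAM OIDC provider.
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {discovery['issuer']!r}")

    # aud (string or list) must contain a client ID registered on the provider.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {auds!r} does not contain registered client ID {expected_aud!r}")

    # exp is seconds since epoch; STS rejects an expired token.
    if claims.get("exp", 0) <= now:
        problems.append(f"token expired (exp={claims.get('exp')}, now={int(now)})")

    # Signing algorithm must be advertised by the discovery document.
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        problems.append(f"alg {header.get('alg')!r} not in supported list")

    # kid must select a key actually present in the published JWKS.
    kids = {k.get("kid") for k in jwks["keys"]}
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} not found in JWKS {sorted(kids)!r}")

    # jwks_uri should live under the issuer so the discovery doc is consistent.
    if not discovery["jwks_uri"].startswith(discovery["issuer"].rstrip("/") + "/"):
        problems.append("jwks_uri is not under the issuer URL")

    return problems


if __name__ == "__main__":
    hdr, body = decode_jwt(ID_TOKEN)
    print("header:", json.dumps(hdr))
    print("claims:", json.dumps(body))
    # Evaluate at a time inside the token's validity window, then at wall-clock time.
    print("problems at iat+70s:", check_token(ID_TOKEN, DISCOVERY, JWKS, EXPECTED_AUD, now=1705159500))
    print("problems now:", check_token(ID_TOKEN, DISCOVERY, JWKS, EXPECTED_AUD))
```

Evaluated inside its own validity window, the posted token passes every static check, which narrows the remaining candidates to what this script cannot see: the signature over the JWKS modulus, the TLS chain AWS sees when fetching jwks_uri, and the client ID and thumbprint registered on the IAM OIDC provider. Run at the current time it reports only the expiry, as expected for a ten-minute token minted in January 2024.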