By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AssumeRoleWithWebIdentity uses azp instead of aud as audience

0

I have setup an Auth0 OpenID Connect identity provider for AWS Identity and Access Management. The identity provider has the endpoint dev-0lv18ee7j6vvczam.eu.auth0.com/, audience https://sts.amazonaws.com, and ARN arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/ (some dummy values).

I then created an IAM role with the attached policy AmazonS3FullAccess and the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "example.eu.auth0.com/:aud": "https://sts.amazonaws.com"
        }
      }
    }
  ]
}

As far as I understand, this policy should allow holders of tokens from the configured identity provider to call AssumeRoleWithWebIdentity and then call the S3 API with the returned credentials. My application now tries to call AssumeRoleWithWebIdentity with the following JWT issues by the identity provider (again, some dummy values):

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<kid>"
}.{
  "iss": "https://example.eu.auth0.com/",
  "sub": "<user-id>",
  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],
  "iat": 1678123413,
  "exp": 1678209813,
  "azp": "<client-id>",
  "scope": "openid"
}.[Signature]

However, the following error is returned:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>Incorrect token audience</Message>
  </Error>
  <RequestId>...</RequestId>
</ErrorResponse>

Apparently, the audience in the JWT is incorrect, even though https://sts.amazonaws.com is contained in the JWT and configured in the trust policy and the identity provider. The same error occurs when removing the audience condition from the trust policy.

When changing the audience of the identity provider to the client ID of the application requesting the token, the AssumeRoleWithWebIdentity call works. If adding back the audience check in the trust policy, it only works if checking against the client ID of the application there as well (azp in the token). Why is the aud claim in the token ignored completely? Is there anything I can do about this?

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access Management
Language
English
Felix
asked a year ago300 views
1 Answer
0

Have observed issue with specifying multiple token audiences.... it gets parsed incorrectly at times.

  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],

Test using just the sts.amazonaws.com as the aud and check?

AWS
abeowlu
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content