AWS OIDC authentication failure (Incorrect token audience) with two applications #3100
Labels
Comments
bagajjal
added
bug
ashishdhingra
added
needs-reproduction
|
@bagajjal You mentioned |
|
@ashishdhingra , AAD access token v2 is introduced to support consumer accounts (user@hotmail.com). Looking at the AAD token presented to AWS, there is not much difference except that "idp" is populated in the AAD V1 access token but not in the AAD V2 access token. Screenshot
Please look at the video recording using AAD access token v1 and access token v2. |
|
@ashishdhingra , any update? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Please refer to #3071.
#3071 (comment)
#3071 (comment)
I apologize if this issue seems out of place here. If it is, please inform me of the appropriate GitHub repository to move this issue.
I'm currently working on implementing AWS OIDC authentication with Azure AD (AAD) as the OpenID provider. I have two applications (appId1, appId2). When using appId1 to authenticate with AAD, I obtain a token for appId2, meaning that the AAD access token has appId2 as its audience. Subsequently, I invoke AssumeRoleWithWebIdentityAsync() by providing the AAD access token. This configuration functions properly with AAD access token V1 but encounters issues with AAD access token V2 i.e., AWS OIDC authentication was successful using AAD access token V1 but not with AAD access token V2.
When utilizing AAD access token V2, if I employ appId2 for authentication with AAD and obtain a token for itself (where the AAD access token has appId2 as its audience) and present this token, the AWS OIDC authentication succeeds.
I have confirmed that my AWS account has the correct OIDC authentication configuration. Specifically, I have added appId2 to the OIDC clientID list, and appId2 has been granted assumeRole permissions to the AWS IAM role.
This seems to be a bug in the AWS OIDC authentication using AAD V2 access tokens using two AAD applications.
Please look into the attached document for more details,
AWS_V2_accesstoken_error.docx
Expected Behavior
AWS OIDC authentication should succeed.
Current Behavior
AWS OIDC authentication fails with "Incorrect token audience" if we use AAD v2 access token with 2 applications.
Reproduction Steps
Create 2 applications in AAD, Azure AD.
Using appId1 credentials authenticate with AD and request token for appId2. i.e., AAD will return AAD V2 access token with audience as appId2.
Now call the AssumeRoleWithWebIdentityAsync()
AWS OIDC authentication call fails with "Incorrect token audience".
Possible Solution
No response
Additional Information/Context
No response
AWS .NET SDK and/or Package version used
"AWSSDK.SecurityToken" Version="3.7.102.2"
Targeted .NET Platform
.NET 7
Operating System and version
windows 11
The text was updated successfully, but these errors were encountered: